We’ve all been there: you pick up the phone expecting an important update, only to be met by an aggressive cold caller trying to sell you something you never asked for. It’s incredibly frustrating, but you aren’t powerless. While the Telephone Preference Service (TPS) helps, UK data protection laws give you a much bigger stick to fight back with. Under the UK GDPR, your phone number is your personal data, and companies can’t just use it however they please. In this guide, we break down your legal rights, how rogue callers exploit loopholes, and exactly how you can use a simple data request to force them to delete your number forever.
1) Subject Access Request (SAR): “Show me what you hold on me”
A Subject Access Request is a request you make to a company for the personal data they hold about you, along with related information.
The ICO (the UK regulator) is clear: a SAR can be made verbally or in writing, and you’re entitled to a copy of your personal data plus supplementary info.
What a SAR can reveal
- What data they hold (name, number, address, notes, call recordings, marketing profile)
- Where they got it (data source / list provider)
- Who they’ve shared it with
- Why they think they’re allowed to use it (their “lawful basis” explanation)
- How long they plan to keep it
Time limits
- They generally must respond within 28 days
- They can extend by up to two more months if it’s complex or they’ve had many requests, but they should tell you.
2) Right to erasure: “Delete my number”
You can ask a company to delete your personal data in certain situations.
The ICO notes they must respond without undue delay and within one month.
Important practical point: even if they don’t delete everything (because they claim a reason to keep some records), they should still stop using your data for marketing and keep only what’s needed to ensure you’re not contacted again (a suppression record).
3) Right to object to direct marketing: “Stop marketing to me”
This is the workhorse right for unwanted sales contact.
If the call is marketing, you can object. A compliant company should stop and add you to their internal do-not-call list.
How do companies get your number in the first place?
In most cold call situations, your number comes from one of these routes:
- You gave it to them (online quote form, competition entry, “partner offers” tick box)
- They bought or rented a marketing list (from a data broker)
- They scraped or sourced it from public/online sources (sometimes in ways that break rules)
- A previous relationship (you were once a customer, or interacted with the brand)
A SAR is the cleanest way to force a proper answer because it requires them to disclose what they hold and provide context.
How to formally demand removal: copy-and-paste templates
Template 1: “Stop calling me” (objection to marketing)
Send this to their privacy email or customer support email.
Subject: Objection to Direct Marketing – Remove My Number
Body:
I am formally objecting to the use of my personal data for direct marketing.
Please add my number to your internal do-not-call list and confirm in writing that you will not contact me again for marketing purposes.
My number: [your number]
Date/time of your call: [date/time]
Any reference you gave me: [reference]
Template 2: SAR (Subject Access Request)
Subject: Subject Access Request (SAR)
Body:
This is a Subject Access Request. Please provide:
- All personal data you hold about me (including my phone number and any notes, recordings, call logs, marketing profiles).
- The source of my data (how you obtained my number, including the name of any third-party list provider).
- The purposes for processing and your lawful basis.
- Any recipients or categories of recipients you have shared my data with.
- Your retention period for my data.
My number: [your number]
Date/time of your call: [date/time]
Please respond within the statutory timeframe.
SARs can be made in writing or verbally, and organisations generally must respond within one month.
Template 3: Erasure request (delete my data)
Subject: Request for Erasure of Personal Data
Body:
I am requesting erasure of my personal data held by your organisation, including my phone number and any associated records used for marketing.
Please confirm what you have deleted and what you must retain (if anything) and why.
My number: [your number]
Date/time of your call: [date/time]
The ICO’s guidance notes organisations should respond to erasure requests without undue delay and within one month.
If they ignore you: what to do next
If you’ve told them to stop and they keep calling, or they won’t explain where they got your data, you can escalate:
- Complain to the company in writing (keep a paper trail)
- Report to the ICO (especially for persistent marketing calls and poor handling of SARs/objections)
PECR sets specific rules for marketing calls, and the ICO is the regulator that publishes guidance and takes enforcement action in this area.
The simple takeaway
If a company cold calls you, you have three practical levers:
- Object to marketing (fastest way to stop legitimate callers)
- SAR (forces them to show what they hold and where they got it)
- Erasure request (pushes deletion, with suppression as the minimum)
If you want, tell me what kind of caller it was (energy, telecoms, finance, “survey”, etc.) and I’ll tailor the