User Data Rights and Deletion

What it is

You have the right to access, correct, delete, and move your personal data, and to object to how Telegram processes it, with the ability to complain to a data protection authority if needed.

Why it matters (compliance & governance perspective)

These rights are legally enforceable under GDPR for EEA users and equivalent frameworks elsewhere, giving users meaningful control over their data held by Telegram.

Consumer impact (what this means for users)

EEA and UK users can request their data, ask for deletion, correct inaccuracies, and file regulatory complaints about Telegram's data practices, all of which are enforceable rights under GDPR rather than discretionary policy commitments.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision reflects GDPR Articles 15-21 (data subject rights including access, rectification, erasure, restriction, portability, and objection) and Article 77 (right to lodge a complaint with a supervisory authority). The policy qualifies these rights with 'in certain circumstances' and 'under applicable data protection legislation,' acknowledging that not all rights apply to all users or all processing activities. For non-EEA users, the availability of equivalent rights depends on their jurisdiction's applicable law. GOVERNANCE EXPOSURE: Low. The enumeration of data subject rights is a standard GDPR-compliant disclosure and represents a consumer-protective provision. The main governance risk is operational: whether Telegram's processes for responding to data subject requests (DSARs) meet the GDPR's one-month response deadline under Article 12, and whether the EDPO representative is adequately resourced to handle request volumes from over one billion users. JURISDICTION FLAGS: EEA users have the most comprehensive rights under GDPR. UK users have parallel rights under UK GDPR. California users have CCPA rights that partially overlap with the enumerated rights (access, deletion, portability) but operate under a different legal framework. Users in jurisdictions without comprehensive data protection laws may have limited ability to enforce these rights in practice. CONTRACT AND VENDOR IMPLICATIONS: Organizations that deploy Telegram and process employee or customer data through it should ensure their own data subject rights procedures account for requests that may require Telegram's cooperation, and should establish workflows for forwarding DSARs to Telegram's EEA representative where appropriate. COMPLIANCE CONSIDERATIONS: Compliance teams should test Telegram's DSAR response process to verify response times and completeness. The policy directs users to contact details in section 12 for rights exercises, which should be reviewed to ensure they are current and functional. The availability of account self-deletion through the app (described in section 10, which was truncated in the provided document) provides an additional practical mechanism users should be aware of.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Cloud Chat Server-Side Storage medium
• Law Enforcement Disclosure of IP and Phone Number medium
• Third-Party Bot Data Access high
• Message Text Sharing with Google and Microsoft for Translation medium
• Legitimate Interests as Sole Legal Basis for Metadata Collection medium
• No Ad Targeting Based on User Data low

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.