What rights do individuals have under GDPR (e.g., access, deletion)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your EU subscribers have rights over their data, and GDPR requires you to be able to honor them. Here's what you're likely to encounter as an email sender.

Right of Access. Subscribers can ask what data you hold on them and request a copy. For email programs, this typically means contact details, signup date, consent records, and send history.

Right to Rectification. They can ask you to correct inaccurate information. Straightforward.

Right to Erasure (the "right to be forgotten"). They can ask you to delete their data. This is different from an unsubscribe. An unsubscribe usually creates a suppression record so you don't email them again. A deletion request means removing their data from your systems entirely. The two can conflict: if you delete them completely, you lose the suppression record. Most senders keep a minimal suppression entry (email address only, no personal data) and delete everything else. Check what your ESP supports.

Right to Data Portability. They can request their data in a structured, machine-readable format to take elsewhere.

Right to Object. For direct marketing, this right is absolute. If someone objects to receiving marketing from you, you stop. Full stop.

You have one month to respond to any rights request. Complex requests can extend to three months if you notify the person. You can't charge a fee for standard requests.

Still the most practical step: make sure your ESP can export or delete a subscriber's data on request. If it can't, GDPR compliance gets much harder. If you've received a rights request and aren't sure how to respond, our SOS call is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me figure out how to honor GDPR rights requests for my specific setup.

I read this on the Email Almanac about the rights individuals have under GDPR. I want to make sure I can actually honor these rights if a subscriber requests them. My situation: 1. Can my ESP export all data for a specific subscriber on request? yes / no / unsure 2. Can I delete a subscriber's data while keeping a suppression record? yes / no / unsure 3. Have I received any data access or deletion requests? yes, here's what happened / no / unsure 4. Do I have a way for subscribers to request their data (a form or contact address)? yes / no 5. Is there anything other than my ESP where subscriber data lives? CRM / analytics / custom database / other --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, Klaviyo, HubSpot - Domain(s): your sending domain - Audience locations: EU / UK / US / global - Business type: B2B / B2C / newsletter / e-commerce - Privacy policy in place: yes / no / in progress - Do I have a Data Processing Agreement with my ESP? yes / no / unsure

Edit the yellow boxes, then send to the AI of your choice.