What information do I need to provide in response to an SAR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your SAR response needs to tell the requester everything you know about them. not a summary, not a partial list. Here's what to include for an email marketing contact.
The personal data itself:
- Email address, name, and any other contact or profile data you hold
- Subscription status and preference settings
- Consent records: when they opted in, how (form URL, source), what consent language was shown
- Engagement history: which emails they opened or clicked, if you track this at the individual level
- Any segmentation tags, custom fields, or behavioral attributes you've stored
- Third-party data you've appended (if you've enriched their profile with external data)
The processing information:
- The purposes for which you're processing their data (sending newsletters, personalizing content, etc.)
- Your lawful basis for each processing purpose
- Who you've shared their data with (ESP, CRM, advertising platforms like Facebook or Google, third-party enrichment services)
- How long you intend to keep their data
Their rights: A description of their right to rectification, erasure, restriction, and objection to processing. Under GDPR you're also required to mention the right to lodge a complaint with the supervisory authority.
Format: you can provide this as a structured document, a PDF, or however your system can export it. as long as it's in an "intelligible and accessible" format. Plain language, not legal jargon.
Timeline reminder: you have one calendar month from the date of receipt. For the record-keeping side of this, see DSAR response record-keeping. See also verifying the requester's identity.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.