How do you handle DSAR/erasure requests?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Someone emails you asking what data you hold on them, or demanding you delete everything. Maybe it's a former customer, maybe it's someone who never signed up in the first place. Either way, you've just received a Data Subject Request, and you've got a legal obligation to respond. Here's how to actually handle it.

First, what kind of request is it?

A Data Subject Access Request (DSAR) means the person wants to know what data you hold about them. An erasure request (also called a "right to be forgotten" request under GDPR) means they want it deleted. These are different obligations, though the process for verifying and handling them is similar. CCPA gives California residents similar rights under different terminology, but the mechanics are broadly the same.

Step 1: Verify the request is legitimate

Before you do anything, confirm the person is who they say they are. You don't need to make this painful, but you do need reasonable assurance. A reply from the same email address they used to sign up is usually enough. If someone claims to be managing a request on behalf of another person, ask for written authorization.

Under GDPR you have 30 days to respond (extendable to 90 days for complex cases, but you must notify them within the first 30). Don't let this sit in your inbox.

Step 2: Find all the data you actually hold

This is where things get uncomfortable if your data is scattered. For a typical email setup, check these places:

  • Your ESP (subscriber profile, tags, segments, engagement history, open and click data)
  • Your CRM (contact record, purchase history, notes, custom fields)
  • Your suppression list (whether they previously unsubscribed or bounced)
  • Any third-party integrations (Zapier flows, lead capture tools, e-commerce connectors)
  • Your own database (if you built a custom signup form that writes to a backend)

ESPs like Mailchimp, Klaviyo, HubSpot, and Brevo all have built-in GDPR tools to export or delete a contact's data. Most have a "forget contact" or "delete subscriber" function in the contact profile. Know where yours is before you need it.

Step 3: For a DSAR (access request)

So you need to provide a copy of all data you hold about that person in a readable format. This includes what data you collected, why you collected it, how long you intend to keep it, and who you've shared it with (including your ESP, CRM, or any data processors). A plain-language email with an attached CSV export from your ESP is usually sufficient.

Step 4: For an erasure request

But this is the one that trips people up. "Delete everything" does not mean you can legally send to them again next month. You need to:

  • Delete their full subscriber profile (name, custom fields, engagement history, tags)
  • Remove them from your active list
  • Keep a hashed or suppressed record of their email address so your system knows never to add them back

That last point is critical. If you delete everything and someone re-imports a list that includes their address, they'd get emailed again, which could be a compliance violation on top of an annoyance. The suppression record isn't "keeping their data" in a meaningful sense. It's a safety lock. You can read more about why suppression and deletion aren't the same thing legally in the next question.

Step 5: Confirm and document

Send a brief confirmation to the requester once you've acted. Keep a record of the request, when you received it, what you did, and when you responded. If you're ever audited, this is the paper trail that shows you took it seriously.

A note on scope

GDPR applies to anyone whose data you hold who is based in the EU or UK, regardless of where your business is. CCPA applies to California residents. Other regions have their own rules. If you're sending email globally, assume you could receive a request from anyone and build a simple process now rather than scrambling later. Understanding your data retention policy is the natural place to start before you get your first request.

If this is your first DSAR and you're not sure whether your setup handles it cleanly, feel free to reach out through our SOS hotline. No pitch, just help.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map this process to my setup

I read this on the Email Almanac about handling DSAR and erasure requests for email. I need help mapping this process to my specific setup. Based on the details I share below, can you: 1. Tell me exactly where in my tools I need to look to find all data about a subscriber 2. Walk me through how to export or delete data in my specific ESP 3. Flag any gaps in my current process (data I might be missing, retention issues) 4. Draft a simple response template I can send back to someone who submits a DSAR or erasure request My details: - ESP/email platform: e.g. Mailchimp, Klaviyo, HubSpot, custom - CRM (if separate): e.g. Salesforce, HubSpot, none - Any other tools that store subscriber data: e.g. Shopify, Zapier, lead capture form, custom database - Regions I send to: e.g. EU, UK, US, global - Do I have a current suppression list: yes / no / unsure - Have I received a DSAR or erasure request before: yes / no - Do I have a privacy policy and DPA with my ESP: yes / no / unsure

Edit the yellow boxes, then send to the AI of your choice.