How to handle subject-access (DSAR) requests for tracking logs?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A Data Subject Access Request (DSAR) means a subscriber has formally asked to see what personal data you hold about them. Under GDPR and similar regulations, you have one month to respond. For email senders, that data typically includes opens, clicks, unsubscribes, complaints, device types, and IP addresses captured during sending.

What you need to provide

Pull all event records tied to that subscriber's email address: every tracked open with timestamp, every click and the URL clicked, any bounce events, unsubscribe events, and complaint records. You should also explain what the data was used for: segmentation decisions, re-engagement triggers, suppression rules. The subscriber has a right to know not just what you collected but how it was used.

Deliver the records securely. Don't email a CSV of someone's personal data to them unencrypted. A secure download link or a password-protected file is more appropriate. Strip out any records that relate to other subscribers.

Deletion vs. anonymization

Some DSAR requests include or are followed by a right-to-erasure request. Deleting all records isn't always the right response. You may have legitimate grounds to retain some data (for example, suppression records that prevent you from re-adding a subscriber who opted out). In that case, anonymizing the record (removing the email address but keeping the opt-out flag) is often the right approach: you can honor the deletion request for identifiable data while preserving the suppression you need for compliance.

What to do if your ESP holds the data

Your ESP processes data on your behalf. Under GDPR, you're the data controller and the ESP is a data processor. That means the DSAR is your responsibility to fulfill, even though the data lives in your ESP's system. Most major ESPs have export tools or API endpoints that let you pull all event data for a specific subscriber. Know where that is before you receive a request, not after.

If you're not sure what your current data retention setup looks like or whether you can fulfill a DSAR in time, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help Me Prepare for DSAR Requests

I just read the Email Almanac entry on handling DSAR requests for email tracking logs. Help me make sure I can fulfill one correctly if I receive it. Walk me through: 1. How to export all event data for a specific subscriber from my ESP 2. What format and delivery method to use when responding 3. Whether I have legitimate grounds to retain suppression data after a deletion request 4. What documentation I should keep of the DSAR process --- My details (fill in what applies): - ESP or sending platform: Mailchimp / Klaviyo / Brevo / SendGrid / other - Whether my subscribers are EU-based: mostly / some / few - Whether I have DSAR response procedures in place: yes / no / unsure - Whether I store event data outside the ESP: yes, in my own DB / no, only in ESP - How long I retain event data: duration or "unsure"

Edit the yellow boxes, then send to the AI of your choice.