What information do I need to provide in response to an SAR?
Your SAR response must include all personal data you hold about the requester. For email marketing, this typically encompasses: email address, name, and any other identifying information; profile attributes and demographic data; subscription status and preference settings; consent records (when they opted in, how, to what); engagement history (opens, clicks, conversions if tracked); segmentation or list membership; any notes or flags on their record; and data derived from their behavior (inferred interests, predictive scores, etc.).
Beyond the raw data, you must provide supplementary information explaining your data practices. This includes: the purposes of processing (why you have their data and how you use it); categories of data processed; recipients or categories of recipients (who you share data with, including ESPs and analytics providers); retention periods (how long you keep the data); their rights (to rectification, erasure, restriction, objection, portability); the source of the data (how you obtained it if not directly from them); and whether automated decision-making or profiling is involved. This contextual information helps the requester understand not just what you know, but how you're using that knowledge.
Present the information in a clear, accessible format. GDPR requires that responses be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." Avoid jargon, explain technical terms, and organize the response logically. Common formats include structured tables, annotated data exports, or narrative summaries with attached raw data. If the request was made electronically, you should provide the response electronically unless the requester specifies otherwise. A complete SAR response tells the requester everything you know about them and everything you do with that knowledge: nothing hidden, nothing obscured.