GDPR data subject request response email templates for subject access requests and right to erasure requests. Fill in request details and send a compliant, consistent response within the one-month deadline.
Dear [Requester name],
Thank you for your Subject Access Request received on [Date request was received]. We are writing to confirm receipt and to provide our response in accordance with Article 15 of the UK/EU General Data Protection Regulation (GDPR).
IDENTITY VERIFICATION
Include if applicable: Before we proceed, we are required to verify your identity to ensure that we do not disclose personal data to an unauthorised party. We have confirmed your identity [e.g. using the information you provided / and are satisfied that you are the data subject named above]. Or: Please provide [Requested verification details] so that we can proceed with your request.
CONFIRMATION OF PROCESSING
We can confirm that [VALUE("Organization")] [Select] process personal data relating to you.
If processing is confirmed, include the following sections:
YOUR PERSONAL DATA
We have enclosed / are attaching a copy of the personal data we hold about you. This data comprises:
[List the categories of personal data provided — e.g. name and contact details, account history, communications records]
INFORMATION ABOUT OUR PROCESSING
In accordance with Article 15(1) of the GDPR, we are providing the following information about our processing of your personal data:
Purposes of processing: [Describe the purposes — e.g. to fulfil our contract with you, to comply with legal obligations, for legitimate business interests]
Legal basis for processing: [State the legal basis under Art. 6 GDPR — e.g. contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests (Art. 6(1)(f))]
Categories of personal data: [List categories — e.g. identification data, contact data, financial data, usage data]
Recipients: [Identify recipients or categories of recipients — e.g. payment processors, IT service providers, regulatory bodies]
Retention period: [State how long the data is held or the criteria used — e.g. retained for X years from end of relationship with you]
Source of data: [If data was not collected directly from the data subject, state the source]
Automated decision-making: [State whether automated decision-making or profiling is used, and if so, the logic involved and its significance]
YOUR RIGHTS
You have the following rights in relation to your personal data: the right to request rectification of inaccurate data (Art. 16), the right to request erasure in certain circumstances (Art. 17), the right to restriction of processing (Art. 18), the right to object to processing (Art. 21), and the right to data portability (Art. 20).
You also have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, please contact the supervisory authority in your country of residence.
If you have any questions about this response or wish to exercise any of your other rights, please contact us at [Data protection contact email].
Yours sincerely,
[VALUE("Author.FullName")]
[Sender title or job title]
[VALUE("Organization")]
[VALUE("Author.EmailAddress")]
Dear [Requester name],
Thank you for your request for erasure of your personal data, received on [Date request was received]. We are responding in accordance with Article 17 of the UK/EU General Data Protection Regulation (GDPR).
We have reviewed your request and our lawful basis for retaining your personal data and can confirm the following:
Use the appropriate section below and delete the others.
OPTION A — ERASURE CONFIRMED IN FULL
We can confirm that we have permanently deleted all personal data we hold about you from our systems and records. This deletion was completed on [Deletion completion date].
If data was shared with third parties: In accordance with Article 17(2) of the GDPR, we have also notified the following third parties to whom your personal data was previously disclosed and requested that they erase it: [List third parties notified, or state the relevant processors and partners who had access to your data]
Please note that we may retain a minimal record of this request and its outcome in order to demonstrate compliance with our legal obligations. This record does not include your substantive personal data.
OPTION B — PARTIAL ERASURE (SOME DATA RETAINED ON LAWFUL GROUNDS)
We have deleted the following personal data: [Describe what has been deleted]
However, we are unable to erase the following data at this time: [Describe what has been retained and why]
We retain this data on the following lawful grounds under Article 17(3) of the GDPR: [State the applicable ground — e.g. compliance with a legal obligation / establishment or defence of legal claims / other ground under Art. 17(3)]
We will delete this data when the applicable retention obligation has been fulfilled.
OPTION C — ERASURE DECLINED (LAWFUL GROUNDS APPLY IN FULL)
After reviewing your request, we are unable to erase your personal data at this time. We retain your data on the following lawful grounds under Article 17(3) of the GDPR: [State the applicable ground(s) and explain briefly]
We will review this position [e.g. at the end of the applicable retention period / when legal proceedings conclude / as circumstances change].
YOUR RIGHTS
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, please contact the supervisory authority in your country of residence. You also have the right to seek judicial remedy.
If you have any questions about this response, please contact us at [Data protection contact email].
Yours sincerely,
[VALUE("Author.FullName")]
[Sender title or job title]
[VALUE("Organization")]
[VALUE("Author.EmailAddress")]
These templates are a starting point. GDPR compliance requirements are complex and jurisdiction-specific — consult a qualified data protection professional before implementing these templates as part of your formal compliance process.
What's included
Each snippet auto-populates the following fields when used in WordFields:
- Requester name and date the request was received
- Confirmation of processing status and categories of personal data held
- Purposes and legal bases for processing (SAR variant)
- Recipients, retention periods, and data sources (SAR variant)
- Deletion confirmation date and third parties notified (erasure variant)
- Lawful grounds for retention where erasure is partially or wholly declined
- Data protection contact email and supervisory authority reference
- Sender name, email, and organisation name (pulled from the logged-in user and workspace automatically)
When to use
Subject Access Request (SAR) Response: Use this snippet when an individual — a customer, employee, former employee, supplier contact, or website visitor — formally requests a copy of the personal data your organisation holds about them and information about how that data is processed. Under Article 12(3) of the GDPR, you have one calendar month from receipt of the request to respond. The clock starts on the date the request is received, regardless of when internal review begins, which makes having a ready-to-use response template operationally significant. The identity verification section should be completed before any personal data is disclosed — you must take reasonable steps to confirm the requester is who they claim to be. For organisations that receive SARs with some regularity, storing this template in a shared WordFields workspace ensures every team member — not just the Data Protection Officer — can initiate a consistent, legally structured acknowledgement within hours of receipt.
Right to Erasure Response: Use this snippet when an individual requests the deletion of their personal data under Article 17 of the GDPR. The template is structured with three conditional options — full erasure confirmed, partial erasure with retained data explained, and erasure declined with lawful grounds stated — and the sender selects the appropriate option and deletes the others before sending. The most common lawful grounds for retaining data despite an erasure request are compliance with a legal obligation (for example, statutory accounting retention requirements), and the establishment or defence of legal claims. Where erasure is declined or partial, you must inform the requester of their right to complain to the supervisory authority. The privacy policy update notice is the companion template for proactively communicating changes in how your organisation processes personal data.
Frequently asked questions
What is a data subject request under GDPR?
A data subject request (DSR) is a formal request from an individual exercising one of their rights under the GDPR. The most common types are a Subject Access Request (SAR) under Article 15, where the individual requests a copy of the personal data you hold about them and information about how it is processed, and a Right to Erasure request under Article 17, where the individual asks you to delete their personal data. Controllers must respond to both within one calendar month of receipt.
How long do you have to respond to a GDPR data subject request?
Under Article 12(3) of the GDPR, you must respond to a data subject request without undue delay and in any event within one calendar month of receiving the request. Where requests are complex or numerous, this deadline can be extended by up to two further months, but you must notify the individual within the first month that an extension is being taken and explain why. The one-month clock starts from the date the request is received, not from when it is acted upon.
What must a Subject Access Request response include?
A SAR response must confirm whether you are processing personal data about the individual, and if so, provide: a copy of that data, the purposes for which it is processed, the categories of data involved, the recipients or categories of recipients to whom data has been disclosed, the retention period or criteria used to determine it, information about the individual's rights (rectification, erasure, restriction, objection), and the right to lodge a complaint with the relevant supervisory authority. Responses must be provided free of charge and in a commonly used electronic format.
When can you refuse a right to erasure request?
Under Article 17(3) of the GDPR, the right to erasure does not apply where processing is necessary for: compliance with a legal obligation, the performance of a task in the public interest, or the establishment, exercise, or defence of legal claims. Erasure can also be refused if the request is manifestly unfounded or excessive. Where you refuse a request, you must inform the individual of the reasons and of their right to complain to the supervisory authority and seek judicial remedy.
Do you need to verify the identity of someone making a data subject request?
Yes — before fulfilling a data subject request, you should take reasonable steps to verify that the requester is who they claim to be. For existing customers or employees, this may be as simple as confirming their registered email address or account details. For individuals you cannot readily identify, you may request additional information, but you should not demand disproportionate evidence. The identity verification process should not create unnecessary barriers to the exercise of data subject rights.
Does GDPR apply if we only have a few customers in the EU?
GDPR applies to any organisation that processes the personal data of individuals in the EU, regardless of the organisation's size or location. If you have customers, employees, or any other data subjects located in the EU — even a small number — and you process their personal data, GDPR obligations apply to that processing. The number of EU data subjects does not create a threshold below which the regulation does not apply.
How does WordFields help teams respond to GDPR data subject requests consistently?
WordFields stores your GDPR response snippets in a shared workspace so every team member responds from the same approved templates. Open the snippet, fill in the requester's details, the date the request was received, and the relevant data processing information, and copy the completed response to your clipboard or insert it directly into your email client via the Chrome extension. Consistent, compliant responses every time — without drafting from scratch under a one-month deadline.