Handling SAR and RTE Requests: Roles, Responsibilities & Process

Understanding Roles and Why They Matter

When running marketing campaigns with Sopro, both parties have specific responsibilities under data protection law. Sopro acts as your Data Processor, meaning we process prospect data strictly under your instruction and in line with GDPR requirements. You, as the client, are the Data Controller, which means you determine the purpose and means of processing that data.

This distinction is important because, as the Data Controller, you are legally responsible for responding to any data subject requests, such as Subject Access Requests (SARs) or Right to Erasure requests (RTEs), that may arise during or after a campaign. Sopro supports you by providing access to all relevant data through the Sopro portal, but the responsibility for managing, responding to, and recording these requests rests with your organisation.

Your Responsibilities as the Data Controller

As the Data Controller, your organisation is responsible for managing and responding to any data subject requests (such as SARs and RTEs) in line with GDPR requirements.

1. Acknowledge and Manage Requests

  • Identify and confirm any SAR or RTE requests received and respond within the required GDPR timeframe.

2. Provide Complete Responses

  • Use the Sopro Portal to access and export relevant data, then combine this with any information held in your own systems before sending a full response.

3. Communicate with the Prospect

  • Ensure your response includes all necessary GDPR details and is sent directly to the individual.

4. Process RTE Requests

  • Delete the individual’s data from both the Sopro Portal and your internal systems, and update suppression lists to prevent future contact.

5. Maintain Records

  • Keep a clear log of all requests and actions taken to demonstrate compliance if required.

SAR vs. RTE – What’s the Difference?

  • Subject Access Request (SAR): An individual asks for access to all personal data your organisation holds about them, along with information about how and why it’s processed.
  • Right to Erasure (RTE): An individual asks for their personal data to be deleted (“the right to be forgotten”) from all systems and records where it is stored.

SAR handling: General Guidance

Disclaimer: The text below is provided by Sopro (the “Company”) for informational and illustrative purposes only. It is intended to serve as a general guideline and starting point for clients on handling SARs following a Sopro campaign. The Company is not a law firm, and neither the Company nor its employees are providing legal advice. This guidance is not a substitute for legal advice from a qualified attorney licensed in your jurisdiction. The information contained in this guidance may not be applicable or suitable for your specific circumstances. Please refer to your internal policies to ensure they accurately reflect your practices.

1. SAR receipt and acknowledgement

  • Identify the SAR
      • As soon as a request referencing personal data is received, recognise it as a SAR
      • Note the date and time of receipt to start the one-month GDPR response clock

2. Activate your internal SAR process and follow the steps as described there – additionally, you might need to:

  • Log in to the Portal
      • Access the Sopro portal, where all relevant campaign and prospect data is stored
      • Use portal filters or search functionality by email address to identify all records associated with the requesting individual
  • Generate the Excel/CSV Export
      • From within the portal, export the prospect’s data (e.g., Name, Email, Title, Social links, Email logs, etc.)
  • Combine with other data sources (if necessary)
      • If you store additional data about the prospect outside of the portal (e.g., in your CRM or email inbox), gather that information as well
      • GDPR requires providing all personal data you hold about the individual, not just what exists in Sopro

3. Template responses on the portal

  • Refer to the sample responses available on the portal as a guideline when responding to prospects with compliance-related questions
  • Please note that these templates are provided for general informational purposes only and do not constitute legal advice. For legal guidance, please consult a qualified attorney licensed in your jurisdiction, and follow your internal policies to ensure they accurately reflect your organisation’s actual practices

Source of prospect data

In cases where the prospect asks for the source of the data (e.g., ‘Where did you get my email address from? I don’t have it on LinkedIn’), you can use the sample text below to provide this additional information to the prospect:

“We obtained your details from publicly available sources, such as LinkedIn, and verified your email address through a trusted third-party service. We work with trusted digital marketing agents as data processors, which involves obtaining and processing personal information. For transparency, one of our appointed data processors is:

(i) Prospect Global Ltd (trading as Sopro), registered in the UK under company number 09648733. You can contact Sopro and view their privacy policy at http://sopro.io. Sopro is registered with the Information Commissioner’s Office (ICO) under registration number ZA346877. Their Data Protection Officer can be reached at dpo@sopro.io.”

RTE handling: General Guidance

Disclaimer: The text below is provided by Sopro (the “Company”) for informational and illustrative purposes only. It is intended to serve as a general guideline and starting point for clients on handling RTEs following a Sopro campaign. The Company is not a law firm, and neither the Company nor its employees are providing legal advice. This guidance is not a substitute for legal advice from a qualified attorney licensed in your jurisdiction. The information contained in this guidance may not be applicable or suitable for your specific circumstances. Please refer to your internal policies to ensure they accurately reflect your practices.

1. Identify and acknowledge the request

  • Acknowledge receipt of the RTE
      • As soon as you receive a message (e.g., email or phone call) from a prospect requesting erasure of their personal data, record the date and time
      • Recognise this as a Right to Erasure (RTE) request under Article 17 of GDPR

2. Activate your internal RTE process and follow the steps as described there

  • Initiate deletion in the portal – access your Sopro client portal with your credentials and locate the prospect’s record
  • Select “Submit data removal request” – this means that the prospect will be removed from the campaign and their details will be anonymised

3. Delete prospect data from other systems (if applicable)

  • If you store any of the individual’s data outside the Sopro portal (CRM, email marketing software, local files, etc.), ensure you delete or anonymise it there as well – unless a lawful retention reason exists (e.g. legal obligation to keep certain details for regulatory purposes under GDPR)
  • To avoid inadvertently contacting this individual in the future, add their email or hashed identifier to internal suppression lists, as well as the exclusion list on the portal