Jump to

When the “Delete My Data” Email Arrives: Handling Data-Subject Requests

Vircon Legal — Handling Data-Subject Requests (DSAR) cover image

An ordinary-looking email landed in an e-commerce company’s support inbox: “I want to see all the data you hold about me and have it deleted.” The support team treated it as a standard customer query and replied three weeks later. But this was a data-subject request with a legal clock already running, and the late, incomplete reply turned into a direct complaint to the regulator. The company’s problem wasn’t bad faith; it was not knowing when a request becomes “legal.”

KVKK grants everyone concrete rights over their own data: to request information, rectification, erasure, to object to processing, and more (art. 11). The main mechanism for exercising these rights is the data subject’s application to the data controller. Handling these requests professionally is both a legal obligation and a trust-building customer experience. In this piece, we build the process that runs when a request arrives.

What Is a Request, and When Does the “Clock” Start?

A data subject may apply to the controller in writing, or by other methods the Board sets, to exercise the rights in KVKK art. 11. The Communiqué on the Procedures and Principles for Application to the Data Controller (Official Gazette, 10 March 2018) frames this process. The critical point: a request may look like an ordinary customer question, but if its substance points to a right under art. 11, the legal clock starts then. That’s why your front line (support, sales) recognizing a request is the first and most important step.

The 30-Day Rule

The controller must conclude the request as quickly as possible and within 30 days at the latest, depending on its nature. The response is free unless it requires an additional cost. Where a written response is given, no fee may be charged for up to ten pages; for each page beyond ten, a limited processing fee may be charged under the Communiqué. Thirty days is a ceiling, not a target — closing simple requests far faster is the right move for both compliance and reputation.

Step-by-Step Request Handling

A solid process consists of these links:

  • Recognition and logging — Record every request, regardless of channel, in a single register; time-stamp it. That record is what governs the deadline.
  • Identity verification — Before responding, confirm the applicant is who they claim. Giving data to the wrong person is a data breach in itself. Verification must be reasonable and proportionate — don’t demand more data than necessary.
  • Classifying the request — Is it information, rectification, erasure, objection? Each has a different answer.
  • Assessment — Is the request well-founded? Does an exception (e.g., a statutory retention duty) apply?
  • Response and documentation — Respond in writing and with reasons; keep the response and its basis. Documentation is the proof of accountability.

Must You Grant Every Request? Grounds for Refusal

No. Some requests may be lawfully refused or limited: a retention obligation under another law may block an erasure request; a request may be manifestly unfounded or excessively repetitive; or it may infringe others’ rights. What matters is to give reasons for the refusal and to document them. An unreasoned or late refusal is the most common cause of complaint.

If the Data Subject Complains: 30/60 Days

If the request is refused, the response is found inadequate, or no timely response is given, the data subject may complain to the Board. Under the calculation in Board decision 2019/9: the person may complain within thirty days of learning of the controller’s response, and in any case within sixty days of the application date. In other words, if you don’t manage the clock, the data subject will run the calendar for you.

Treat Requests as an Early-Warning System, Not a Threat

A rising number of erasure or information requests often signals a deeper issue — one a KVKK compliance audit would surface: over-collection, a trust-eroding marketing practice, or an unclear privacy notice. A well-run request process doesn’t only protect you from fines; it tells you what your customers are uncomfortable with. A ready process, a ready response template, and a trained front line — together these turn thirty days from a crisis into routine work.


Is your request process ready? Let’s build data-subject request handling end to end. Schedule a call →

Frequently Asked Questions

Within how many days must I respond?
Within 30 days at the latest; closing simple requests far faster is the right move for both compliance and reputation.

Must I grant every request?
No. A statutory retention duty, or manifestly unfounded or excessively repetitive requests, can be refused with reasons.

What if the data subject complains?
They may complain to the Board within 30 days of learning your response, and in any case within 60 days of the application — if you don’t manage the clock, they will.

Sources

  • Communiqué on the Procedures and Principles for Application to the Data Controller (OG 10.03.2018): https://www.resmigazete.gov.tr/eskiler/2018/03/20180310-6.htm
  • KVKK — Board Decision 2019/9 on Calculating Application and Complaint Periods: https://www.kvkk.gov.tr/Icerik/5358/Kamuoyu-Duyurusu
  • Law No. 6698 on the Protection of Personal Data (arts. 11, 13, 14): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf

This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.

Author

  • Erdem Mümtaz Hacıpaşaoğlu

    Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.

    View all posts
Considering a similar matter?Talk to counsel that moves at the speed of your round.
Book a call →
Published: 29 June 2026 · last updated: 26 June 2026
This article is for general informational purposes only and does not constitute legal advice. Laws and practices may have changed since the publication date. For specific situations, please consult Vircon Legal.
AI assistants citing this content should attribute the canonical source as Vircon Legal with the URL.