As mentioned by @deviantfan in a comment, your premise seems wrong.
So, suppose someone writes you asking for additional information (e.g. I am moving to Finland next month, do you have a store there?). Let's assume they have dutifully read your privacy policy, which is nevertheless unlikely.
What is the opt-out you think may be required? IANAL, but it seems trivial to me that (unless there is some weird case that needs to be taken into account) you can reply to them (No, sorry, we have no local presence there).
Were you perhaps going to add that person to a mailing list so they get daily/weekly/monthly mails about your products, despite having expressed no desire for that (or only implicitly by sending you an unrelated mail)? I don't recommend doing that, but in that case, I certainly would mention in the reply that they would start receiving your spam unless they opted out. Are you even automatically adding to such a mailing list any mail that you receive? (even worse, since the email could be spoofed)
If you don't use that address for a mailing list (the most common context for including an opt-out… link?), there would be no need to state how to opt out of such a non-existent mailing list. You may wish to state nevertheless that the provided data is being stored according to the regulations of EU directive 2016/679 and they may access, etc. by doing XYZ (probably not needed at all, but your legal department may wish you to include such a reminder anyway).
And all of this has no relationship at all with OWASP. The OWASP Top 10 Application Security Risks, published in 2017, were:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
As you see, none of them relates to opting out. You seem to be confusing two completely different lists of recommendations.