When someone makes a GDPR erasure or objection request, many businesses assume they need to delete everything — including the request itself. But that can actually lead to a GDPR violation.
Here’s why:
❗ The Problem:
If you fully delete a data subject’s personal data and their deletion/objection request, you risk accidentally collecting or processing their data again in the future — which is exactly what happened in a real-world case where a company re-collected personal data after deletion, thinking they were compliant. The result? The Data Protection Authority ruled against them for unlawful processing.
✅ The Solution: Keep a Suppression List
To comply with GDPR and avoid re-collecting deleted data:
- Keep a minimal record of the person’s erasure or objection request.
- This is often called a “suppression list” or “do-not-contact list.”
- Only store what’s strictly necessary (e.g., a hashed email or identifier).
- Use it only to prevent future processing — not for marketing or profiling.
🔒 Isn’t That a GDPR Violation?
No. GDPR allows you to keep minimal data if:
- It serves a legitimate interest, like avoiding further contact.
- It’s necessary to comply with legal obligations.
- You follow data minimization and purpose limitation principles.
📌 Best Practice:
- Log the objection/deletion request securely.
- Block future processing attempts using suppression logic.
- Avoid full “hard deletes” that wipe all history of the request.
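
A sketch of the suppression list and the "suppression logic" gate described above, as an added example that is not part of the original post. All names (`SuppressionList`, `ingest_contacts`, the demo key) are hypothetical. It assumes a keyed hash (HMAC-SHA256) rather than a plain hash, because an unkeyed hash of an email address can be matched by hashing candidate addresses.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo key (assumption): in practice, load it from a secrets manager.
SUPPRESSION_KEY = b"demo-only-key-not-for-production"

def normalize_email(email: str) -> str:
    """Canonicalize so ' Jane@Example.com' and 'jane@example.com' match."""
    return unicodedata.normalize("NFKC", email).strip().casefold()

def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the address; the list never holds the address itself."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SuppressionList:
    """Stores only a token and the request type, nothing else about the person."""

    def __init__(self) -> None:
        self._entries = {}  # token -> "erasure" | "objection"

    def record_request(self, email: str, kind: str) -> None:
        if kind not in ("erasure", "objection"):
            raise ValueError(f"unknown request kind: {kind}")
        self._entries[suppression_token(email)] = kind

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._entries

def ingest_contacts(rows, suppressed):
    """Gate run before any new import; returns (accepted_rows, blocked_count)."""
    accepted, blocked = [], 0
    for row in rows:
        if suppressed.is_suppressed(row["email"]):
            blocked += 1  # count only; do not log the address being dropped
        else:
            accepted.append(row)
    return accepted, blocked

def demo():
    sl = SuppressionList()
    sl.record_request("jane.doe@example.com", "erasure")  # constructed sample
    incoming = [{"email": " Jane.Doe@Example.com"}, {"email": "sam@example.org"}]
    return ingest_contacts(incoming, sl)
```

The gate only works if every collection path (imports, sign-up forms, purchased lists) calls it before writing to the main data store.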