Summary
Under GDPR, individuals have the right to request the deletion of their personal data. Experts and marketers recommend a nuanced approach regarding competitor emails on suppression lists. Complying with erasure requests is crucial, but a 'legitimate interest' might allow retaining minimal suppression records (email and request date) to prevent future contact, used *only* for that purpose. Domain-level blocking offers a privacy-friendly alternative. Legal counsel is strongly advised to navigate the complexities. Data retention should be transparent, and consider anonymizing data or if there is no business relationship delete it. Maintain a clean list, and treat erasure with the same urgency as removing bounces/complaints.
Key findings
- Right to Erasure: GDPR grants individuals the right to have their personal data erased upon request (right to be forgotten), though not absolute.
- Legitimate Interest Exception: Retaining minimal data for suppression to prevent future contact may be considered a legitimate interest, requiring careful consideration and documentation.
- Domain-Level Suppression: Suppressing entire domains (instead of individual emails) is a privacy-friendly alternative where appropriate.
- Transparency and Consent: Be transparent with users about data retention policies. Ensure you had explicit consent.
- The lawyer is liable: Following the lawyer's advice is important for the company
Key considerations
- Legal Advice: Consult legal counsel to ensure compliance with GDPR and determine the best approach for your specific situation.
- Purpose Limitation: If retaining data, strictly limit its use to suppression only and document the legitimate interest.
- Minimal Data: Retain the bare minimum data necessary for suppression (e.g., email address and date of request).
- Alternative Solutions: Explore alternatives like anonymization or domain-level blocking before retaining personal data.
- No Business Relationship: If no business relationship exists, prioritize deleting the data upon request.
What email marketers say
11 marketer opinions
Under GDPR, individuals have the right to request the deletion of their personal data. However, the consensus among email marketers is nuanced regarding competitor emails on suppression lists. While honoring deletion requests is paramount, retaining minimal suppression records to prevent future contact is often considered a legitimate interest, provided it's used solely for that purpose. Domain-level blocking offers a privacy-friendly alternative to suppressing individual emails. Legal counsel is advisable to navigate the complexities and ensure compliance.
Key opinions
- Right to Erasure: GDPR grants individuals the right to have their personal data deleted upon request (right to be forgotten).
- Legitimate Interest Exception: Maintaining a suppression list to avoid future unwanted contact might be a legitimate interest under GDPR, but this requires careful consideration and legal justification.
- Minimal Data Retention: If retaining data for suppression, keep only the minimal necessary information (e.g., email address and date of request) and use it *only* for suppression purposes.
- Domain-Level Suppression: Consider suppressing entire domains instead of individual email addresses to avoid processing personal data.
- Transparency: Be transparent with users about your data retention policies and the use of suppression lists.
Key considerations
- Legal Advice: Consult with legal counsel to determine the best approach for your specific circumstances and to ensure compliance with GDPR.
- Business Relationship: If there is no business relationship with the individual, it is generally advisable to delete their data upon request.
- Data Breach Risk: Consider the potential consequences of a data breach and whether retaining competitor emails increases your risk.
- Alternative Solutions: Explore alternative solutions such as anonymization or domain-level blocking before retaining personal data.
- Purpose Limitation: Clearly define and document the purpose for retaining data on a suppression list, ensuring it aligns with legitimate interest and is limited to preventing future contact.
Marketer view
Email marketer from Email Geeks says to delete the data if there is no business relationship and someone requests deletion, especially considering potential data breaches.
9 Nov 2021 - Email Geeks
Marketer view
Email marketer from DLA Piper explains that under GDPR, individuals have the right to erasure (the 'right to be forgotten'). This means you must delete their personal data if they request it, provided certain conditions are met. However, a legitimate interest might allow retaining data for suppression purposes to avoid future marketing.
29 Jan 2024 - DLA Piper Privacy Resource Center
What the experts say
5 expert opinions
Experts generally recommend complying with data erasure requests under GDPR. Legal counsel is crucial, as they bear the responsibility for GDPR compliance. A common theme is to consider domain-level suppression as an alternative to storing individual email addresses, balancing the need to prevent future contact with privacy concerns. Promptly removing problematic addresses (bounces, complaints) to maintain sender reputation is also advised.
Key opinions
- Comply with Erasure Requests: The recommended approach is to comply with data erasure requests under GDPR.
- Legal Counsel is Key: Rely on your legal counsel's advice, as they are liable for GDPR compliance.
- Domain-Level Suppression: Suppressing entire domains (instead of individual emails) is a privacy-friendly alternative for legitimate suppression needs.
- Sender Reputation: Quickly remove problematic addresses (bounces, complaints) to maintain sender reputation, treating data deletion requests with similar urgency.
Key considerations
- Legitimate Business Need: Determine if you have a legitimate business need to suppress competitor emails.
- Privacy Implications: Carefully consider the privacy implications of retaining individual email addresses versus using domain-level suppression.
- Balance with Sender Reputation: Weigh the need to suppress against the importance of maintaining a clean and engaged email list for sender reputation.
Expert view
Expert from Word to the Wise recommends that the best approach is to comply with erasure requests. However, if you have a legitimate business need to suppress, suppressing at the domain level could be a good compromise, as it is not tied to a specific individual.
6 Mar 2022 - Word to the Wise
Expert view
Expert from Email Geeks suggests suppressing the entire domain instead of individual email addresses to avoid collecting PII from competitors.
6 Oct 2023 - Email Geeks
What the documentation says
4 technical articles
GDPR documentation outlines the individual's right to erasure, though this right isn't absolute. Exceptions exist, especially when processing is needed for legal obligations or public interest. Legitimate interest, potentially including suppression lists, can be a basis for processing but needs careful balancing against individual rights. Transparency with individuals about data processing is vital.
Key findings
- Right to Erasure: Individuals have the right to have their personal data erased under GDPR.
- Non-Absolute Right: The right to erasure is not absolute and applies in specific circumstances.
- Legitimate Interest: Legitimate interest can be a basis for processing data, including maintaining suppression lists.
- Transparency: Transparency with individuals regarding data processing is essential.
Key considerations
- Legal Basis: Determine if you have a legal obligation or public interest reason to refuse erasure.
- Balance of Interests: Carefully balance your legitimate interest against the individual's rights and freedoms.
- Individual Notification: Ensure individuals are informed about your data processing activities, including the use of suppression lists.
- GDPR Article 17: Review Article 17 of GDPR to understand the conditions for erasure obligations.
Technical article
Documentation from European Data Protection Board shares that the Article 29 Working Party has stated that legitimate interest can be a basis for processing data, including maintaining a suppression list, but it must be carefully balanced against the individual’s rights and freedoms. Transparency is key, and the individual should be informed about this processing.
10 Jul 2021 - European Data Protection Board
Technical article
Documentation from Information Commissioner's Office (ICO) details that individuals have the right to have their personal data erased. However, this right is not absolute and applies in specific circumstances. You can refuse if processing is necessary for compliance with a legal obligation or for reasons of public interest.
13 Aug 2024 - Information Commissioner's Office (ICO)
Are there GDPR concerns related to IP addresses in DMARC reporting?
Can US and European business units share an IP address under GDPR?
Do email marketing opt-outs ever expire?
How should I handle unsubscribe requests for customers with multiple email preferences under one account according to Yahoogle's Feb 2024 requirements?
Is double opt-in a GDPR requirement for UK and EMEA subscribers?
What impact did GDPR have on email marketing?
