Can an EU employee's GDPR right-to-erasure request force deletion of a work email that US litigation or FOIA rules require us to keep?
Two Legitimate Obligations in Tension
This is a real and common conflict, but in most cases the GDPR right to erasure does not automatically override a US duty to retain. The right to erasure (sometimes called the “right to be forgotten”) is not absolute. The GDPR itself recognizes that erasure does not apply where continued processing is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.
A US litigation hold or a record subject to FOIA, regulatory, or statutory retention requirements is exactly the kind of competing legal obligation that the GDPR carves out. So when a valid hold or retention rule applies, the organization generally has a lawful basis to decline or defer the erasure request for the affected email.
How to Handle the Request
Treat it as a documented decision, not an automatic yes or no.
- Verify the request. Confirm the requester’s identity and which messages are actually in scope.
- Check for legal holds. If the email is under a litigation hold, the duty to preserve takes precedence. Spoliation of evidence carries serious consequences in US courts.
- Check retention requirements. FOIA applies to federal agency records; many other emails are governed by records schedules or industry retention rules.
- Minimize, don’t necessarily delete. Even where you must keep the email, you may be able to honor the spirit of the request by restricting access, limiting further processing, or redacting unrelated personal data.
- Respond and document. GDPR generally requires you to respond to the data subject, including explaining when you cannot fully comply and why.
The Practical Takeaway
The conflict is resolved through governance, not guesswork. A defensible position rests on a clear retention schedule, a reliable legal-hold process, and a documented basis for each decision. When the hold or retention period ends and no other obligation applies, the erasure obligation can then be revisited.
Because facts vary and laws change, coordinate these decisions with legal counsel and your privacy and records functions before acting.
For related guidance on managing messages as records, see email and messaging.
Sources & further reading
Authoritative government and non-profit references.
- FOIA frequently asked questions — FOIA.gov / U.S. DOJ
- The Sedona Conference publications — The Sedona Conference
How to cite this page
APA
RM University Editorial. (2026). Can an EU employee's GDPR right-to-erasure request force deletion of a work email that US litigation or FOIA rules require us to keep?. Records Management University. https://www.recordsmgmt.org/questions/can-an-eu-erasure-request-force-deletion-of-an-email-us-litigation-or-foia-rules-require-keeping/
MLA
RM University Editorial. "Can an EU employee's GDPR right-to-erasure request force deletion of a work email that US litigation or FOIA rules require us to keep?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/can-an-eu-erasure-request-force-deletion-of-an-email-us-litigation-or-foia-rules-require-keeping/.
Related questions
- Are emails between teachers and parents considered education records under FERPA?
- Are emails in my Sent folder and Inbox both records, or just one copy?
- Are emails on my personal phone discoverable in a lawsuit?
- Are ephemeral or disappearing messages legal to use for work, or do they violate recordkeeping rules?
- Are text messages and chat business records?