Can you destroy records in one country when GDPR requires deletion but another jurisdiction requires retention?
When the EU’s General Data Protection Regulation (GDPR) calls for erasing personal data while another country’s law requires that the same information be kept, you face a genuine conflict of legal obligations. There is no universal rule that lets one law automatically override the other, so the resolution must come from careful analysis rather than a blanket “delete it” or “keep it” decision.
Start by confirming the obligations are real
Both sides of the conflict deserve scrutiny before you act.
- The deletion demand. GDPR’s right to erasure is not absolute. It contains exceptions, including where processing or retention is necessary to comply with a legal obligation. A retention requirement in another jurisdiction may itself qualify under one of those exceptions.
- The retention demand. Confirm the retaining jurisdiction’s law actually applies to the specific record, who it binds, and for how long. A litigation hold, tax rule, or statutory recordkeeping mandate is a stronger basis than a general “we usually keep this” practice.
Look for a path that honors both
Conflicts are often narrower than they first appear. Practical options include:
- Data minimization. Retain only the specific fields the other law requires and delete the rest. Full erasure and full retention are rarely the only choices.
- Restriction of processing. Lock the data so it is preserved but not actively used, which can satisfy a retention duty while limiting privacy exposure.
- Pseudonymization or segregation. Separate or mask identifiers so the retained record meets the legal need without keeping more personal data than necessary.
Document the decision and get the right counsel
Where a true conflict remains, treat it as a legal and risk question, not a purely technical one.
- Involve legal counsel and your data protection officer before destroying or retaining contested records.
- Record your reasoning, the laws weighed, and the option chosen so the decision is defensible later.
- Build the outcome into your retention schedule so similar cases are handled consistently rather than re-litigated each time.
A disciplined records program treats these cross-border conflicts as a recurring design problem to be governed, not a one-off emergency. For more foundational guidance, see the federal records topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Can you destroy records in one country when GDPR requires deletion but another jurisdiction requires retention?. Records Management University. https://www.recordsmgmt.org/questions/gdpr-deletion-vs-foreign-retention-requirement-conflict/
MLA
RM University Editorial. "Can you destroy records in one country when GDPR requires deletion but another jurisdiction requires retention?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/gdpr-deletion-vs-foreign-retention-requirement-conflict/.
Related questions
- Are records created by federal contractors considered federal records?
- Big-bucket vs item-level retention schedules: how do I decide which approach to use?
- Can a federal employee be personally fined or jailed for deleting government records?
- Can federal employees conduct official business on personal devices or apps?
- Can I delete old federal records to free up storage space when our shared drive gets full?