What happens when GDPR's right to erasure conflicts with a legal hold or statutory retention requirement in another country?
When a data subject asks an organization to erase their personal data under the EU General Data Protection Regulation (GDPR), that request can collide with an obligation to keep the very same information — for example, a litigation hold or a statutory retention period imposed by another country’s law. These duties pull in opposite directions, and resolving the tension is a core records and information governance (IG) challenge.
The right to erasure is not absolute
GDPR’s right to erasure (often called the “right to be forgotten”) includes built-in exceptions. Erasure generally does not apply where continued processing is necessary to comply with a legal obligation, to establish, exercise, or defend legal claims, or to meet other recognized public-interest grounds. In practice, this means a valid legal hold or a genuine statutory recordkeeping requirement can lawfully override an erasure request — but the organization must be able to document why.
Legal hold and retention usually prevail — when justified
A legal hold suspends routine disposition once litigation or investigation is reasonably anticipated, and preserving relevant evidence is widely treated as a duty that takes precedence over deletion. Similarly, where another jurisdiction’s law mandates that records be kept for a defined period (tax, employment, financial, or sector-specific rules), that obligation typically supports refusing or deferring erasure for the affected data.
The key is scope. The preservation duty should reach only the data and the period actually required. Information outside the hold or beyond the retention obligation should still be erased on the data subject’s request.
How professionals reconcile the conflict
- Map the obligations. Identify every applicable retention rule, hold, and the GDPR basis at stake before responding.
- Apply the narrowest restriction. Use restriction of processing rather than full deletion when records must be retained but no longer actively used.
- Document the decision. Record the legal basis for refusing or delaying erasure; defensibility depends on the rationale.
- Communicate and diary. Tell the data subject why erasure is deferred, and re-evaluate once the hold lifts or the retention period expires, then complete erasure.
Sound cross-border governance treats erasure, holds, and retention as one coordinated lifecycle rather than competing demands. For broader context, see the compliance standards topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- The Sedona Conference publications — The Sedona Conference
How to cite this page
APA
RM University Editorial. (2026). What happens when GDPR's right to erasure conflicts with a legal hold or statutory retention requirement in another country?. Records Management University. https://www.recordsmgmt.org/questions/gdpr-erasure-vs-foreign-legal-hold-or-retention/
MLA
RM University Editorial. "What happens when GDPR's right to erasure conflicts with a legal hold or statutory retention requirement in another country?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/gdpr-erasure-vs-foreign-legal-hold-or-retention/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?