How does the GDPR right to be forgotten conflict with records retention requirements?
The “right to be forgotten” (more precisely, the right to erasure under the EU General Data Protection Regulation) lets individuals ask an organization to delete their personal data. Records retention rules, by contrast, often require organizations to keep certain records for a defined period. When the same data is subject to both, the two obligations can pull in opposite directions.
Where the conflict arises
A person may request erasure of their personal data, but that data may sit inside a record the organization is legally required to retain, such as a financial, tax, employment, or contractual record. You cannot simultaneously delete a record and preserve it. The conflict is most acute when personal data is embedded within records that also serve compliance, accountability, or evidentiary purposes.
Why it is usually resolvable
In practice, the right to erasure is not absolute. The GDPR itself recognizes exceptions, and a common one is when processing is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims. Where a genuine retention requirement applies, that obligation can override an erasure request for the data covered by it. The key is being able to demonstrate a specific, lawful basis for continued retention rather than keeping data simply by default.
How organizations reconcile the two
- Maintain a retention schedule. Document what must be kept, for how long, and under what authority, so retention claims are defensible rather than assumed.
- Apply data minimization. Keep only the personal data actually needed for the retention purpose; erase or anonymize the rest.
- Distinguish records from convenience copies. Erasure can often proceed for duplicates, backups, and non-record data even when the official record must stay.
- Use anonymization or pseudonymization. Once data can no longer identify a person, it generally falls outside the scope of personal-data rules while still serving statistical or archival needs.
- Log and respond to requests. Track each erasure request and document the legal grounds when you decline or partially fulfill it.
The bottom line
The right to be forgotten and retention requirements coexist when an organization can clearly justify why specific data is retained. Sound records management, supported by a current retention schedule and disciplined minimization, turns an apparent conflict into a documented, defensible decision. For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How does the GDPR right to be forgotten conflict with records retention requirements?. Records Management University. https://www.recordsmgmt.org/questions/gdpr-right-to-be-forgotten-vs-records-retention/
MLA
RM University Editorial. "How does the GDPR right to be forgotten conflict with records retention requirements?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/gdpr-right-to-be-forgotten-vs-records-retention/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?