How do I keep digitised records compliant when GDPR forces deletion but another country's law requires me to retain the same scan?
When a privacy law such as the GDPR grants an individual the right to erasure, but a different jurisdiction’s law compels you to retain the same scanned document, you are facing a genuine conflict of legal obligations. The goal is not to “win” one law over the other, but to document a defensible, principle-based decision that respects both as far as possible.
Start by mapping the obligations
- Identify exactly which record is in scope, where the data subject is, and which laws apply to your organisation and to that record.
- Confirm the retention requirement is real and mandatory (a statute or regulator-imposed duty), not merely a habit or convenience.
- Note that most erasure rights are not absolute. They typically include an exception where processing or retention is required to comply with a legal obligation.
Apply the exception, narrowly
If a binding law requires you to keep the scan, that retention obligation usually qualifies as a lawful basis to refuse or defer erasure for that specific record. Document the legal basis, the conflicting requirement, and the reasoning. Then minimise:
- Retain only what the retaining law actually requires, not the entire file.
- Restrict access so the record is used only for the compliance purpose that justifies keeping it.
- Apply a defined retention period and dispose of the record when that obligation ends.
Make the decision defensible
Good records management treats this as a controlled exception, not an ad hoc choice:
- Record the conflict assessment in your retention schedule and disposition log.
- Inform the data subject why erasure cannot be completed, citing the overriding obligation.
- Apply data-minimisation and access controls as ongoing safeguards while the record is held.
Get specialist input
Cross-border conflicts of law are fact-specific. Consult qualified legal counsel and your data protection officer before acting, and align your approach with recognised records and privacy frameworks so your reasoning is consistent and auditable.
For broader guidance on managing scanned and born-digital records, see the digitization and imaging hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). How do I keep digitised records compliant when GDPR forces deletion but another country's law requires me to retain the same scan?. Records Management University. https://www.recordsmgmt.org/questions/reconcile-gdpr-deletion-with-foreign-retention-for-same-digitised-record/
MLA
RM University Editorial. "How do I keep digitised records compliant when GDPR forces deletion but another country's law requires me to retain the same scan?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/reconcile-gdpr-deletion-with-foreign-retention-for-same-digitised-record/.
Related questions
- Are Microsoft Copilot and ChatGPT outputs considered records, and how do you capture them?
- Are scanned copies legally admissible in the UK under the BS 10008 standard the same way they are in the US?
- Are scanned copies of documents admissible to the SEC and FINRA, and do broker-dealers still need WORM storage after digitizing?
- Are scanned documents legally admissible in court?
- Are there industries where scanning and shredding originals is prohibited by law?