How to handle requests for deletion vs suppression?

The distinction between deletion and suppression is crucial for email marketers navigating data subject requests. When someone unsubscribes from marketing emails, they're requesting suppression. They uwant you to stop sending to them, which requires keeping their address on a suppression list. When someone requests erasure under GDPR's right to be forgotten, they're requesting deletion-removal of their personal data from your systems. These are different requests with different implications.

The tension between deletion and suppression creates a practical challenge: if you completely delete someone's email address, you might accidentally re-add them later through list imports or sync processes, thereby violating their original opt-out request. Regulators generally recognize this paradox and accept that minimal suppression data can be retained even after an erasure request. Your suppression record should contain only the email address (potentially hashed), the date of suppression, and the reason-nothing more.

When processing requests, clarify the intent if ambiguous. Someone who says "delete my data" might mean "stop emailing me" (suppression) or might genuinely want erasure. If they request full erasure, explain that you'll delete their personal data but retain their email address on a suppression list to ensure they're not contacted again-most people find this reasonable when explained. If they insist on complete deletion including suppression, honor that request but document it clearly, as you won't be able to prevent future accidental re-addition. Deletion and suppression serve different purposes-deletion removes data, suppression prevents contact. For email marketing, you often need suppression even when you've completed deletion.