What is the right to erasure (“right to be forgotten”)?

The right to erasure (commonly called the "right to be forgotten") under GDPR Article 17 allows individuals to request deletion of their personal data in certain circumstances. These include: when the data is no longer necessary for its original purpose; when consent is withdrawn (if consent was the legal basis for processing); when the individual objects to processing and there are no overriding legitimate grounds; when data was unlawfully processed; when erasure is required for legal compliance; or when data was collected from children. For email marketing, this means subscribers can request complete deletion of their data from your systems.

The right to erasure is not absolute; it has important exceptions. You can retain data when processing is necessary for exercising the right of freedom of expression, for compliance with legal obligations, for public health purposes, for archiving in the public interest, or for establishing, exercising, or defending legal claims. For email marketers, the key exception involves suppression records: you may retain minimal data necessary to honor an unsubscribe request (the email address on a suppression list) even after an erasure request, because this retention is necessary to comply with anti-spam regulations.

When processing erasure requests, ensure comprehensive deletion across all systems: ESP, CRM, analytics, backups, and any third parties with whom you've shared data. Notify third parties of the erasure requirement. Respond within one month, explaining what data was deleted and what (if anything) was retained and why. For retained suppression records, minimize the data to only what's necessary for the suppression function. The right to erasure lets people withdraw from your data ecosystem. Honor it completely except where law requires or permits limited retention.