If a company receives a right to be forgotten request, does it have to delete a data subject’s information from its email-marketing unsubscribe list?

BCLP

No.

Although the GDPR indicates that people have a “right to be forgotten,” that right is not absolute.  Rather, it exists only where one of the following six limited situations applies:

  1. Companies must delete data upon request if data is no longer necessary.  If personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.1 In the context of an email address that is being maintained on an unsubscribe or “do not email” list, a company could argue that the continued maintenance of the data is “necessary” in relation to the purpose for which it was collected (i.e., to ensure that a data subject does not inadvertently receive marketing communications).
  2. Companies must delete data upon request if the data was processed based solely on consent.  The GDPR recognizes that companies may process data based on six alternate lawful grounds.2 One of these is where a person has “given consent” to the processing for a specific purpose.3  If a company’s sole basis for processing data is the consent of an individual, the company is typically required to honor a right to be forgotten request, which might, for all practical purposes, be viewed as a revocation of that consent.  Conversely, if processing is based on an additional permissible purpose (e.g., performance of a contract), the right to be forgotten request does not necessarily have to be granted.  In the context of an email address that is included in an unsubscribe list, most companies would not base the maintenance of that list on “consent.”  To the extent that the company is obligated under European law to keep a list of individuals that have objected to receiving marketing communications, the maintenance of that list would be based upon the lawful purpose of complying with European law.  To the extent that the company is obligated under a non-European law (e.g., the CAN SPAM Act) to keep a list of individuals that have objected to receiving marketing communications, the maintenance of that list would be based upon the legitimate interest of the company to comply with a foreign law.
  3. Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights.  As indicated in the previous paragraph, another ground upon which a company can process data is to further the company’s “legitimate interest.”  When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”4 So, for example, if a company uses an individual’s email address for direct marketing, and the individual requests that his information be deleted (but does not specifically request that the company stop marketing to him), the company may have to honor that request as it would be difficult for it to demonstrate that its interest in direct marketing overrides the individual’s interest in having his information erased (this assumes, of course, that the company based direct marketing upon legitimate interest and not upon consent).  Conversely, however, if an individual requests that his information be deleted and that the company stop marketing to him in the future, the company may have to refuse deleting the consumer’s information from its unsubscribe list in order to further the company’s legitimate interest in following international laws that prohibit marketing to individuals that have “opted-out.”  The refusal would arguably not be overridden by the data subject’s interest in the deletion as the refusal may be the only way of ensuring that the data subject’s request not to receive future marketing communications be honored.
  4. Companies must delete data upon request if data is being processed unlawfully.  The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.5 To the extent that a company is maintaining a data subject’s information on an unsubscribe list, there would be little argument that the data is being processed unlawfully.
  5. Companies must delete data upon request if erasure is already required by law.  The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”6 In the context of an individual that has asked to be opted out from marketing, it is unlikely that any Member State requires the deletion of information from an unsubscribe list.
  6. Companies must delete data upon request if it is collected from a child as part of offering an information society service.  The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16.7 This may have little, if any, applicability in the context of the maintenance of an unsubscribe list. 

The net result is that if a company receives a request to delete a data subject’s information together with a request that the company no longer market to the data subject, the company is permitted under the GDPR to keep the data subject’s information in an unsubscribe list to the extent that it needs to do so in order to ensure that the data subject is no longer marketed to.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. GDPR, Article 17(1)(a).

2. GDPR, Article 6(1)(a)-(f).

3. GDPR, Article 6(1)(a).

4. GDPR, Article 17(1)(c).

5. GDPR, Article 17(1)(d).

6. GDPR, Article 17(1)(e).

7. GDPR, Article 17(1)(f); Article 8(1).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
