GDPR and Data Suppression

Organisations should maintain a ‘suppression list’ of people who have opted out or otherwise told that organisation directly that they do not want to receive marketing. Note that individuals may ask an organisation to remove or delete their details from a database or marketing list. However, in most cases organisations should instead follow the marketing industry practice of suppressing their details.

Rather than deleting an individual’s details entirely, suppression involves retaining just enough information to ensure that their preferences are respected in the future. Suppression allows organisations to ensure that they do not send marketing to people who have previously asked them not to, as there is a record against which to screen any new marketing lists. If people’s details are deleted entirely, there is no way of ensuring that they are not put back on the database. Deleting details might also breach industry-specific legal requirements about how long to hold personal data.

Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the GDPR, and will also breach e-Privacy Directive if the contact is by phone, text or email.

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.