(no title)

GDPR forces you to be able to articulate why you collect or process regulated personal data.

If you provide a service that collects or processes data for fair and transparent purposes, you'll be ok.

Under Article 17, the right of erasure, you're only obligated to delete upon request of the data subject, and only in certain circumstances, the most common being:

- If the data are no longer necessary for the purposes for which they were collected

- If the legal basis for the processing was based solely on consent and no other legal basis exists

- If the processing was based on the balancing test of your "legitimate interests" outweighing the data subject's interests or fundamental rights and freedoms (such as for security or availability), the data subject objects, and your interests don't override theirs

- If you are processing for direct marketing and the data subjects at all

If you're a SaaS provider and they are necessary to meet your availability commitments to your customers, and you can document that necessity, then you're probably going to be able to retain them even if the data subject objects. Data subjects rights are not absolute.

If you're retaining the data for marketing, or based on consent alone, you're going to have to delete them or have a very good excuse for not doing so. If you don't have a great reason, you should probably delete them anyways, or better yet avoid collecting the data in the first place ('data minimization,' Article 5(1)(c)).