Obligation to Delete vs. Burden of Proof
In practice, CSA senders and their customers are faced with the problem that a recipient of an email (= data subject) can demand the deletion of their data, while at the same time the possibility exists that proof of the data subject’s previous consent may need to be produced at some stage in the future. Such a situation might arise if the data subject seeks legal redress directly or through associations that are authorized to institute legal proceedings, if the data protection authorities are involved, or in connection with participation in the CSA. If all data of the data subject were to be deleted, the required proof of consent can necessarily no longer be produced.
It is beyond dispute that there is fundamental tension between a data controller‘s obligation to delete and the burden of proof of a sender for consent data. So, what must and can a sender or the customer do? The following information based on the General Data Protection Regulation (GDPR) is designed to give practical orientation.