Hacker News
by Xylakant 3035 days ago
The GDPR does not require deletion of all user data on request. There’s still data that can and must be preserved, for example business records, thus records of sale. A recall should be possible with those records. The customer might request that these records cannot be used for unrelated purposes, though.

What if the user requests to be put on a do-not-send list (for email newsletters, etc)? Is that data that can and must be preserved?
You’re generally allowed to keep data that is required to provide a service. So in my understanding, yes, if you provide such a service and the user requests that, you should generally be allowed to keep that info _for exactly that purpose_. You can’t use it for anything else though.