by littlestymaar 752 days ago
Not erasing your emails after some time (or at least not removing the sender or recipient email address) is also a GDPR violation (because email addresses are personal information).

Source: a privacy compliance lawyer working at a billion-dollar European corporation told me that one day.

1 comments

That would make sense only if the owner of that address is not an ongoing customer of yours.
It's for as long as necessary to serve the purpose. If you're brought to court, you could either argue that you still need it for your specific use case, or you can point to some internal procedure to delete stuff that's way past the point of usefulness and say that you're already complying.

And as the parent comment said, you don't really have to delete them at all; keeping some sort of a copy that you ran through some sort of a personal data removal tool also works.

Example: years-old closed support tickets. You'll never need to know exactly who made them, but you might wanna reference some info from them.

But an ongoing customer would have newer emails that don’t get deleted over time.