GDPR - Article 17
gives the data subject the Right to erasure (‘right to be forgotten’)
Paragraph 1, sets out the right, along with the valid reasons to request removal. (They are limited)
Paragraph 2, states that where the data is in the public domain, the controller should take "reasonable" steps to inform other data controllers of the request.
Paragraph 3, states the reasons the request for removal can be turned down. (Paragraph 1 and 2 shall not apply)
Section (b) states "for compliance with a legal obligation ..."
Section (e) states "for the establishment, exercise or defence of legal claims".
The biggest impact of the GDPR is that "You should know your data and your processes
" and "You should keep the data safe
GDPR requires you to have a valid reason for keeping and processing data.
If you don't have a valid reason to keep and process data, why are you?