I have started to send GDPR art. 17 data deletion requests to some companies using https://yourdigitalrights.org/ . Mostly, to avoid my e-mail leaking in a data breach. However, the template contains a line stating:
Please note that I do not consent to any personal data which is part of this request to be used for any purpose other than fulfilling this request, except in the case of a suppression list, which you may keep in order to ensure that you do not collect any of my personal data in the future.
This means that my e-mail address is still stored (from what I can find sometimes hashed, sometimes in plaintext) in their database. As far as I can find, they are not required to delete it from the suppression list if I ask, but still; isn’t it extremely counter-productive to explicitly state that it’s okay for them to store it in a suppression list (where it can still leak)? Is there any downside to stating in the request that I wish for it to be deleted from there as well?
Companies are still allowed to store data and not delete it depending on the purpose… Being able to demonstrate that they complied with your request by keeping the associated email would be a fair exemple.