May an organization keep personal data pseudonymized after an erasure request?

In a ruling of Jan. 7, 2026, the Brussels Market Court nuanced the rules regarding the ‘right to oblivion’ (right to data erasure). The key question was whether a debt collection agency is obliged to erase all data of a wrongfully contacted person, or whether the agency may keep certain data pseudonymized to prevent the person from being wrongly contacted again in the future. The Court held that keeping minimal data to prevent future errors may be justified under an exception in the General Data Protection Regulation (GDPR).

The facts and background

The case revolves around a collection agency that acts for creditors. In 2017, a consumer (the plaintiff) received a reminder for an invoice that had, however, already been waived due to an error. The complainant then requested the erasure of his personal data.

The collection agency confirmed the erasure, but due to human error, the data was later re-entered and the complainant again received unwarranted payment requests in 2018. After complaining to the Data Protection Authority (DPA), the agency adjusted its procedures. Instead of complete deletion, the agency chose to pseudonymize the data. This left limited data (city, customer reference, invoice number) in a sort of “blocking list” to prevent accidental re-creation of the file.

The DPA Litigation Chamber initially ruled in a decision dated June 5, 2025 (91/2025) that this was a violation of Article 17 GDPR (right to data erasure) and still ordered the complete destruction of the data. The collection agency appealed this to the Market Court.

Market Court decision

The Market Court overturned the DPA's decision and ruled in favor of the collection agency.

The Court first confirmed, citing EU Court of Justice case law, that pseudonymized data is still personal data. As long as the organization has the means to reconnect the data to a person (re-identification), the GDPR applies. Because the debt collection agency possessed the key to re-identification, the data in principle remained personal data covered by the right to erasure.

However, the Court then ruled that the collection agency was justified in relying on an exception in the GDPR, namely Article 17.3(b). This article provides that data need not be deleted if the processing is necessary to comply with a legal obligation.

The Court reasoned as follows:

• The purpose of keeping the limited dataset was to avoid future violations of the GDPR (such as wrongfully writing to the complainant again).
• Complete deletion would carry the risk that if a new (erroneous) order were placed by a customer, the complainant would be harassed again.
• The impact of unjustified reminders on the data subject outweighs the impact of keeping data pseudonymized in a ‘blacklist.

Legal analysis and interpretation

This ruling provides an essential clarification for data protection practice in Belgium. The Market Court here applies the proportionality principle within the strict framework of Article 17 GDPR.

Pseudonymization is not anonymization

The ruling reaffirms the recent line taken by the European Court of Justice (Case C-413/23 P, EDPS) that pseudonymization is not a “safe harbor” that places data outside the GDPR. If the data controller has additional data that enables identity identification, it remains personal data. Thus, organizations cannot simply evade obligations by encrypting data if they themselves hold the key.

The legal processing obligation as a safety net (Art. 17.3 GDPR)

The innovative aspect of this ruling is the application of Article 17.3(b) GDPR. The Court implicitly recognizes that an organization may (and sometimes must) maintain a “negative list” to protect the data subject's rights in the future. Paradoxically, certain records must be retained to ensure the privacy and peace of mind of the data subject. This is seen as part of the legal obligation to handle personal data carefully and prevent unlawful processing (such as wrongful collection).

The Market Court corrected the DPA, which had argued that this exception had not been invoked. The court held with full jurisdiction that the agency's defense did show factually why detention was necessary, even though the section of the law was not explicitly mentioned at first.

What this specifically means

This ruling has implications for several industries, particularly debt collection, marketing and fraud prevention.

• For companies and data controllers: You are not always required to blindly destroy all data in the case of a “right to be forgotten.” If deleting data would lead to a risk that you might inadvertently re-engage the data subject later (for example, in marketing do-not-contact lists or disputed debts), you may keep minimal data. Just make sure this data is strictly pseudonymized and used only for that purpose.
• For the Data Protection Officer (DPO): Clearly document why certain data is retained after an erasure request. The argument should be that it is necessary to prevent future breaches or errors (compliance).
• For consumers: Your right to erasure is not absolute. A company may refuse to erase your data completely if it is necessary to ensure that you are not harassed in the future. This is in your best interest.

Frequently Asked Questions (FAQ)

Is pseudonymized data the same as anonymous data?
No. With anonymous data, the person is irreducible and the GDPR no longer applies. With pseudonymized data, the data is encrypted, but the organization can still find out who it is with a ‘key’ (additional data). Therefore, the GDPR continues to apply.

Can a company refuse to delete my data if I request it?
Yes, in specific cases. Article 17.3 GDPR provides exceptions, for example when the processing is necessary to comply with a legal obligation, for the public interest, or for the institution of legal proceedings.

Why did the judge rule that data retention was better in this case?
The court ruled that complete erasure risked the consumer being wrongly written to again due to a mistake on the part of the principal. By keeping minimal data on a blocking list, the collection agency can immediately filter and stop future erroneous files.

Conclusion

The Market Court ruling of Jan. 7, 2026, shows that the GDPR is not black and white. The right to be forgotten must give way when the retention of limited data is necessary precisely to prevent further breaches of privacy. For organizations, this is confirmation that maintaining ‘suppression lists’ or blocking lists is legally defensible, if properly substantiated.