A perennial topic among the data protection issues is the deletion of personal data. We regularly receive inquiries on this topic. In the following, we would like to answer some of the most frequently asked questions.
When do I have to delete personal data?
There are no rigid retention periods in the GDPR, but the GDPR provides with Art. 17 GDPR a concrete list of reasons which shall obligate the responsible to erase personal data without undue delay.
In principle, personal data shall be deleted where the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed, there is no legal basis for the processing, the data subject withdraws its consent on which the processing is based on, the data subject objects to the processing which is based on Art. 6 (1) lit. e or f GDPR, or the personal data has been unlawfully processed. Exceptions to the deletion obligation can be made in cases of personal data being necessary for the fulfilment of a legal obligation to which the Controller is subject to (legal retention periods) or if the data is required for the establishment, exercise or defense of legal claims.
What does deletion of data mean / What is the scope of deletion?
Deletion means either the physical destruction (e.g. Shredding) or the technical erasure of data (e.g. complete overriding of entire data media). Anonymization of a data record, meaning the modification of personal data in such a way that these data can no longer be attributed to an identified or identifiable natural person, or only with disproportionate expenditure of time and cost, can also be considered as a GDPR-compliant deletion.
Deletion can therefore take place in different ways. The result of the deletion process is decisive -the factual impossibility to perceive the information previously embodied!
Do I have to differentiate between individual data records?
Yes, due to different retention obligations. Data records should in principle be deleted independently of each other. It is therefore necessary to differentiate between individual data records. We recommend to implement a deletion concept, categorizing each personal data and the respective retention periods that apply.
Do I have to proove that I deleted personal data?
We recommend to log destruction or deletion of the data for verification purposes, especially in cases of data subject requests.
Good to know: Data subject requests may be stored for a time period of up to 3 years in order to be able to prove to the supervisory authority that you have complied with the request.
Who is responsible for deletion of personal data?
In general, the Controller of the processing activity is responsible for the deletion of data. We recommend companies to implement automatic deletion procedures and automatic deletion routines in the systems. Please keep in mind that companies may not invoke the fact that deletion is impossible for technical reasons. Companies may only use technology that allows data to be deleted in a manner that complies with data protection regulations by means of appropriate functionalities (principle of privacy by design).
A manual deletion shall be carried out by each department. For example, you can introduce “Cleaning Days “, on which documents, email accounts etc. can be reviewed for ceasing retention periods or omission of the purpose for which the data was collected and personal data be deleted accordingly (e.g. one hour every month on Monday morning).
If data was transferred to a service provider the service provider should be instructed by the Controller to delete the personal data. Checks should be carried out to ensure that the defined deletion deadlines are actually met.