A data deletion framework refers to a structured set of guidelines and procedures governing an organization’s adherence to deletion obligations according to data protection and statutory laws, as well as its processes for managing and executing the deletion of personal data.
Essentially, a data deletion framework entails the systematic classification of personal data along with corresponding retention periods. It should represent a lucid and all-encompassing strategy outlining how the organization intends to identify, classify, and expunge personal data in accordance with the stipulations of the General Data Protection Regulation (GDPR) as well as national laws. Rather than being an extensive document, a data deletion framework presents an overarching view of all processing activities of the individual departments related to the processing of personal data and serves as the practical implementation of deletion routines. These routines are developed to fit the specific requirements and circumstances of a particular organization, taking into account its pre-existing procedures, systems, and processes.
In the course of developing a data deletion framework, the following steps must be duly considered:
1. Comprehend the legal obligations
In formulating a data deletion strategy, it is imperative first to consider carefully both national and European/International legal frameworks, depending on the scope of the deletion framework.
The GDPR does not proffer fixed retention periods, yet under the storage limitation principle (Art. 5 para. 1 lit. e GDPR) it requires that personal data be deleted when it is no longer necessary in relation to the purposes for which it was initially collected. In addition, pursuant to Article 5 para. 1 lit. d of the GDPR, personal data must be deleted if it is found to be inaccurate and cannot be rectified. What is more, the concept of deletion is enshrined in Art. 17 of the GDPR. Deletion is warranted when there is no legal basis for processing, when a data subject withdraws the consent underpinning processing, when a data subject lodges objections against processing, or when personal data has been unlawfully processed. Exceptions to these deletion criteria are outlined in Article 17 para. 3 of the GDPR. Under this provision, exceptions to the obligation to delete data can be invoked, among other cases, where personal data is imperative for the fulfillment of legal obligations (e.g., stipulated legal retention periods) or where the data is indispensable for asserting, exercising, or safeguarding legal claims.
Beyond the GDPR, national legislation similarly imposes obligations regarding data deletion. For certain data categories, such as tax-related and payroll data, specific national laws delineate precise retention periods; for example, § 147 Abs. 1 Abgabenordnung regulates the retention period for tax documents in Germany. In instances where no such statutory provisions exist, consideration must be given to limitation periods for potential legal claims. For example, unsuccessful job applicants’ application documents are retained for a specified duration (e.g., six months in Germany) to enable the company to defend against potential legal claims, particularly those related to discrimination in the application process, as per the General Equal Treatment Act (AGG).
2. Identification of data sources and storage systems
The second step entails the identification of the systems where personal data is stored, which encompasses internal folders, software repositories, and external storage devices like USB drives. It is imperative to distinguish between global and local systems, aligning this separation with the intended scope of the forthcoming deletion framework.
3. Identification of the Data Types
The third step involves the comprehensive identification of personal data gathered and processed within each department of the organization, encompassing data in both electronic and physical formats. Once each department’s collected data types are discerned (e.g., CVs, invoices, pay slips, and meeting notes), these can be grouped into broader data categories (e.g., personnel data, accounting data, invoice data). Data intended for a unified purpose, stored in the same data repository, and having the same retention period could form a data category.
4. Determination of Applicable Retention Periods
Upon the identification of the personal data processed, it becomes crucial to rigorously ascertain the retention periods prescribed by the applicable law. This determination involves assessing whether the personal data remains necessary for the original purpose of collection, verifying if the data subjects have revoked their consent, and establishing any legal obligations dictating data retention.
Key questions to facilitate this determination include the following:
- Why is the personal data being processed?
- What is the duration required to fulfill the purpose of processing?
- Has the purpose been achieved?
- Do compelling justifications for prolonged data retention exist?
Furthermore, it is essential to consider local statutory regulations that may specify distinct retention periods for specific data categories. This step also entails an examination of the existing retention periods for data collected by the organization, as well as of the necessity to establish new retention periods. Equally crucial is the removal of data that is unequivocally no longer required, such as data pertaining to former employees.
5. Documentation of deletion
The capability to furnish evidence of data deletion to the supervisory authority is of utmost importance. This raises the question of how to effectively document the deletion of personal data. It is advisable to maintain a standardized deletion log, which meticulously records the instances of data deletion. This uniform documentation serves the dual purpose of reducing redundancies and expediting the removal of superfluous data.
6. Implementation of Technical and Organizational Measures
Efforts must be made to implement technical and organizational measures that guarantee the secure and timely deletion of personal data. This encompasses providing comprehensive training to personnel with regard to GDPR requirements, implementing access controls for personal data, and ensuring the secure and irretrievable deletion of personal data.
7. Regular Review and Update of the Deletion Framework
To ensure ongoing compliance with GDPR requirements, it is incumbent upon the organization to periodically review and update its deletion concept. This process includes revisiting the personal data held by the organization and making necessary amendments to the deletion criteria.
The development of a deletion framework is pivotal in ensuring that organizations are in compliance with data protection and statutory law requirements. By diligently adhering to the steps delineated above, a clear and comprehensive concept can be formulated, which mitigates the risk of non-compliance for organizations. Proactive management of the removal of outdated datasets ensures compliance, upholds the privacy rights of individuals, and assures the secure and timely deletion of personal data.