Data protection requirements for erasure concepts
The General Data Protection Regulation (GDPR) imposes strict requirements on the processing of personal data. These requirements are usually associated with the collection and storage of personal data. The fact that they also apply to, and indeed oblige, the erasure of legacy data is often overlooked and still not taken into account in corporate practice. The blocking and erasure of personal data are also the subject of audits and complaints by supervisory authorities and can lead to significant fines in the event of violations, as evidenced, for example, by fines of EUR 400,000 imposed by the French data protection supervisory authority CNIL and EUR 160,000 imposed by the Danish data protection supervisory authority. Because statutory retention periods exist at the same time and unlawful erasure of data is itself sanctionable, the proper erasure of data is an extremely complex matter for many companies. It is therefore all the more important to develop an erasure concept tailored to the company in order to meet the requirements for the regular erasure of data in compliance with the GDPR.
What is an erasure concept?
The obligation not to store personal data beyond the achievement of the purpose follows from reading together the principle of storage limitation in Article 5(1)(e) GDPR and the principle of purpose limitation in Article 5(1)(b) GDPR. Personal data should only be kept for as long as is necessary to achieve the respective purpose of the processing. To ensure this, the stored data must be regularly checked to determine whether they are still required to achieve the purpose and, if not, erased.
An erasure concept defines the rules for the regular erasure of personal data by the controller. It must be taken into account that an erasure concept is as individual as each individual company, as even small deviations in processing can lead to different erasure periods. A precise analysis of the respective processing operations and the categories of personal data processed is therefore essential when creating an erasure concept.
Steps for the development of an erasure concept
Despite the required individual approach to the creation of the concept, some steps can be enumerated that are relevant in the development of any erasure concept:
1. Identification of the personal data to be deleted
For this purpose, so-called "data types", such as master personnel data or contractual data, should first be identified. The purpose of the data processing can serve as a guideline. Each data type is then assigned "data objects"; in the example of master personnel data these would be the personnel number, the first and last name, the date of birth, etc.
2. Identify the IT systems holding data and the data flows between them
Both parts of this step are essential for erasing personal data sensibly and without harm to the company: only if the company knows where the data are located, which systems use them and what interdependencies exist can the data be reliably erased.
3. Definition of parameters for the respective erasure periods
This is a core element in the creation of an erasure concept. In addition to the purpose of the data collection and, if applicable, alternative purposes, legal retention obligations such as those in § 147 of the German Tax Code (AO) and § 257 of the German Commercial Code (HGB), as well as retention rights (limitation periods for warranty claims, IT security measures such as back-ups, etc.), must be taken into account. It is crucial to find the right granularity. The grid must not be too coarse, because the erasure requirement always refers to a specific date. Accordingly, the Dresden Higher Regional Court recently held in its decision of 14 December 2021 that, within the framework of the retention obligations, the retention period should not be tied to the documents themselves (with all the data contained therein) but rather to the individual data in question. Therefore, in the opinion of the Court, within one and the same document the data not covered by a retention obligation must be erased, while the other data must be retained.
4. Determination of responsibilities in the erasure process
Here, a role and rights concept is useful to define in an organisational process the person responsible for checking, ordering and carrying out the erasure.
5. Technical implementation of the erasure concept
The technical implementation in turn shapes the erasure concept: because erasure is carried out regularly, individual erasure processes can be clustered into scheduled runs. If erasure processes cannot be carried out with reasonable deadline accuracy, it must be determined how much maneuvering room exists. Back-ups must also be included in the technical implementation of the erasure concept.
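As an added illustration of steps 1, 3 and 5 (not code from the original article), the following Python sketch assigns each data object of a data type its own retention rule, computes the erasure date per data object from the event that ends the purpose, splits one record into objects to erase and objects to keep (the field-level granularity described above), and clusters due erasures into scheduled runs within a tolerated delay. The data type, data objects, trigger events and retention periods are constructed assumptions, not the statutory figures.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RetentionRule:
    trigger: str   # event the retention period runs from (purpose achieved, e.g. contract end)
    years: int     # period after the trigger; 0 means erase as soon as the purpose is achieved
    basis: str     # purpose or statutory basis, for documentation only

# Constructed data type "master personnel data" with its data objects (step 1).
# All periods are illustrative assumptions, not the statutory figures of AO/HGB.
PERSONNEL_RULES: Dict[str, RetentionRule] = {
    "personnel_number": RetentionRule("contract_end", 10, "assumed: payroll records"),
    "name": RetentionRule("contract_end", 10, "assumed: payroll records"),
    "date_of_birth": RetentionRule("contract_end", 3, "assumed: limitation period"),
    "private_phone": RetentionRule("contract_end", 0, "purpose ends with contract"),
    "application_photo": RetentionRule("hiring_decision", 0, "purpose ends with decision"),
}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, month=3, day=1)

def erasure_date(rule: RetentionRule, events: Dict[str, date]) -> Optional[date]:
    """Due date for one data object; None while the purpose is not yet achieved."""
    trigger = events.get(rule.trigger)
    return None if trigger is None else add_years(trigger, rule.years)

def erasure_plan(record: List[str], rules: Dict[str, RetentionRule],
                 events: Dict[str, date], today: date) -> Tuple[List[str], List[str]]:
    """Split one record into data objects to erase now and data objects to keep."""
    erase, keep = [], []
    for obj in record:
        if obj not in rules:  # every data object needs a rule; a missing one is a gap in the concept
            raise KeyError(f"no retention rule defined for data object {obj!r}")
        due = erasure_date(rules[obj], events)
        (erase if due is not None and due <= today else keep).append(obj)
    return erase, keep

def assign_run(due: date, runs: List[date], max_delay_days: int) -> Optional[date]:
    """Step 5: cluster erasures into scheduled runs. Returns the first run on or
    after the due date if it lies within the tolerated delay, else None."""
    for run in sorted(runs):
        if run >= due:
            return run if (run - due).days <= max_delay_days else None
    return None
```

A `None` from `assign_run` signals that the run schedule cannot meet the deadline for that object and the schedule (or the tolerated delay) must be revisited rather than the erasure silently deferred.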
Requirements for the erasure itself
Last but not least, there is the question of when data is "erased" within the meaning of the GDPR. The concept of erasure is not defined in the GDPR itself. From a legal perspective, however, erasure means "permanently rendering stored personal data unrecognisable by means of appropriate processes". It is important to note in this context that once such information has been rendered unrecognisable, it must no longer be possible for anyone to recover the information in question without disproportionate effort, and that the procedure used for erasure must be irreversible.
The proper and regular erasure of data, like the lawful collection and storage of data, is part of data processing in compliance with the law. It is precisely the principles for processing personal data set out in Article 5 GDPR, such as purpose limitation, data minimisation and storage limitation, that make the erasure of data that are not (or no longer) required a core obligation of the controller. In order to avoid being targeted by data protection supervisory authorities, companies should therefore develop an erasure concept tailored to their individual processing operations and integrate it into their processes.