Data protection requirements for erasure concepts

The General Data Protection Regulation (GDPR) imposes strict requirements on the processing of personal data. As a rule, these requirements are primarily associated with the collection and storage of personal data. However, the fact that they also apply to, and even require, the erasure of legacy data is often overlooked and still not taken into account in corporate practice. The blocking and erasure of personal data are also the subject of audits and complaints by supervisory authorities, and violations can lead to significant fines, as evidenced, for example, by fines of EUR 400,000 imposed by the French data protection supervisory authority CNIL and EUR 160,000 imposed by the Danish data protection supervisory authority. Because statutory retention periods apply at the same time and the illegal erasure of data is itself punishable, the proper erasure of data is an extremely complex matter for many companies. It is therefore all the more important to develop an erasure concept tailored to the company in order to meet the requirements for the regular erasure of data in compliance with the GDPR.

What is an erasure concept?

The obligation not to store personal data beyond the achievement of the purpose follows from reading together the principle of storage limitation in Article 5(1)(e) GDPR and the principle of purpose limitation in Article 5(1)(b) GDPR. Personal data should only be kept for as long as is necessary to achieve the respective purpose of the processing. To ensure this, the stored data must be regularly checked to determine whether they are still required to achieve the purpose and, if necessary, erased.

An erasure concept defines the rules for the regular erasure of personal data by the controller. An erasure concept is as individual as the company it is written for, because even small deviations in processing can lead to different erasure periods. A precise analysis of the respective processing operations and the categories of personal data processed is therefore essential when creating an erasure concept.

Steps for the development of an erasure concept

Although each concept requires an individual approach, some steps are relevant in the development of any erasure concept:

1. Identification of the personal data to be deleted

For this purpose, so-called “data types”, such as master personnel data or contractual data, should first be identified. The purpose of the data processing can be used as a guideline. These data types are then assigned “data objects”; in the example of master personnel data, these are the personnel number, the first and last name, the date of birth, etc.

2. Identify the IT systems holding data and the data flows between them

In order to delete personal data sensibly and without harm to the company, both steps are essential: only if the company knows where the data are located, which systems use the data and what interdependencies exist can the data be reliably erased.

3. Definition of parameters for the respective erasure periods

This is a core element in the creation of an erasure concept. In addition to the purpose of the data collection and, if applicable, alternative purposes, legal retention obligations such as those in § 147 of the German Tax Code (AO) and § 257 of the German Commercial Code (HGB) as well as retention rights (limitation periods for warranty claims, IT security measures such as back-ups, etc.) must be taken into account. It is crucial to find the right granularity. The grid must not be too coarse, because the erasure requirement always refers to a specific date. Accordingly, the Dresden Higher Regional Court recently held in its ruling of 14 December 2021 that, within the framework of the retention obligations, the assessment should not be tied to the documents themselves (with all the data contained therein) but rather to the individual data in question. Therefore, in the opinion of the Court, within one and the same document, for example, the data not covered by a retention obligation must be erased, while the other data must be retained.

4. Determination of responsibilities in the erasure process

Here, a role and rights concept is useful for defining, as part of an organisational process, who is responsible for checking, ordering and carrying out the erasure.

5. Technical implementation of the erasure concept

The technical implementation affects the erasure concept because regular erasure allows erasure processes to be clustered. If erasure processes cannot be carried out with reasonable deadline accuracy, it must be determined how much room for manoeuvre there is. Back-ups must also be included in the technical implementation of the erasure concept.

Requirements for the erasure itself

Last but not least, there is the question of when data is “erased” within the meaning of the GDPR. The concept of erasure is not defined in the GDPR itself. From a legal perspective, however, erasure means “permanently rendering stored personal data unrecognisable by means of appropriate processes”. It is important to note in this context that once such information has been rendered unrecognisable, it is no longer possible for anyone to recover the information in question without disproportionate effort, and that the procedure used for erasure is irreversible.

Conclusion

The proper and regular erasure of data, like the lawful collection and storage of data, is part of data processing in compliance with the law. It is precisely the principles for processing personal data set out in Article 5 GDPR, such as purpose limitation, data minimisation and storage limitation, that make the erasure of data that are not (or no longer) required a core obligation of the controller. In order to avoid being targeted by data protection supervisory authorities, companies should therefore develop an erasure concept tailored to their individual processing operations and integrate it into their processes.
