The data protection dilemma
Limited storage periods vs. fulfilment of accountability pursuant to the GDPR
The GDPR imposes accountability on the controller, who must be able to provide evidence at any time of compliance with the principles governing the processing of personal data. However, the GDPR does not say exactly what that means for the amount of documentation required, nor for how long that ability to provide evidence of compliance must be maintained. On the one hand, it does refer to an essential documentation instrument in the form of the record of processing activities, the required contents of which are clearly defined in Art. 30. But how, for example, are enquiries from data subjects requesting information or erasure to be documented? Observance of the rights of data subjects also falls under the accountability of the controller.
Dealing with requests for information
When it comes to requests for information, the question arises of which data are necessary in order to provide evidence of compliance with the legal requirements. Is it sufficient merely to be able to prove that a request for information has been fulfilled? Does the actual reply have to be archived alongside the copy of the data made available to the data subject? Does the request made by the data subject have to be stored in its actual wording? What is the situation with regard to 'analogue' enquiries received by letter? May analogue information be digitised for the purposes of archiving (which in turn would constitute processing in its own right within the meaning of the GDPR)?
Carrying out requests for erasure
With regard to requests for erasure, accountability could give rise to the paradox that, under certain circumstances, more data would have to be stored to document a legitimate request for erasure than were actually present before the request was made. That could, for example, be the case if the idea that it must also be possible to show which data were actually erased (or earmarked for erasure) is followed to its logical conclusion. Taking into account the basic principles of data minimisation and storage limitation, controllers may be faced here with a dilemma that cannot easily be resolved.
Nor does the GDPR specify a deadline by which accountability must be rendered, which means that, as a matter of basic principle, the ability to provide evidence of compliance applies 'always'. Having said that, it may also be necessary to apply the principle of proportionality under Art. 51(1), second sentence, of the Charter of Fundamental Rights of the European Union to the clash between the supervisory data protection authorities' need to supervise and the controller's interest in keeping requirements to a level he can reasonably be expected to meet. Under those circumstances, the controller might not have to fulfil obligations to provide evidence if they could be considered disproportionate. From a practical point of view, however, a realistic time limit may be derived from national regulations.
The periods of limitation for possible fines or for claims for compensation by data subjects are determined by national regulations. In Germany, these are as a rule three, ten or even thirty years, so controllers at least no longer have any consequences to fear once these periods have expired, since they can plead limitation. However, there has not yet been a court judgement on the admissibility of using these periods as a reference. Having said that, they may serve a company as a valid argument for compliance with – and temporal limitation of – accountability.