Realisation of the duty to erasure
Lawful processing of personal data requires a legal basis, and the processing may last only as long as it is necessary to fulfil the purpose for which the personal data was collected. Afterwards, the personal data must be erased. This document describes the processes you should implement to fulfil this duty.
Permitted period for storing personal data
The legal basis for the processing of personal data is usually the GDPR or the German data protection law (BDSG). Company agreements or collective labour agreements can also serve as the legal basis for processing personal data.
Before collecting personal data, it is therefore necessary to ensure that an applicable legal basis exists. A legal basis applies, for example, if the data subject has given consent to the processing, or if the processing is necessary for compliance with a legal obligation or for the performance of a contract. Until the purpose is fulfilled, the processing of the personal data is lawful. In the case of an order of goods, the purpose of collecting the address data is fulfilled when the order is delivered.
When do you need to delete personal data?
After the purpose of the processing is fulfilled, personal data usually needs to be erased. However, there is often a reason to store the data longer. One possible reason is that a new legal basis applies because a new or changed purpose for the processing exists. If the address data is collected for the order process and the recipient agrees to receive advertising from the company, the company may continue to process the address data after delivery of the order in order to send advertisements.
Even after every purpose is fulfilled, a check for possible legal storage obligations should be performed. Such obligations regularly exist, and in that case further storage is necessary. Typically, these obligations arise from tax and commercial law statutes.
In the case of the order process described above, the personal data may be stored until the limitation period has expired. Usually, this period is three years, starting at the end of the year in which the order was placed. The reason for this is the possibility of legal disputes related to the order. If commercial or business letters were created because of the order, those letters must be stored for six years.
When no applicable legal basis exists and the period of the legal storage obligations is over, the personal data must be erased.
Here you can find an overview of deletion periods for HR data.
Duty to provide an erasure concept
Art. 5 sec. 2 GDPR provides a de facto obligation to have a concept for the erasure of personal data.
Art. 5 sec. 1 let. e GDPR establishes the principle of storage limitation. Together with the principle of purpose limitation in Art. 5 sec. 1 let. b GDPR, the duty of erasure follows from it. Art. 17 GDPR additionally provides the data subject with the right to obtain erasure of personal data. Due to the accountability obligation in Art. 5 sec. 2 GDPR, the controller needs to be able to demonstrate compliance with these provisions. Therefore, the controller needs to document the personal data contained in its IT systems, the purposes of the processing, the storage and erasure periods, and proof of the erasure. In other words: an erasure concept.
How to create this concept
The basis for creating the concept for erasure of personal data is an overview of the IT systems and of all processing of personal data. Afterwards, the specifically affected personal data and its categories are assigned to the respective IT system and process. For each category of personal data, the duration for which the purpose of the processing exists needs to be determined. The period of storage after the purpose has been fulfilled also needs to be defined.
Here you can download our sample.
What happens if the personal data is erased too late or not at all?
A violation of the principles of storage and purpose limitation can lead to a fine of up to 20 million euros or up to 4% of the worldwide turnover of the company. In 2019 the responsible data protection officer of Berlin fined the company “Deutsche Wohnen” 14 million euros for violating the duty to erasure, the highest fine in Germany to date. The legal proceedings about the fine are still ongoing, and the fine is not yet legally binding.