In principle, the Controller must delete personal data, irrespective of a request from the data subject, when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
Where a data subject has given consent to the processing and exercises his or her right to erasure, this is equivalent to a withdrawal of consent. The personal data must be deleted.
If a data subject exercises his or her right to have his or her data deleted, this applies to all personal data which the Controller processes about him or her, unless the data subject limits the request for deletion to certain data only.

The Controller must inform all recipients (e.g. processors) to whom it has transmitted personal data relating to the data subject of the request for erasure.
Before deleting personal data, however, it is necessary to check whether there are, for example, legal requirements that oblige the Controller to continue processing (here: storage in the sense of retention obligations) beyond the deletion request.

If the legal basis for the processing is a contract, the contract could no longer be fulfilled in the event of erasure, which is tantamount to a termination of contract. This means that an item of personal data is used for several processing operations and consequently has different deletion or retention periods.

This is regularly the case within the framework of the tax code, tax laws, etc. For example, (employment, purchase) contracts are generally to be kept for 10 years in Germany, 7 years in Austria and 10 years in Switzerland.
Correct deletion requires the following, regardless of whether the data subject makes use of his or her right to erasure or not (since deletion is a legal obligation):

  • It has to be documented where (e.g. in which systems),
  • which personal data,
  • for what purpose,
  • on what legal basis (lawfulness of processing)

can be saved.

  • Who has access to this data.
  • Who may delete this data.
  • Logging of the deletion/destruction.

The data subject must be informed about the deletion periods (storage period) in the context of the information obligations (e.g. website policy).
The Controller has to create a deletion concept. This serves to describe all technical and organisational measures that are necessary to fulfil the data protection obligations in connection with the deletion of personal data at the Controller.

The deletion concept regulates the deletion of electronic data as well as paper documents, of automated as well as non-automated processing, and how this deletion is to be carried out. It also regulates the procedure (process description) for requests for deletion by the data subject.

A request for erasure must be complied with immediately, but at the latest within one month.

The documentation of the erasure (the letter from the data subject, the deletion protocol and, if applicable, the reply letter) must be kept for 3 years as part of the accountability process.

Procedure (rough process flow):

  • Inventory (survey of the data category, processing location, storage location);
  • Determine deletion periods
    (storage obligation, storage right, deletion period);
  • Create a deletion concept
    (professional "What", technical "How", responsibility "Who");
  • Implement the deletion concept
    (technical and organisational measures);
  • Perform and document deletion
    (automatic deletion, manual erasure).


Data protection is not a product. Data protection is a process.
