In principle, the Controller must delete personal data, i.e. irrespective of a request from the data subject, when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
Where a data subject has given consent to the processing and exercises his or her right to erasure, this is equivalent to a withdrawal of consent. The personal data must be deleted.
If a data subject exercises his or her right to have his or her data deleted, this applies to all personal data which the Controller processes about him or her. Unless the data subject limits the request for deletion to certain data only.
The Controller must inform all recipients (e.g. processors) to whom he has transmitted personal data relating to the data subject of the request for erasure.
Before deleting personal data, however, it is necessary to check whether there are any legal requirements, for example, which oblige the Controller to (further) processing (here: storage in the sense of retention obligations) beyond the deletion request.
If the legal basis for the processing is a contract, the contract could no longer be fulfilled in the event of erasure, which is tantamount to a termination of contract. This means that a personal data is used for several processing operations and consequently a personal data has different deletion or retention periods.
This is regularly the case within the framework of the tax code, tax laws, etc. For example, (employment, purchase) contracts are generally to be kept for 10 years in Germany, 7 years in Austria and 10 years in Switzerland.
Correct deletion requires that the data subject makes use of his or her right of erasure, regardless of whether he or she exercises this right or not (since deletion is a legal obligation):
- It has to be documented where (e.g. in which systems),
- which personal data
- for what purpose
- on what legal basis (lawfulness of processing)
can be saved.
- Who has access to this data
- Who may delete this data.
- Logging of the deletion/destruction.
The data subject must be informed about the deletion periods (storage period) in the context of the information obligations (e.g. website policy).
The Controller has to create a deletion concept. This serves to describe all technical and organisational measures that are necessary to fulfil the data protection obligations in connection with the deletion of personal data at the Controller.
The deletion concept regulates the deletion of electronic data as well as paper documents, of automated as well as non-automated processing and how this deletion is to be carried out. This also regulates the procedure (process description) for requests for deletion by the data subject.
A request for erasure must be complied with immediately, but at the latest within one month.
The erasure – the letter from the data subject, the deletion protocol and, if applicable, the reply letter – must be kept for 3 years as part of the accountability process.
Procedure (rough process flow):
- Inventory (survey of the data category, processing location, storage location);
- Determine deletion periods
(storage obligation, storage right, deletion period);
- create a deletion concept
Professional „What“, technical „How“, responsibility „Who“;
- Implementing the extinguishing concept
Technical and organisational measures;
- Performing and documenting deletion
Data protection is not a product. Data protection is a process.
If you have any questions, contact us: consulting@AdOrgaSolutions.de.
Solutions for professional and expert data protection since 2007.