GDPR: Do all personal data have to be deleted?

Personal data is information about a specific or identifiable person. Telephone numbers, credit card and employee numbers, but also e-mails or a license plate number are examples of personal data.

Article 17 of the General Data Protection Regulation (GDPR) is clear: every controller is obliged to delete personal data once it is no longer required. “Indefinite storage of personal data is not permitted. There are, however, exceptions to the obligation to delete in certain cases,” explains the experienced data protection specialist Dr. Jörn Voßbein, pointing to the provisions of Art. 17 Para. 3 GDPR. Which exceptions are possible? A closer look is worthwhile in any case and helps ensure behavior that complies with data protection law.

The principle is: personal data may only be stored and processed for as long as it is required for the purpose defined in each case. Once that purpose no longer exists, the data must be deleted, provided that deletion does not conflict with any statutory retention period. If a law defines a retention period, the data may only be deleted after that period has expired. In practice this means that most e-mail correspondence can and must be deleted promptly, unless internal requirements or legal retention obligations (e.g. where e-mails count as business letters) require longer storage.

Are there exceptions? According to Art. 17 Para. 3 GDPR, the obligation to delete personal data does not apply if the data is required to assert, exercise or defend legal claims. This covers both judicial and extrajudicial proceedings. In addition, deletion is exceptionally not required

    • if the data is not stored in IT (e.g. paper files), deletion would only be possible with disproportionate effort and the interest in deletion is to be regarded as low,
    • if the person responsible has reason to believe that erasure would adversely affect interests of the data subject that are worthy of protection, or
    • if statutory or contractual retention periods prevent deletion.

What should be done in such a case? The data may then have to be marked as “restricted for processing”. Once processing has been restricted, the personal data may only be processed to assert, exercise or defend legal claims, to protect the rights of another natural or legal person, for reasons of important public interest, or alternatively with the consent of the data subject.

Recommendation: “Retention periods must be specified for all categories of personal data, even if this is not always trivial,” recommends UIMC Managing Director Dr. Jörn Voßbein. One thing is certain: storage for an unlimited period of time is not permitted under any circumstances. UIMC therefore advises everyone responsible for handling personal data to define deletion periods and to group the data into clusters. Once the retention periods have expired, the personal data must be deleted. Dr. Voßbein also has a tip ready: “The necessary information can be found in the record of processing activities… if it is maintained.”
