Data Privacy Inspection at the Home Office
Can an apartment really be inspected to ensure compliance with data protection obligations? If so, by whom?
3 min read
AKARION-Redaktionsteam
March 24, 2026
Violations of data erasure obligations are costly and damage your reputation. How can you ensure compliance?
Headlines about violations of data protection deletion obligations are currently making the rounds. For example, the real estate company Deutsche Wohnen is fighting a fine of EUR 14.5 million for storing tenant data for too long, and the Bremen Police are facing allegations that they deleted personal data from the “Artus” police system too late and only upon request. Violations of data protection deletion obligations are therefore costly and damage one’s reputation.
How, then, can compliance with these sensitive obligations be ensured?
The principle of storage limitation laid down in Article 5(1)(e) of the GDPR states that personal data may be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which it is processed; the permitted storage period must therefore be limited to the minimum necessary. Lack of necessity is not the only trigger: the withdrawal of consent, the lapse of another legal basis, a successful objection to processing, or processing that was unlawful from the outset also obligate the controller to erase the data. The obligation to erase can thus arise from several distinct grounds.
The logic is therefore clear: as soon as a ground for erasure exists, the data in question must be erased. But how, and above all by whom, is the existence of such a ground determined? Must the controller act on its own initiative and check whether a ground for erasure exists, or is it only obligated to do so upon a request by the data subject under Article 17 of the GDPR (the "right to be forgotten")?
The answer is: Both! The controller must independently verify whether a ground for erasure exists during its processing activities. Furthermore, it must also take appropriate action in response to requests for erasure.
To fulfill both the duty to verify and the duty to respond appropriately to requests for erasure, the controller should adopt an internal erasure policy (an erasure concept). In particular, it should specify the time limits for erasing each category of personal data it processes and provide for regular reviews of whether a ground for erasure has arisen. The envisaged time limits for erasure of each category of data must also be recorded in the record of processing activities (Article 30(1)(f) GDPR).
However, when dealing with erasure obligations, the controller must not rely solely on its erasure policy and its record of processing activities. These two tools merely outline the abstract approach to erasure. The erasure objectives set forth therein must then be implemented in practice. To this end, the appropriate technical implementation method must be selected.
Implementing a deletion policy requires appropriate technical data management. First, the company must identify which systems process which data in order to map its internal data flows. Mapping the data flows alone, however, does not yet let the company locate and remove the affected data in each system. For that, the systems must be connected to a central data management service for data deletion. Such a service can then also be used to implement other data subject rights, in particular to respond to requests for access or erasure.
From today’s perspective, there are two practical options for designing such a central service:
Either the service retrieves the data in real time from the individual systems, or
all data (at least of one category) is consolidated by the service into a unified data repository and kept up to date there.
The second alternative has the advantage that the consolidated data can also be used for further analysis purposes (such as automated notifications when individual retention periods are about to expire). It also creates one more copy of personal data, which must itself be kept in sync with the source systems and erased on the same schedule. In either design, connecting the internal deletion service to the individual systems can pose a significant challenge. This is particularly true for exotic systems and in-house developments.
To comply with data protection deletion obligations, therefore, both an abstract plan (i.e., deletion policy and record of processing activities) and practical implementation via a suitable data management service are required.
In addition to the active obligation to erase data, Article 5(2) of the GDPR establishes a general accountability obligation for the controller. The controller must be able to demonstrate to the supervisory authorities that it has complied with its erasure obligations. Every measure taken to minimize data, including a refusal to erase and the reason for it, should therefore be documented in an audit-proof (tamper-evident) form so that it can be verified objectively after the fact.
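The workflow described in the preceding paragraphs (a per-category retention schedule, a central service that pulls records live from connected systems, reviews on the controller's own initiative, Article 17 requests, expiry notifications, and a tamper-evident record of every decision) as an added, self-contained example. This is illustrative code written for this page, not Akarion's product or any code from the original article; the two "systems" (CRM, Ticketing), the categories, the retention periods and the records are constructed for illustration and are not legal advice.

```python
"""Erasure-policy engine with connectors to two simulated systems and a
hash-chained deletion log. Added example; systems, categories, retention
periods and records are constructed, not taken from the page."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Abstract part of the policy: retention in days after the purpose ended.
# The periods are assumed for illustration only.
POLICY = {
    "customer_contract": 10 * 365,   # e.g. a statutory commercial retention period
    "support_ticket": 2 * 365,
    "newsletter_consent": 0,         # nothing to retain once consent ends
}
# Grounds that require erasure regardless of the retention schedule.
IMMEDIATE_GROUNDS = {"consent_withdrawn", "objection", "unlawful"}
TODAY = date(2026, 3, 24)            # fixed "today" so the run is reproducible


@dataclass
class Record:
    system: str
    record_id: str
    subject_id: str
    category: str
    purpose_ended: date | None = None   # None: still needed for its purpose
    ground: str | None = None           # an explicitly recorded ground, if any


class SystemConnector:
    """Minimal connector interface the central service talks to (assumed)."""
    def __init__(self, name: str, records: list[Record]):
        self.name = name
        self._records = {r.record_id: r for r in records}

    def list_records(self) -> list[Record]:
        return list(self._records.values())

    def delete(self, record_id: str) -> None:
        del self._records[record_id]


def erasure_ground(rec: Record, today: date) -> str | None:
    """Return the ground for erasure that applies today, or None."""
    if rec.ground in IMMEDIATE_GROUNDS:
        return rec.ground
    if rec.purpose_ended is None:
        return None
    if today >= rec.purpose_ended + timedelta(days=POLICY[rec.category]):
        return "retention_expired"
    return None


class ErasureService:
    """Central service: real-time retrieval from connectors, erasure where a
    ground exists, and a hash-chained log of every decision (Art. 5(2))."""
    def __init__(self, connectors: list[SystemConnector]):
        self.connectors = connectors
        self.log: list[dict] = []

    def _record(self, **entry) -> None:
        # Each entry commits to its predecessor: editing or dropping one breaks the chain.
        entry["prev_hash"] = self.log[-1]["hash"] if self.log else "0" * 64
        entry["seq"] = len(self.log)
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True, default=str).encode()).hexdigest()
        self.log.append(entry)

    def _decide(self, c: SystemConnector, rec: Record, today: date, on_request: bool) -> str | None:
        g = erasure_ground(rec, today)
        if g:
            c.delete(rec.record_id)
            status = "erased"
        elif not on_request:
            return None                                   # nothing to do in a review
        elif rec.purpose_ended is None:
            status = "refused_still_necessary"            # purpose still running
        else:
            status = "refused_retention_obligation"       # Art. 17(3)(b): period still running
        self._record(action=status, system=c.name, record_id=rec.record_id,
                     subject_id=rec.subject_id, category=rec.category,
                     ground=g, decided_on=today)
        return status

    def run_review(self, today: date) -> list[tuple[str, str]]:
        """Periodic review on the controller's own initiative."""
        return [(c.name, r.record_id) for c in self.connectors
                for r in c.list_records() if self._decide(c, r, today, False)]

    def handle_request(self, subject_id: str, today: date) -> dict[str, str]:
        """Art. 17 request: erase what may be erased, log why the rest is kept."""
        return {r.record_id: self._decide(c, r, today, True) for c in self.connectors
                for r in c.list_records() if r.subject_id == subject_id}

    def expiring_within(self, today: date, days: int) -> list[tuple[str, str, date]]:
        """Notification list: retention periods ending within `days` days."""
        out = []
        for c in self.connectors:
            for r in c.list_records():
                if r.purpose_ended is not None:
                    due = r.purpose_ended + timedelta(days=POLICY[r.category])
                    if today <= due <= today + timedelta(days=days):
                        out.append((c.name, r.record_id, due))
        return out


def verify_log(log: list[dict]) -> bool:
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()
        if e["prev_hash"] != prev or e["seq"] != i or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


def build_demo() -> ErasureService:
    """Constructed sample data: two systems, five records."""
    crm = SystemConnector("CRM", [
        Record("CRM", "c1", "alice", "customer_contract", purpose_ended=date(2015, 1, 1)),
        Record("CRM", "c2", "bob", "customer_contract", purpose_ended=date(2020, 6, 1)),
        Record("CRM", "c3", "bob", "newsletter_consent", ground="consent_withdrawn"),
    ])
    tickets = SystemConnector("Ticketing", [
        Record("Ticketing", "t1", "alice", "support_ticket", purpose_ended=date(2024, 6, 1)),
        Record("Ticketing", "t2", "carol", "support_ticket"),   # still open
    ])
    return ErasureService([crm, tickets])


if __name__ == "__main__":
    svc = build_demo()
    print("review erased:", svc.run_review(TODAY))
    print("bob's request:", svc.handle_request("bob", TODAY))
    print("expiring in 90 days:", svc.expiring_within(TODAY, 90))
    print("log intact:", verify_log(svc.log))
```

The periodic review erases only records with a ground (the expired contract and the withdrawn consent); a data subject's request additionally produces a logged refusal for records still under a retention obligation or still in use, which is the evidence the accountability principle asks for. Tampering with any log entry afterwards makes `verify_log` fail.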
Given the multitude of data protection obligations, it can often be difficult to maintain an overview and avoid diverting too many resources from core business operations to invest in data protection tasks.
That’s why we developed our Akarion GRC Cloud. The data privacy module of the GRC Cloud provides you with the overview you need of your data movements, generates reports and documentation for internal and external audits in a matter of seconds, and supports you in creating deletion strategies and records of processing activities, as well as in handling requests for access and deletion.
Want to learn more? Schedule a no-obligation initial consultation with our team today!