Intro: What is meant by a deletion concept and what legal function does it fulfill?
To-Dos: What aspects must be taken into account when implementing deletion periods/deletion concepts?
Statements: What have the data protection supervisory authorities published on the subject of deletion concepts?
A deletion concept is used to determine when, how and by whom personal data is to be deleted in the company.
Deletion periods provide information on when the data must be regularly deleted. Statutory retention obligations must be taken into account. As a rule, these are not to be found in data protection laws, but in tax or commercial laws, for example. In certain cases, however, data must also be deleted regardless of a deletion period - for example, if the person withdraws consent to marketing activities and the data may no longer be lawfully processed for other purposes.
In principle, a deletion concept can be created in various forms (e.g. electronically or on paper). However, it is advisable to make the concept available for document export so that any requests from supervisory authorities can be dealt with quickly and easily.
The concept should be designed and written as clearly as possible (technical terms should always be explained) so that all persons entrusted with the deletion can use it as a working basis.
With regard to the method of deletion, it is crucial to ensure that the data is irreversibly deleted, i.e. that it can no longer be restored after the deletion process in such a way that it can be used to draw conclusions about the person.
Definition and documentation of retention / deletion procedures and periods. A data deletion directive should set out how personal data is deleted once it is no longer needed for the respective legitimate processing purpose. Data deletion concepts might further detail retention requirements related to particular data processing activities.
Implementation of suitable deletion technology. Both data that is accessible via digital means and data that exists in physical form must be deleted in a secure and non-reversible way. The company must install appropriate deletion technology.
Being accountable. In case of doubt, it must be possible to prove that a proper deletion has taken place in the company (so-called accountability).