The way to an erasure concept according to the GDPR

According to the General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG-neu), data controllers must comply with requirements for the deletion of personal data. In order to keep an overview of which personal data is processed in an organisation, every organisation should create a so-called "erasure concept".

When designing the erasure concept, there are no legal requirements as to what an erasure concept should look like. It is recommended that companies and organisations follow DIN 66398, the "Guideline for the development of an erasure concept with derivation of erasure periods for personal data".

In the following article we explain which components an erasure concept must have and how you can implement it.

Most important information about the erasure concept

  • With the GDPR, there is a "right to be forgotten", which means that individuals have the right not to have their personal data stored without a purpose and to have it deleted under certain conditions.
  • Requirements from the GDPR and the BDSG-neu must be addressed in the erasure concept
  • Neither the BDSG-neu nor the GDPR regulates in detail how an erasure concept must be structured; DIN 66398 has therefore become established for implementing the erasure concept
  • Further legal requirements may stand in the way of erasure and must also be observed
  • Measures in connection with the erasure concept must be documented and, in the event of a review by the supervisory authority, a company's erasure concept will be reviewed

Whitepaper: Implementing a Directory of Processing Activities in compliance with the GDPR

In the whitepaper you can find the way to a deletion concept according to the GDPR:

  • Definition of the erasure concept and of relevant terms
  • Legal requirements and standards for implementing the erasure concept
  • 7 steps for the preparation of the erasure concept
  • Sample of a completed erasure class

What is an erasure concept?

An erasure concept defines in a systematic and standardised way how personal data in a company are deleted when their retention period has expired. The BDSG-neu and the GDPR require the erasure of personal data if:

  • The data are no longer required
  • Their intended use is fulfilled
  • The data subject requests deletion

In these cases, the erasure concept regulates who deletes this data at what time.

Why is it useful to work with an erasure concept?

On the one hand, implementing an erasure concept is not optional but required by law, because every company must comply with the right to be forgotten (Art. 17 GDPR). In addition to the legal obligation, it also makes sense to work with an erasure concept. The complex interplay of processing activities, types and categories of data used, retention obligations and erasure periods can hardly be depicted or complied with without an erasure concept.

Personal data is processed in every company and authority. An erasure concept supports data controllers in maintaining an overview of obligations under the GDPR.

Legal requirements and standards for the erasure concept

Storage limitation of personal data

Article 5 of the GDPR sets out principles for the processing of personal data. Article 5 (1) (e) contains special regulations on the subject of storage limitations. These state that personal data may only be stored as long as it fulfils the purpose for which it was collected. After that, the personal data is no longer required and must be deleted.

"Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. Personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject."

Right to be forgotten

Article 17 of the GDPR defines the grounds on which data controllers must erase personal data (Article 17(1) of the GDPR), the measures data controllers must take (Article 17(2) of the GDPR) and the exceptions in which personal data need not be erased (Article 17(3) of the GDPR).

Reasons for the occurrence of the erasure period (Art. 17 (1) GDPR)

  1. The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her and the controller shall be obliged to erase personal data without delay where one of the following grounds applies:
    1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
    2. The data subject revokes his or her consent on which the processing is based in accordance with Article 6 (1)(a) or Article 9 (2)(a) and there is no other legal basis for the processing.
    3. The data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2).
    4. The personal data have been processed unlawfully.
    5. The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
    6. The personal data have been collected in relation to information society services offered pursuant to Article 8 Paragraph 1.

Measures taken by the controller (Art. 17 (2) GDPR)

  1. Where the controller has made the personal data public and is obliged to erase it pursuant to paragraph 1, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, that personal data.

Exceptions to the deletion period (Art. 17 (3) GDPR)

  1. Paragraphs 1 and 2 shall not apply insofar as the processing is necessary
    1. to exercise the right to freedom of expression and information;
    2. for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2(h) and (i); and Article 9 Paragraph 3;
    4. for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 paragraph 1, to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
    5. for the assertion, exercise or defence of legal claims.

Further legal requirements

  • The right to restrict processing pursuant to Art. 18 GDPR: The data subject has the right to obtain from the controller the restriction of processing if certain conditions are met.
  • The list of processing activities pursuant to Art. 30 para. 1 f) GDPR: This list contains information on the time limits foreseen for the erasure of the different categories of data.
  • The right to erasure pursuant to § 35 BDSG-neu: Conditions for certain deletion operations.

DIN 66398/Guideline Erasure Concept

DIN 66398 is geared towards an erasure concept for personal data. It:

  • describes the elements of an erasure concept;
  • recommends a documentation structure;
  • provides uniform terms;
  • proposes a procedure for the definition of erasure rules, and
  • describes which contents should be defined in implementation specifications.

According to DIN 66398, the erasure rules and implementation specifications result from:

  • specific personal data files,
  • specific purposes of the data processing,
  • legal bases from which the legitimacy and necessity of the processing activities derive, and
  • processes in which data controllers process data.

Support in the implementation of the erasure concept

Implementing the various legal and normative requirements into an erasure concept can seem complicated. Regular reviews and updates of your erasure concept help to optimise your data protection management system. Our data protection officers (DPOs) will be happy to support you in implementing your erasure concept. Find out about the benefits, process and costs with Robin Data.

What must the erasure concept contain?

A data protection-compliant erasure concept consists of the following components:

  • Erasure classes with data types, erasure periods and the protection requirement of the data to be erased
  • Start time from which the erasure period is calculated
  • If applicable, justification of an erasure period for a type of data that deviates from the statutory retention period.
  • Erasure rule per erasure class, which defines how corresponding data is to be erased on the basis of the protection requirement, e.g. on the basis of DIN 66399.

What are erasure classes?

Erasure classes can be thought of as a matrix consisting of data types, the retention period and the start time from which this retention period runs. For the sake of simplicity, all data types with the same start time and the same erasure period can be grouped into erasure classes.

  • Data types: All data processed for a common purpose are defined as one data type. The basis of a standardised erasure concept are data types into which all data stored in the company is divided. In Robin Data you can choose from over 1000 data types. By selecting the appropriate data type, the legal retention period is generated automatically.
  • Retention period: In addition to the GDPR, there are other laws that stipulate storage and erasure periods. These must be observed when creating the erasure concept and this is also where the challenge lies: Erasure periods are regulated in tax law, commercial law or the Securities Trading Act, among others. So how do you maintain an overview of the applicable legal situation? This is where the data protection officers and lawyers have done the groundwork. Based on the type of data, the appropriate retention period is automatically stored in accordance with the current legal situation.
  • Start time: The start time also automatically determines the respective erasure period. The start time is either the time of data collection or the end of a transaction or relationship. In a dropdown, you can select the start time for the erasure class that applies to the data type.

What are erasure periods?

The erasure period is the period after which data types or personal data must be erased. An erasure period results from the start time and the retention period. Erasure periods can result from legal requirements for certain data types. By selecting the data type in Robin Data, not only the retention period is defined automatically, but also the erasure period.

What are erasure rules?

An erasure rule is assigned to each erasure class within your erasure concept. This erasure rule determines whether the erasure class created must be erased on a specific date or as standard.

7 steps to an erasure concept according to the GDPR

The first step in creating an erasure concept is to record all processing activities of personal data in the company or the authority and the contact persons who are responsible for these processing activities. It is also necessary to record all systems that process personal data and to check whether there are dependencies between these systems (e.g. accounting software, CRM system). You must also pay attention to whether personal data collected by your company is further processed by third-party providers and processors.

  • The basis of the erasure concept are the types of data recorded in the register of processing activities. Data types are usually categories of documents, such as business letters, quotation documents, emails, etc., that are used in an organisation.
  • Legal retention periods are defined for data types. Data types plus retention periods form the basis for the creation of so-called erasure classes.
  • Example: The data type "order data of a roofing company" has a legal retention period of 10 years, which results from the Commercial Code.
  • Erasure classes summarise one or more types of data and describe which types of data are to be erased and when.
  • The shared feature is that a common erasure period is assigned to the data types contained in an erasure class. Once the erasure period is reached, the personal data must be erased or the complete documents must be destroyed. For the above example, this means that the roofing documents should be erased after 10 years.
  • In many cases, it may make sense to store and process types of data beyond the legal retention period. Accordingly, there is a legitimate interest for further processing, which must be explicitly justified in the erasure concept. In the case of the roofer, a legitimate interest can be justified by the fact that roofs usually show damage only after 20 or more years and that it therefore makes sense not to erase the order documents on the roof after 10 years, but to keep them for at least 20 or more years. This procedure is certainly also in the interest of the customer.
  • In addition, for each erasure class it is defined from when the observation period for the calculation of an erasure class runs. This can be "From the end of a contractual relationship", "From the end of a transaction" or "From the time of data collection".
  • Example: For the roofing company, the erasure period would start "From the end of the operation", i.e. the acceptance of the roof.
  • It is now necessary to consider how sensitive or in need of protection the types of data in the erasure class are. A personnel file has a higher protection requirement than a "normal" business e-mail. This must be taken into account when erasing data, for example, if a professional disposal company is commissioned to erase or destroy data. A good reference work for the destruction of documents is DIN 66398.
  • In order to implement the erasures, a so-called erasure rule must be defined for each erasure class.
  • The erasure rule describes when and how the data is to be erased.
  • Example: In the case of the roofer, the erasure rule could, for example, read as follows: "On 1.2. of each year, erase all order documents on roof projects that have been archived for at least 20 years since the roof was accepted. Erase these documents via the disposal company Meier and have the erasure confirmed".
  • Implementation rules specify a recurring point in time at which the data types or data must be erased.
  • These also contain information on the technology or service to be used for the erasure.
  • Specify who is responsible for erasing the data types.
  • At best, there is not just one person responsible, but an approval procedure:
    • An erasure class is usually created by one person, for example the employee of a specialist department.
    • In addition to this person, another person should check whether the erasure class has been correctly worked out and whether a legitimate interest is well-founded. This can be done by the data protection officer, for example.
    • At the end of the chain, someone has to officially release the erasure class. This can be done, for example, by the supervisor.
  • Each erasure process should be recorded as an activity.
  • These activities are documented in the activity report and serve as evidence.

Examples and samples for an erasure class

Designation: Settlement documents
Data type: Settlement documents
Protection needs: Protection class 2
Legal retention period: 10 years
Start time: From the end of the relationship
Repeat every: Years
Period: 10
Erasure rule: Annual data media and file destruction
Implementation through: Internal data media and file destruction

How can measures of the erasure concept be documented?

Since aspects of the documentation of the erasure concept such as data types or legal retention periods must be included, this part of the data protection documentation can appear to be particularly complex. Even if the processed data is carefully categorised into data types, the classification of protection classes and the determination of correct legal retention periods poses challenges for data protection officers. For this reason, there is a digital and standardised solution for your erasure concept. Benefit from the preparatory work of data protection experts and lawyers who have carefully incorporated this data into the database of our data protection software Robin Data.

Implement your erasure concept with assistance and on the basis of the current legal requirements of the GDPR. Learn more about the features of our data protection software by visiting a free software demo.

How often does the erasure concept need to be updated and reviewed?

In order to comply with the documentation and accountability obligations, it is necessary to regularly review the erasure concept and keep it up to date. Accordingly, erasure deadlines for personal data must always be observed and maintained.

What are the sanctions for a missing erasure concept?

The erasure concept and its implementation must be documented and be presentable to the data protection supervisory authority upon request. If a missing or incomplete management of the erasure concept is determined or if the legal requirements according to the GDPR are not taken into account, data protection fines of up to 20 million euros or up to 2 or 4 percent of the total annual turnover achieved worldwide may be imposed in the event of an inspection. The fines and penalties are stipulated in Art. 83 GDPR. In addition, it may happen that a breach of accountability according to Art. 5 para. 2 is assumed. Significantly higher fines are to be expected.

Documentation of the erasure concept with the Robin Data software

Erasure concept in accordance with GDPR, BDSG and DIN 66398 based on templates and samples

The special thing about Robin Data is that the data protection software already has thousands of examples and templates from the area of data protection. These have been incorporated into the database of our software by the data protection officers and lawyers of Robin Data. You can access these high-quality templates. Based on these templates, you can also create your erasure concept, almost as an aside.

The erasure concept is a central component of data protection, because personal data must be erased regularly. Erasure periods can be derived from legal retention periods. Robin Data knows the relevant information for your erasure concept according to DIN 66398:2016-05 without you having to find it yourself. At the push of a button, you can generate your erasure concept step-by-step from your directory of processing activities.

With Robin Data you can manage not only the erasure concept but also, for example, your directory of processing activities or your technical-organisational measures. This way you can implement your data protection documentation with assistance and in a short time.

The erasure concept is a central component of the data protection documentation. Our data protection software Robin Data offers the standardized template for implementation.

If you are interested in the implementation and documentation of the erasure concept with the Robin Data software, you can find the individual articles in our Help Center or visit our free online demos.

How to set up an erasure concept parallel to the processing activities directory

In our data protection software Robin Data, you can set up your data protection-compliant erasure concept parallel to the directory of processing activities. This is achieved by importing the corresponding data types directly from the Robin Data database when importing a processing activity. If you now switch to the functional area "Erasure concept", you can store the data type in the corresponding erasure class. Important contents, such as the legal retention period and the erasure period, are filled out automatically on the basis of the data type according to DIN 66398:2016-05. In this way you can implement your data protection documentation with assistance and in a short time.

Visit our free demos

We regularly offer online demos in which we introduce you to our Robin Data data protection software. Get insight into the structure and functional scope of the digital activity report of the Robin Data software. Our experts will give you and other interested parties comprehensive insight and answer your questions.

Caroline Schwabe