ISiCO GmbH
01.10.2025

Creating the right deletion concept: requirements, implementation, risks

The GDPR clearly stipulates that personal data may not be stored indefinitely. Implementing a structured deletion concept helps to ensure compliance with legal requirements, minimise risks and maintain an overview. Find out how to structure an effective concept, what deadlines apply, and what is important in practice.

Your ISiCO-Expert:
Jacqueline Neiazy
Director Privacy

What is a deletion concept in accordance with the GDPR?

Under the GDPR, a deletion concept is a set of internal company rules that systematically define how personal data is deleted once it is no longer necessary, or no longer permissible, to process it. It translates the deletion obligations of Art. 17 GDPR and the principle of storage limitation in Art. 5(1)(e) GDPR into concrete, repeatable steps for the organisation.

Purpose and legal basis

  • Art. 17 GDPR requires the erasure of personal data when it is no longer necessary for the purposes for which it was collected, or when another ground for erasure applies, such as the withdrawal of consent.
  • Art. 5(1)(e) GDPR (storage limitation) stipulates that personal data may be kept in a form that permits identification only for as long as is necessary for the purposes of the processing.
  • Art. 5(2) GDPR (accountability) requires controllers to be able to demonstrate their compliance with the GDPR. A documented deletion concept, together with the deletion logs it produces, is the evidence for the storage-limitation principle.

How do you create a deletion concept?

A practical deletion concept in accordance with the GDPR consists of several structured components that build on each other. The German standard DIN 66398 is the established guideline for developing such concepts and provides the terminology used below (data types, deletion classes, deletion rules).

1. Data inventory and categorisation

First, all personal data held by the company is recorded in full. This data is then divided into types (e.g. customer or employee data) and grouped into deletion classes with common rules and deadlines for deletion.

2. Setting deletion deadlines and start dates

Specific deletion deadlines are then defined for each deletion class, based on legal retention obligations (e.g. HGB, AO) or internal guidelines. The start date of each deadline (e.g. end of contract or last contact) is clearly defined.

3. Definition of deletion rules and implementation measures

Specific deletion rules are defined for each deletion class, including the method for securely deleting the data (e.g. overwriting, shredding or anonymisation) and taking into account the different types of data carrier (digital and physical). The rule must name every location where the data type exists, not only the primary system: backups, archives, log files, search indexes, exports, e-mail and the systems of processors, because a record deleted in the live application but still restorable from a backup is not deleted. Responsibilities for implementing and monitoring the deletion concept are clearly assigned.

4. Integration into data protection management

The deletion concept is integrated into the existing data protection management system, in particular into the record of processing activities in accordance with Art. 30 GDPR, which already lists the envisaged time limits for erasure of each category of data. This ensures consistent application and facilitates verification by supervisory authorities.


5. Documentation and verification

All deletion processes are documented, including the time, type of deletion and the person responsible. These logs serve the purpose of accountability in accordance with Art. 5(2) GDPR, and enable transparent tracking.

6. Regular review and updating

The deletion concept is regularly reviewed and updated as necessary to reflect changes in legal requirements or internal processes. This ensures that the concept remains up to date and effective at all times.

What is DIN 66398?

It is a German standard entitled 'Guideline for the development of a deletion concept with derivation of deletion periods for personal data'. Published in 2016, it offers organisations a structured approach to creating a deletion concept that meets the storage-limitation and accountability requirements of the General Data Protection Regulation (GDPR).

The core components of DIN 66398 are:

  1. Data types: Groups of data objects that are processed for a uniform purpose (e.g. application documents, customer master data).
  2. Deletion classes: A grouping of data types that share the same deletion period and the same start event.
  3. Deletion rules: The deletion period and the start event defined for each deletion class.
  4. Implementation specifications: Specific instructions for the technical and organisational implementation of the deletion rules in the affected systems.
  5. Responsibilities: Who creates, maintains and implements the deletion concept, and who executes the deletion for each deletion class.
  6. Documentation: A recommended structure for documenting the deletion concept itself and the deletion processes carried out under it.

Example of an entry according to DIN 66398

  • Data type: Application documents of rejected candidates (where there is no documented consent for inclusion in the applicant pool).
  • Deletion class: LK-06M-EV (deletion period of 6 months, starting with the rejection of the applicant or the end of the selection process).
  • Deletion rule: Deletion takes place no later than 6 months after the applicant is rejected.
  • Implementation specification: Automated deletion of digital application documents in the HR system; physical documents are destroyed by the HR department.
  • Responsibility: Human Resources department (HR).
  • Documentation: Deletion processes are recorded in the HR system's deletion log and reviewed annually.
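The six steps and the DIN 66398 entry above can be turned into a scheduled deletion job. The following Python is an added illustration written for this article; it is not ISiCO's tooling and not part of the standard. The class codes (the applicant class from the entry above plus a constructed customer class 'LK-36M-VE'), the record ids, the dates and the per-record legal hold are constructed assumptions. It shows the parts a deletion concept needs to make checkable: a due date computed from start event plus period, a block instead of a deletion while a legal hold applies, and a log entry with run date, method and responsible unit for every action.

```python
"""Deletion-rule engine following the DIN 66398 structure (data type,
deletion class, deletion rule, implementation specification, responsibility,
documentation). Added illustration for this article, not ISiCO's tooling;
all classes, records, dates and the legal-hold field are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DeletionClass:
    """Uniform deletion period and start event, plus how and by whom deletion is done."""
    code: str            # label such as "LK-06M-EV" (constructed, as in the entry above)
    period_months: int   # deletion period, counted from the start event
    start_event: str     # event that starts the clock
    method: str          # implementation specification
    responsible: str     # unit that executes and documents the deletion


@dataclass
class Record:
    """One data object. start_date is None while the start event has not occurred
    (contract still running). legal_hold_until models a pending legal claim or an
    individual retention obligation (Art. 17(3)(e)/(b) GDPR) for this record only."""
    record_id: str
    data_type: str
    deletion_class: str
    start_date: Optional[date]
    legal_hold_until: Optional[date] = None
    blocked: bool = False
    deleted: bool = False


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    leap = y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)
    last = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][m - 1]
    return date(y, m, min(d.day, last))


def due_date(rec: Record, classes: dict) -> Optional[date]:
    """Deletion date = start event + period of the record's deletion class."""
    if rec.start_date is None:
        return None
    return add_months(rec.start_date, classes[rec.deletion_class].period_months)


def run_deletion(records: list, classes: dict, today: date, log: list) -> dict:
    """One run of the deletion job (e.g. nightly). Records past their due date are
    deleted and logged; records past their due date but under a legal hold are
    blocked instead (restriction of processing) and re-examined on the next run.
    Returns the record ids grouped by outcome so the run can be reviewed."""
    outcome = {"deleted": [], "blocked": [], "pending": []}
    for rec in records:
        if rec.deleted:
            continue
        due = due_date(rec, classes)
        if due is None or today < due:
            outcome["pending"].append(rec.record_id)
            continue
        cls = classes[rec.deletion_class]
        entry = {"record_id": rec.record_id, "data_type": rec.data_type,
                 "deletion_class": cls.code, "due": due.isoformat(),
                 "run_date": today.isoformat(), "responsible": cls.responsible}
        if rec.legal_hold_until is not None and today <= rec.legal_hold_until:
            rec.blocked = True   # kept only for the purpose of the hold
            outcome["blocked"].append(rec.record_id)
            log.append({**entry, "action": "blocked",
                        "hold_until": rec.legal_hold_until.isoformat()})
            continue
        # A real job calls the system's delete API here, plus the backup and
        # index locations named in the implementation specification.
        rec.deleted, rec.blocked = True, False
        outcome["deleted"].append(rec.record_id)
        log.append({**entry, "action": "deleted", "method": cls.method})
    return outcome


def demo(today: date = date(2025, 10, 1)):
    """Constructed classes and records; returns (outcome, log)."""
    classes = {
        "LK-06M-EV": DeletionClass("LK-06M-EV", 6, "rejection of applicant",
                                   "automated deletion in the HR system", "HR"),
        "LK-36M-VE": DeletionClass("LK-36M-VE", 36, "end of contract",
                                   "deletion of the customer record in the CRM", "Sales"),
    }
    records = [
        Record("A1", "application documents (rejected)", "LK-06M-EV", date(2025, 1, 15)),
        Record("A2", "application documents (rejected)", "LK-06M-EV", date(2025, 6, 1)),
        Record("K1", "customer master data", "LK-36M-VE", date(2022, 3, 31),
               legal_hold_until=date(2026, 6, 30)),          # claim pending
        Record("K2", "customer master data", "LK-36M-VE", None),  # contract running
        Record("K3", "customer master data", "LK-36M-VE", date(2022, 2, 28)),
    ]
    log: list = []
    return run_deletion(records, classes, today, log), log


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for line in log:
        print(line)
```

Running `demo()` on 1 October 2025 deletes A1 and K3, blocks K1 because its hold runs until mid-2026, and leaves A2 (period not yet expired) and K2 (start event not yet occurred) pending. The log holds one entry per action and is the record step 5 asks for; the class table is the document an auditor compares it against.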


When must personal data be deleted?

The personal data of data subjects must be deleted if:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed (Art. 17(1)(a) GDPR);
  • consent to the data processing has been withdrawn and there is no other legal basis for the processing (Art. 17(1)(b) GDPR);
  • the data subject has objected to the processing under Art. 21(1) GDPR and there are no overriding legitimate grounds, or has objected to direct marketing under Art. 21(2) GDPR (Art. 17(1)(c) GDPR);
  • the processing was unlawful (Art. 17(1)(d) GDPR);
  • the erasure of the personal data is required for compliance with a legal obligation in Union or Member State law (Art. 17(1)(e) GDPR); or
  • the personal data was collected in relation to the offer of information society services to a child referred to in Art. 8(1) GDPR (Art. 17(1)(f) GDPR).

Example

A customer gives a company permission to use their email address to send them newsletters. They may withdraw this consent at any time, with effect for the future.

If they do so, the legal basis for processing and storing the email address for this purpose no longer applies (Art. 17(1)(b) GDPR), and the company must delete the address unless another legal basis covers it (e.g. the address is also needed to perform an ongoing contract). The same applies if no consent to receive newsletters was given in the first place: the processing was unlawful from the outset (Art. 17(1)(d) GDPR).

Exceptions under Art. 17(3) GDPR

According to Art. 17(3) GDPR, there are exceptions to the right to erasure. They apply where the processing is still necessary for one of the following reasons:

  • exercising the right of freedom of expression and information (lit. a);
  • compliance with a legal obligation, or the performance of a task carried out in the public interest or in the exercise of official authority (lit. b);
  • reasons of public interest in the area of public health (lit. c);
  • archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (lit. d);
  • the establishment, exercise or defence of legal claims (lit. e).

Retention obligations

Statutory retention periods in national law (tax, commercial and labour law) also prevent deletion: under Art. 17(3)(b) GDPR they are legal obligations that take precedence over the right to erasure until they expire. The deletion period of a deletion class must therefore be at least as long as the longest retention obligation that applies to its data types. Below is a brief overview of selected periods under German law:

Document/data type                                      | Retention period | Legal basis
Commercial and business letters                         | 6 years          | Section 147(3) AO, Section 257(4) HGB
Application documents of rejected candidates            | max. 6 months    | Section 15(4) AGG (maximum storage period, not a retention obligation)
Employment contracts, payslips                          | 10 years         | Section 147(3) AO
Certificates of incapacity for work                     | 5 years          | Section 6(1) AAG
Time sheets (working time beyond 8 hours per day)       | 2 years          | Section 16(2) ArbZG
Documents relating to accidents at work                 | 5 years          | Section 24(6) DGUV Regulation 1
Documents relating to liability cases (bodily injury)   | 30 years         | Section 199(2) of the German Civil Code (BGB)
Documents relating to liability cases (property damage) | 10 years         | Section 199(3) of the German Civil Code (BGB)

Two caveats for practice. First, the liability rows are limitation periods under Section 199 BGB rather than retention obligations: they justify keeping the documents for the defence of legal claims (Art. 17(3)(e) GDPR), and the deletion period of the corresponding deletion class is set to match them. Second, the figures change: the Fourth Bureaucracy Relief Act (BEG IV) shortened the retention period for accounting vouchers under Section 147(3) AO and Section 257(4) HGB from ten to eight years with effect from 1 January 2025. Every period in the concept must therefore be checked against the current version of the provision at each review (step 6).

What constitutes 'deletion'?

The GDPR does not define 'erasure' (German: 'Löschung'). Art. 4(2) GDPR merely lists 'erasure or destruction' as a form of processing. From the purpose of the provision it follows that erasure means the complete and irreversible removal of the personal data, so that it cannot be restored with reasonable effort. This applies to digital and physical data alike.

Technical implementation

  • Digital data: Deletion is carried out using methods that make recovery impracticable, e.g. removing the records from the application and overwriting the underlying data with random values, using the sanitisation command of the storage device, or physically destroying the storage media. Two points are easily missed: on flash storage (SSDs) overwriting a file does not reliably reach all copies because of wear levelling, so the device's own secure-erase function or the destruction of the encryption key protecting the data is required (NIST SP 800-88 describes the methods); and a record removed from the live system usually survives in backups, snapshots, log files, search indexes and exports, so the deletion rule must cover these locations and the backup retention period must be included in the deletion period.
  • Physical data: Paper files are destroyed with a document shredder; the protection class and security level follow the data carrier destruction standard DIN 66399.

Anonymisation is an alternative

Instead of deleting the data, it may be anonymised, i.e. the personal reference is removed permanently; the GDPR then no longer applies to the remaining data (Recital 26). This is only an alternative to deletion if the anonymisation is complete and irreversible. Merely replacing names or e-mail addresses with hashes or pseudonyms is pseudonymisation: the data remains personal data for anyone who can undo the mapping, and even 'anonymised' statistics can single out individuals when groups are small. Complete anonymisation is therefore difficult to achieve in practice and must be assessed case by case.
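The following Python is an added example written for this article, not ISiCO's guidance, showing the two failure modes just described. The customer records and the attacker's candidate list are constructed sample data; the functions and the group-size threshold are assumptions made for the illustration. A SHA-256 hash of an e-mail address is recovered with a simple dictionary attack, so it is pseudonymisation rather than anonymisation, whereas dropping the identifier, generalising the quasi-identifiers and suppressing small groups removes the personal reference.

```python
"""Hashing is pseudonymisation, not anonymisation. Added illustration for this
article, not ISiCO's guidance; all records and candidate addresses are
constructed sample data."""
import hashlib
from typing import Optional

# Constructed sample records: direct identifier (email), quasi-identifiers
# (birth_year, city) and a payload value (spend).
CUSTOMERS = [
    {"email": "anna.schmidt@example.com", "birth_year": 1984, "city": "Berlin", "spend": 1200},
    {"email": "ben.mueller@example.com", "birth_year": 1987, "city": "Berlin", "spend": 800},
    {"email": "clara.weber@example.com", "birth_year": 1981, "city": "Berlin", "spend": 1000},
    {"email": "dana.fischer@example.com", "birth_year": 1995, "city": "Hamburg", "spend": 500},
]

# Constructed: addresses an attacker already holds (e.g. a purchased marketing list).
CANDIDATES = ["peter.lang@example.com", "dana.fischer@example.com",
              "anna.schmidt@example.com", "nora.koch@example.com"]


def _digest(email: str) -> str:
    """Normalise and hash an address the way a naive 'anonymiser' would."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(record: dict) -> dict:
    """Replace the e-mail with its SHA-256 digest. Looks irreversible, but the
    address space is small and anyone with a candidate list can undo it."""
    out = dict(record)
    out["email"] = _digest(record["email"])
    return out


def reidentify(pseudonymised: dict, candidates: list) -> Optional[str]:
    """Dictionary attack: hash every candidate address and look the digest up."""
    table = {_digest(c): c for c in candidates}
    return table.get(pseudonymised["email"])


def anonymise(records: list, min_group: int = 3) -> dict:
    """Remove the personal reference: drop the direct identifier entirely,
    generalise quasi-identifiers (birth year -> decade) and publish only
    aggregates for groups of at least min_group people. Smaller groups are
    suppressed because a single person could otherwise be singled out."""
    groups: dict = {}
    for r in records:
        key = (r["city"], f"{r['birth_year'] // 10 * 10}s")
        groups.setdefault(key, []).append(r["spend"])
    return {k: {"n": len(v), "avg_spend": round(sum(v) / len(v))}
            for k, v in groups.items() if len(v) >= min_group}


if __name__ == "__main__":
    hashed = pseudonymise(CUSTOMERS[0])
    print("hashed record:", hashed)
    print("recovered address:", reidentify(hashed, CANDIDATES))
    print("anonymised aggregate:", anonymise(CUSTOMERS))
```

With the constructed data the first customer is re-identified from the hash, because her address is on the attacker's list; the Hamburg record is suppressed from the aggregate because a group of one would identify the person. A salted hash or a pepper held by the controller changes nothing about the legal classification: the controller itself can still reverse the mapping, so the data stays personal data and the deletion rule still applies.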

Blocking can be used as an interim solution

In cases where immediate deletion is not possible (e.g. because a statutory retention period has not yet expired, or the data is needed for a pending legal claim), the data must be blocked. Blocking corresponds to the restriction of processing in Art. 4(3) and Art. 18 GDPR: the data is marked so that it is no longer used for its original purpose, access is limited to the staff who need it for the remaining purpose (e.g. a tax audit), and the record is deleted as soon as the reason for blocking ceases to apply. The deletion concept should state for each deletion class how blocking is implemented technically and who re-checks blocked records.

What penalties are imposed for non-compliance with the right to erasure?

The absence of a deletion concept, or the failure to delete personal data or to delete it on time, constitutes a violation of the General Data Protection Regulation (GDPR) and can result in significant penalties. Art. 83(5)(a) GDPR provides for fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violations of the basic principles for processing, including storage limitation under Art. 5(1)(e); the same range applies under Art. 83(5)(b) to violations of data subjects' rights, including the right to erasure under Art. 17.

Practical examples of sanctions

  • Hamburg, 2024: A debt collection company stored personal data for up to five years, despite the deletion period having expired. The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of €900,000.
  • In Berlin in 2019: Deutsche Wohnen SE was fined €14.5 million because its archiving system was incapable of deleting unnecessary data. This data was stored without its admissibility being checked.

What needs to be taken into account in the deletion concept when processors are involved?

The controller, i.e. the body that determines the purposes and means of the processing (Art. 4(7) GDPR), remains responsible for ensuring that personal data is deleted in good time (Art. 5(1)(e), Art. 5(2) and Art. 24 GDPR). This responsibility also covers data processed on its behalf by processors, so the controller must ensure that its service providers delete the data in good time as well.

According to Art. 28(3) sentence 2 lit. g GDPR, the processor must, at the choice of the controller, delete or return all personal data after the end of the provision of the processing services and delete existing copies, unless Union or Member State law requires storage. This obligation should be clearly set out in the data processing agreement, including the deadline, the deletion method (also for backups) and a written confirmation of deletion that the controller can file as evidence under Art. 5(2) GDPR.

If the processor violates the deletion obligations, the controller can generally be held liable towards the data subjects under Art. 82(1) GDPR; the processor is liable only where it has not complied with obligations specifically directed at processors or has acted against the controller's lawful instructions (Art. 82(2) GDPR). It is therefore in the controller's interest to verify that the processor complies with these obligations, e.g. through the audit rights agreed under Art. 28(3) lit. h GDPR.

We can support you with your deletion concept

A well-thought-out deletion concept is essential for GDPR-compliant data processing. As specialist data protection consultants, we provide practical, legally compliant support for designing, implementing and monitoring your deletion concept.

Our services at a glance

  • Analysis and categorisation of all relevant personal data
  • Development of individual deletion rules in accordance with DIN 66398
  • Derivation and documentation of statutory retention and deletion periods
  • Creation of a company-specific deletion concept, including deletion classes
  • Support with integration into the data protection management system (e.g. ROPA, TOMs)
  • Review and optimisation of existing data deletion processes
  • Development of technical and organisational deletion measures
  • Advice on deletion in backup and archive systems
  • Contract review and control of processors (Art. 28 GDPR)
  • Training and raising awareness among employees
  • Regular reviews and updates of the deletion concept
  • Support during official audits and requests for information

We support you from risk analysis to successful implementation in a manner that is legally compliant, transparent and practical.
