Suggestions and tools for a deletion concept

Peter Schaar

Deletion of personal data from companies under criticism

from T. Mielke

On April 24, 2013, the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, presented his 24th activity report for the years 2011 and 2012. In it, he criticizes, among other things, the lack of specifications and regulations for the deletion of personal data at companies and presents a guideline for a deletion concept.

In the activity report, the Federal Commissioner for Data Protection presents, among other things, a guideline on data erasure. This guideline makes it clear that many companies still find it difficult to delete digital data. Many companies also see no point in deleting data that is no longer required.

The data principles of necessity, data avoidance and data minimization require data that is no longer required to be deleted. Article 6 of the EU Data Protection Directive contains a deletion and anonymization requirement. Section 35(2) of the German Federal Data Protection Act (BDSG) provides for the erasure of personal data that is no longer required for the legally permissible purposes.

To ensure the legally compliant, orderly erasure of personal data, the authors of the guideline propose the development of a set of rules for erasure, a so-called erasure concept. Among other things, the guideline recommends the use of standardized deletion periods and so-called deletion classes. These erasure classes are intended to reduce the complexity of the various erasure requirements. The erasure classes are used for the assignment of personal data sets to erasure rules.

The creation of a complex extinguishing concept in companies would have the following advantages:

  • Processes for deletion are clearly defined - this relates in particular to the deletion period
  • IT costs are reduced by streamlining data inventories and eliminating potential redundancies
  • The controller fulfills its legal obligations and documents its data protection compliance
  • The protection of the person concerned is strengthened

The guideline provides data protection officers and IT security officers with a good basis for creating a deletion concept, but it does not relieve companies of the responsibility of developing their own concept that takes into account the data used in the company, the structure of the company and the individual risks in the company.



Image: Wikipedia / Tobias Klenze / CC-BY-SA 4.0 ( at

Share this post :