Introducing a successful deletion concept in companies
With the GDPR, the right to be forgotten has been added to the right to erasure.
This means that, in accordance with Article 17 GDPR, there is no legal difference between the right to erasure and the right to be forgotten. The right to be forgotten has its (recent) origins in the case law of the European Court of Justice (ECJ), which has deemed the right to be forgotten to be an essential component of the protection of the privacy of data subjects in an increasingly digitalized world (judgment of 13.5.2014 - C-131/12).
The right to erasure therefore also extends to information that is, for example, publicly accessible via search engines on the Internet.
Companies must delete data
In principle, companies must delete personal data if it is no longer required for the purposes for which it was collected or otherwise processed. The purpose of the data processing therefore determines the permissible duration of the storage of the processed data, provided that there are no statutory retention periods (Article 17(1) GDPR).
The controller's obligation also includes the obligation to erase data that has already been published (Article 17(2) GDPR). If necessary, a third-party data recipient must therefore be informed of the erasure in order to prevent duplicates from continuing to exist and to ensure erasure in full.
Article 17(1)(f) GDPR has been extended to protect children and their activities on the internet. In the case of consent and provision of their data to online services in accordance with Article 8 GDPR, deletion of their data can be requested by both the data subject and their legal guardian.
Regulations of the GDPR
The GDPR does not contain a separate regulation for the erasure of special categories of personal data. However, the GDPR does regulate exceptions to the right to erasure and the right to be forgotten.
According to Article 17(3) GDPR, the rights of data subjects do not apply if the processing is necessary for exercising the right of freedom of expression and information (Article 17(3) lit. a GDPR), for compliance with a legal obligation or for the performance of a task (Article 17(3) lit. b GDPR), for reasons of public interest in the area of public health (Article 17(3) lit. c GDPR), for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes (Article 17(3) lit. d GDPR) or for data necessary for the establishment, exercise or defense of legal claims (Article 17(3) lit. e GDPR).
In order to ensure legally compliant destruction or erasure, we recommend that our clients develop a comprehensive erasure concept that is tailored to their individual business needs. Simple and clear rules for the deletion of personal data, defined and summarized in a well-structured deletion concept, make it easier to manage the personal data you process in compliance with data protection law.
To do this, we first help you determine where you have stored the data to be deleted and who has received the data and how. With an individual erasure concept, we also cover any information obligations to data recipients who must be informed of the erasure request.