Many companies have dealt with data processing in their own company since the General Data Protection Regulation (GDPR) came into force. Within the framework of data protection management concepts, among other things, consent processes have been newly created or adapted, new data protection declarations have been created and the entire company has been aligned with the GDPR.
However, what is sometimes forgotten by companies is the data protection-compliant disposal of documents containing personal data.
According to Art. 4 no. 2 GDPR, the deletion and destruction of personal data are separate processing operations.
Create a deletion concept
As a rule, the data protection background to data deletion is formed by the deletion obligations, which arise in particular from the data subject's right to erasure of personal data pursuant to Art. 17 GDPR and from the purpose limitation principle, Art. 5 para. 1 lit. b GDPR.
The GDPR does not regulate how personal data to be erased/destroyed that is stored on paper, CD-ROMs, DVDs, USB sticks, external hard disks, laptops, in clouds, etc. is to be deleted or destroyed.
When developing a data protection-compliant concept for the disposal of internal confidential documents, a variety of scenarios are conceivable. Which disposal options exist, which security level is appropriate and necessary for the destruction of the data media, and which criteria should be applied when selecting equipment and, in the case of external disposal, disposal companies, must be determined individually and then implemented.
If our firm provides the data protection officer for your company, we will promptly discuss the above points with you in the overall context. Otherwise, please contact us. We will be happy to advise you.
What always needs to be considered
The following aspects must be clarified and observed in every company with a view to ensuring data protection-compliant data disposal:
- Identification of documents containing personal data
- Identification of the data carriers containing the above-mentioned documents
- Determination of responsibilities and processes for document retention and internal dissemination
- Development of a comprehensive disposal or deletion concept, ideally combined with integration into the company software
- Determination of the protection requirements of the individual documents and their allocation to the protection classes 1-3 in the sense of DIN 66399
- Management and consideration of the information on the storage period of personal data, including precise scheduling of the deletion or destruction dates as well as information of the data subjects about this
- Determination of the respective storage conditions
- Determination of the security measures to be taken before and after the actual destruction
- Presentation of the implemented measures in the company's own data protection guidelines
- Selection of a suitable document shredder, in particular a cross-cut shredder
- Regular control and logging of the destruction of documents
- Comprehensive and regular awareness-raising among employees, e.g. in the form of training courses and information letters
If you have any questions about the above topic of data destruction and deletion, please do not hesitate to contact us. We will be happy to explain the above topic to you personally.
GoldbergUllrich Rechtsanwälte 2020
Michael Ullrich, LL.M. (Information Law)
Lawyer and specialist in Information Technology Law