Since the General Data Protection Regulation (GDPR) came into effect, many companies have focused on data processing within their own organizations. As part of data protection management concepts, consent processes have been newly established or adapted, new privacy policies created, and the entire company aligned with the GDPR.
However, what companies sometimes overlook is the GDPR-compliant disposal of documents containing personal data.
According to Art. 4 No. 2 GDPR, the erasure and destruction of personal data constitute distinct processing operations.
Developing an Erasure Concept
The legal basis for data erasures typically stems from deletion obligations, which arise particularly from the data subject's right to erasure of personal data under Art. 17 GDPR, and from the principle of purpose limitation, Art. 5 para. 1 lit. b GDPR.
However, the GDPR does not specify how personal data on paper, CD-ROMs, DVDs, USB sticks, external hard drives, laptops, cloud storage, etc., should be erased or destroyed.
When developing a data protection-compliant concept for the disposal of internal company documents, various scenarios are conceivable. You must individually coordinate and implement with your data protection legal advisor which options exist for disposing of confidential documents, what security level is appropriate and necessary for the destruction of data carriers, and what criteria must be observed when selecting devices, procedures, and – in the case of external disposal – disposal companies.
If our firm provides the Data Protection Officer for your company, we will promptly discuss the aforementioned points with you in their overall context. Otherwise, please do not hesitate to contact us; we would be pleased to advise you.
Key Considerations
The following aspects must be clarified and observed in every company to ensure GDPR-compliant data disposal:
- Identification of documents containing personal data
- Identification of data carriers containing the aforementioned documents
- Determination of responsibilities and processes for document retention and internal transfer
- Development of a comprehensive disposal and erasure concept, ideally integrated into the company's software
- Definition of the protection requirements for individual documents and their classification into protection classes 1-3 according to DIN 66399
- Management and consideration of information on the storage duration of personal data, including precise scheduling of erasure or destruction dates and informing data subjects accordingly
- Determination of the respective storage conditions
- Definition of security measures to be taken before and after the actual destruction
- Documentation of implemented measures in the company's data protection policies
- Selection of a suitable shredder: particularly a cross-cut shredder
- Regular control and logging of document destruction
- Comprehensive and regular awareness training for employees, for instance, through training sessions and informational letters
Should you have any questions regarding the aforementioned topic of data destruction and data erasure, please do not hesitate to contact us. We would be pleased to explain these matters to you personally.
GoldbergUllrich Attorneys at Law 2020
by
Michael Ullrich, LL.M. (Information Law)
Attorney at Law and Specialist Lawyer for Information Technology Law
