17. Oktober 2018 - Data protection concept according to GDPR

A step-by-step guide to coming up with an erasure concept


The General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu) make stipulations on the erasure of personal data. It is therefore advisable to develop and implement an erasure concept. The DIN 66398 standard provides support here.

Erasure concept The GDPR expressly sets out erasure obligations for personal data (Image: Andranik Hakobyan / iStock / Getty Images)

Storage limitation

The principles relating to processing of personal data (Article 5 GDPR) also include a storage limitation. The principle is this:

„Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.“

This means that if personal data that companies collect for an particular purpose have satisfied their purpose, they are no longer required and have to be erased in accordance with further legal stipulations. The „right to be forgotten“ section contains more precise information.

The right to be forgotten

Article 17 GDPR (right to erasure, right to be forgotten) specifies several reasons for an erasure obligation to apply, including:

  • The personal data are no longer needed for the purposes for which they were collected or otherwise processed (see above).
  • The data subject revokes the consent on which the processing was based, and there is no other legal basis for processing.
  • The data subject objects to the processing, and there are no legitimate grounds for processing that take precedence.
  • The personal data were processed unlawfully.
  • The erasure of the personal data is necessary in order to satisfy a legal obligation under European Union law or the law of the Member States to which the data controller is subject.

However, the erasure obligation does not apply if the personal data are (still) required

  • in order to exercise the right to freedom of expression and information
  • in order to satisfy a legal obligation that requires processing in accordance with the law of the European Union or of the Member States to which the data controller is subject, or in order to perform a task carried out in the public interest or in the exercise of official authority vested in the controller
  • on grounds of public interest in the area of public heath
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or
  • in order to assert, exercise or defend legal claims.

Taking account of erasure obligations and retention obligations

Various legal and contractual obligations mean that companies are obligated to retain personal data for a specific amount of time. The aforementioned erasure obligation enters into force at the end of this period.

Article 18 GDPR (right to restriction of processing) also applies. This states that, under certain conditions, the data subject is entitled to request that the data controller restrict processing.

Article 30 GDPR (records of processing activities) provides for the record to include the envisaged time limits for erasure of the different categories of data (where possible).

Finally, the erasure procedures set out in the new Federal Data Protection Act (§ 35 Right to erasure) also apply.

An erasure concept have now to acknowledge and implement all of these stipulations and obligations.

This is an extremely complex task, which is why a step-by-step approach and the use of a guideline is advisable.

Guideline for development of an erasure concept

The DIN 66398 standard provides recommendations on the content, structure and responsibilities in an erasure concept for personal data.

It describes procedures that can be applied to determine erasure time limits and rules for different types of data.

The following terms have a role to play when applying the standard in developing an erasure concept:

Term Definition
Data type All data processed for a common purpose
Erasure time limit Period of time after which the data should (generally) be erased, taking account of contractual and legal retention periods
Starting point When the period for the erasure time limit begins
Erasure classes Summary of data types by erasure time limit and starting point
Erasure rule Rule for each erasure class
Implementation rule Provides further detail on the erasure rule, taking account the technology used
Responsibilities Defined for the implementation of the erasure as well as for the creation and maintenance of the erasure concept

The road to an erasure concept

The key steps that a company should take to create its own erasure concept in accordance with DIN 66398 are:

  • Determining the data types that exist in the company’s databases
  • Summarising the data types into erasure classes
  • Defining erasure rules for the data types
  • Defining concrete implementation rules
  • Defining the people responsible for implementation
  • Documenting the steps taken and to be taken and maintaining the documentation

Completing an erasure concept

As a survey by TÜV Süd has shown, things aren’t looking good with many companies‘ erasure concepts: the TÜV Süd data protection indicator (DSI) shows that around half of those surveyed do not have any clear regulations on the blocking or erasure of data that are no longer required.

It is to be feared that some companies have no general idea

  • what has to be erased when,
  • where the data are located and
  • how they were distributed.

With this in mind, it is high time to put erasure concepts under the microscope – not just in preparation for the GDPR, but also in order to ensure compliance with existing data protection law.

Oliver Schonschek
Oliver Schonschek holds a degree in physics and is an analyst and specialist journalist in the fields of IT security and data protection.