On 30 October 2019, Berlin’s Supervisory Authority (SA) issued a 14.5 million EUR fine against Deutsche Wohnen SE, a German real estate company, for storing tenants' personal data. It all started in 2017, when the SA investigated the company following a complaint from one of the tenants. It was discovered that the systems did not allow the deletion of obsolete personal data. Furthermore, highly personal information, such as health insurance and social security data, extracts from employment contracts, and creditworthiness data, was retained for longer than was necessary to fulfil the purpose for which the data was collected. Hence, the investigation into Deutsche Wohnen concluded that the company stored personal data of tenants “without checking if this was legal or even necessary”. The subsequent fine, which is the highest imposed so far in Germany, signals the next wave of priorities with regard to data deletion and highlights the importance the SA places on compliance.
In practice, however, the implementation of robust data deletion measures within organizations is not as straightforward as it may seem.
The General Data Protection Regulation (GDPR) describes "deletion" as the process that makes data completely inaccessible and unusable by the users concerned. Deletion of data can take place in different ways, such as:
These deletion techniques are linked to the GDPR principle of storage limitation, according to which personal data must not be kept for longer than needed for the purpose for which it was collected. The GDPR does not indicate specific time limits for different types of data. Therefore, it is up to the companies storing the data to set them. This means that the time limits set will depend on how long the data is needed for the specified purposes for which the company has collected it. This requires the implementation of standard retention periods, which have to balance local legal requirements (for example, tax and labor laws) with the GDPR, as well as periodic reviews of the data held within the systems.
On top of the implementation of the above-mentioned practices, a common challenge within organizations with regard to data removal is to map where the personal data to be deleted may have been stored, which systems exchange data with each other and how, who has received the data, and who, if necessary, has to be notified about the deletion request.
What may still seem feasible in a monolithic, centralized IT infrastructure is in reality not such an obvious practice within companies, where very often a variety of data processing systems are involved.
On top of this, the introduction of new technologies - such as cloud computing, virtualization at all levels and outsourcing of entire business processes - does not ease the process.
In a nutshell, good removal practice is not only about choosing the right deletion method. Organizations need to develop a clear vision of their whole IT landscape, set up a clean and structured data base, and understand the multiple purposes to which the data sets are linked. This strong baseline is necessary to set realistic retention periods, ensure a timely response to right-to-erasure requests, and implement efficient data removal procedures. These shall be integrated and reviewed on a regular basis to avoid unnecessary aggregation of personal data and ensure continuity in the long run.
As the Berlin case demonstrated, deletion policies and practices are closely investigated, and strict sanctions underline more than ever the importance of the topic for compliance.