DELETION OF PERSONAL DATA
Introduction
The right to be forgotten service (GDPR) has been in effect since May 25, 2018. Since then, companies must have taken all the measures required to implement the General Data Protection Regulation. This includes in particular the creation of a concept for the deletion of personal data.
“Delete” means making stored personal data unrecognizable. Article 17 of the GDPR also enshrines the so-called right to erasure (“right to be forgotten”), which is one of the main reasons for the creation of the GDPR. In addition to the DS-GVO, the national legislator has made use of the opening clause provided for in the DS-GVO with Section 35 of the new Federal Data Protection Act (BDSG).
However, the facts of Art. 17 DS-GVO go beyond those of § 35 BDSG. Depending on the place of process, company now have to check when which data needs to be delete. Since May, fines of up to 4% of the total worldwide annual turnover or up to 20 million euros can be ordered for non-compliance with this obligation. At the same time, those affected can have a claim for damages against the person responsible or against the processor according to Art. 82 Para. 1 DS-GVO.
The implementation of Art. 17 DS-GVO is therefore unavoidable, also against the background of the threatening consequences in the event of non-compliance. 1 DS-GVO have a claim for damages against the person responsible or against the processor. The implementation of Art. 17 DS-GVO is therefore unavoidable, also against the background of the threatening consequences in the event of non-compliance. 1 DS-GVO have a claim for damages against the person responsible or against the processor. The implementation of Art. 17 DS-GVO is therefore unavoidable, also against the background of the threatening consequences in the event of non-compliance.
DS-GVO
According to Art. 17 Para. 1 DS-GVO, the person concerned has the right to have their personal data deleted if one of the requirements of Art. 17 Para. 1 DS-GVO is met. The right to be forgotten help is considered the core right of a comprehensive right to be forgotten (para. 2). Deletion can be request if the data is no longer necessary for the purpose for which it was collected (Art. 17 Para. 1 lit. a). A request for deletion is also justified if the data subject revokes their consent (Art. 17 Para. 1 lit. b). If the data subject objects to the processing, there is also a justified request for erasure in accordance with Article 17 (1) (c) GDPR, provided there are no overriding legitimate reasons for the processing. Art. 17 (1) lit. ac DS-GVO thus includes cases.
According to Art. 17 Para. 1 lit. d GDPR, immediate deletion must be carry out if the data process unlawfully. The fact of illegality is to be affirm if there is no reason for legality is. Art. 6 or Art. 9 DS-GVO apply or if the data process violates the DS-GVO for other reason (Recital 65). Article 17 paragraph 1 lit. d GDPR is relevant, among other thing, if the process contradict the principle of good faith.
Art. 17 (1) (f) GDPR represents a protection rule in favor of minors. Accordingly, there is a right to erasure if the personal data was collect in relation to information society service offer pursuant to Art. 8 (1) GDPR. Art. 8 DS-GVO refers to the condition for the consent of a child is. Art. 6 Para. 1 lit. a on data processing in connection with services of the information society is. Art. 4 No. 25 GDPR.
The opening clause according to Art. 17 Para. 1 lit. e GDPR
The opening clause according to Art. 17 (1) lit. e GDPR is striking. Thereafter, erasure of personal data may be require due to legal obligation under Union law or Member State law. Opening clauses are character by the fact that although they provide a corresponding framework, the specific implementation is still left to the member state.
The deletion obligations of Art. 17 DS-GVO were modify by the German legislator through § 35 Para. 1 and Para. 3 BDSG. According to this, the obligation to delete does not apply even if statutory or contractual retention periods conflict.
BDSG (new)
The right to erasure is regulate at national level from May 25, 2018 in the Federal Data Protection Act in § 35 BDSG (new). Accordingly, such a right does not exist if the type of storage is only possible with disproportionate effort and if the interest of the person concern in the deletion is to be regard as low. However, the person concern does not remain without right, but the data concern is block in accordance with Art. 18 DS-GVO. Section 35 (1) BDSG refers directly to the exceptional circumstance of Article 17 (3) GDPR.
A particular challenge in practice is the correct handling of unstrict data sets such as e-mail inbox. Due to the large amount of data, the verification of the obligation to delete requires a high level of personnel effort. However, companies must be able to guarantee the availability of personal data: According to Article 32 (1) (b) GDPR, it must be possible to access this data at any time in the event of a physical or technical incident. This results in a legal obligation to create backups. The problem can only be solved by comprehensively and precisely defining the purposes of the data processing Right to be Forgotten Meaning.
The retention requirement must also be observe when dealing with e-mail. Among other thing, e-mails can be use to prepare and carry out commercial transaction and thus qualify as commercial letter. Section 257 (1) no. 2 of the German Commercial Code and section 147 (1) no. 2 of the General Tax Code standardize an orderly storage obligation. However, commercial law does not stipulate a specific storage format.