Deletion of data according to the GDPR (The Commissioner for Data Protection in the German federal state of Bavaria has published a guideline for German companies).
The GDPR contains a deletion obligation for data controllers in Art. 17 GDPR.
However, implementation is extremely complicated for companies and poses great challenges in practice, as Art. 17 GDPR contains only abstract requirements. Recital No. 39 of the GDPR states only that the retention period for personal data should be limited to the minimum necessary. The GDPR does not contain any concrete rules or maximum limits for the duration of the storage of personal data; it is linked solely to the criterion of necessity and thus to a consideration of the individual case (OLG München, decision of 19.08.2022 - 36 U 3907/22).
This causes a major problem for companies, as they are generally not in a position to legally assess how long they may store the respective data. However, the correct implementation of the deletion obligation is a focus of the German supervisory authorities, which is particularly evident from the fact that they have been imposing high fines on companies since the enactment of a new fine model (see our article: https://www.skwschwarz.de/en/details/new-fine-model-published).
The Commissioner for Data Protection in the German federal state of Bavaria has therefore prepared guidance on the right to deletion under the General Data Protection Regulation, explaining the right to deletion of personal data based on Article 17 of the GDPR. The guidance is available here (German only): https://www.datenschutz-bayern.de/presse/20220620_Recht_auf_Loeschung.html
However, in terms of scope and depth of content, the guidance is more of a commentary on Art. 17 GDPR. As such, it still does not conclusively clarify how a deletion concept is to be structured or implemented in concrete terms. Companies are therefore still faced with the major question of what a legally compliant implementation of a deletion concept must look like in order to avoid becoming the addressee of high penalty notices.
SKW Schwarz has been successfully advising numerous companies of all sizes on the implementation and realization of deletion concepts for many years. Feel free to contact us at any time regarding the implementation of deletion concepts!
Author: Marwah Kamal, Associate