Protect your data and comply with the GDPR!
Deletion concept according to GDPR
The GDPR deletion concept strengthens user trust and data security by prescribing clear deadlines and rights for data deletion. It restricts data collection by companies through precise deletion guidelines. heyData supports you in creating a reliable and lawful deletion concept.
Table of Contents
A deletion concept is a systematic procedure for removing personal data from an organization's records once the required retention period has expired.
To comply with data protection regulations, organizations must establish an internal data deletion plan. This plan should include specific time periods for the deletion of different types of personal information and regular reviews to ensure that data deletion is justified. All deletion periods must be clearly documented in the company's records.
- Individual right: The GDPR gives individuals the right to ask organizations to delete their personal data under certain conditions.
- Conditions for deletion: Organizations must delete personal data if:
- they are no longer necessary for the original purpose of the collection
- the data subject withdraws consent.
- unlawful processing of the data has taken place.
- legal obligations require the deletion of data.
- data has been collected from a child without appropriate parental consent.
- Exceptions: There are cases in which organizations are not obliged to delete data, for example if it is needed for legal purposes, to exercise the right to freedom of expression or for reasons of public health. As set out in Article 17 of the GDPR.
- Retention obligation: Another exception is when retention obligations apply. In these cases, the organization is not obliged to delete the data as soon as it is no longer needed for the purposes of processing, but only when the retention period has expired. An example: In Germany, tax-relevant documents must be retained by an organization for up to 10 years.
- Responsibility: Organizations have a responsibility to set up processes to respond quickly to deletion requests.
- Data minimization: The GDPR encourages organizations to collect and store only the data necessary for the intended purpose in order to reduce the need for subsequent deletion.
The right to deletion strengthens individuals' control over their data and protects companies from data breaches. Genuine erasure helps to comply with data protection regulations and maintain user trust.
We know that implementing an effective deletion policy can be a challenge, especially for companies facing an ever-evolving data protection landscape. Our experts are available to provide advice and guidance to ensure your business not only remains compliant, but secure.
Our approach at heyData
We support our clients by developing a retention and deletion process where we:
- identify the standard procedures for archiving and retention periods
- determine and map the relevant data categories and data objects
- define a customized implementation process
Let's create or optimize your data deletion concept together.
Hear it From Our Customers
"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."
Markus Schobert
Head of Customer Service at BRZ Gruppe
"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."
Leonard von Kleist
CTO & Co-Founder at Hive Technologies GmbH
"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."
Jan Stephan
Head of Legal Affairs at Learnship
"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."
Roman Georgi
Director Of Customer Support at AMBOSS
“What sets heyData apart is its responsiveness and rapid implementation.”
Sandra Scherzer
Legal department at Bioland
"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."
Nikolai
CTO at Instaffo GmbH
Frequently asked questions
A deletion concept under the GDPR is a systematic plan that defines how personal data that is no longer required or whose retention period has expired is deleted securely and in compliance with data protection regulations. It ensures that data is only stored for as long as necessary and supports compliance with the data protection principles of the GDPR.
An erasure period is simply the period of time set for the final deletion of certain types of data or personal information. This period is determined by the start of data processing and the specified retention period. Legal obligations for certain types of data can also contribute to the definition of deletion periods.
In order to fulfill documentation and accountability obligations, it is crucial to regularly review and update the deletion concept. Regular reviews ensure that the deadlines for deleting personal data are not only met, but also remain up to date.
Inadequate data processing in your company in accordance with GDPR standards can have serious consequences. Initial non-compliance may result in a warning, but if the inadequate practices continue, it can lead to more serious consequences, including possible reprimands, temporary or permanent bans on data processing and significant financial penalties of up to €20 million or 4% of the company's annual global turnover.
An effective deletion concept includes identifying all personal data that your company processes, defining retention periods based on legal requirements and the purpose of the processing, and implementing secure deletion procedures. Regular training for employees and the establishment of procedures for reviewing and updating the concept are also important.
Yes, the GDPR stipulates that personal data must be securely erased in both digital and physical form. Digital data should be deleted in such a way that it cannot be recovered, and physical documents should be destroyed in such a way that the information is no longer readable.
Carefully review the request, identify all locations where the data in question is stored, and delete the data according to your deletion policy. Document the process and inform the requester that the deletion has been carried out.