
Data destruction according to the GDPR


Personal records - data protection also applies to waste disposal

The 2018 EU General Data Protection Regulation presents companies with both major challenges and opportunities. Demonstrating clear respect for personal data can be a considerable image booster, giving customers and suppliers peace of mind. However, some areas within companies are often overlooked even though they matter greatly for data protection. One such area is the proper handling and secure destruction of documents containing personal data.

Improper disposal or destruction of documents and storage media can lead to alarming incidents that make headlines. For instance, a Berlin social counseling service discarded reports containing sensitive personal data related to mental illnesses and care needs in regular waste bins. Similarly, used hard drives from public authorities were found available for sale on online platforms, potentially containing highly sensitive data.

These incidents have severe consequences, including a significant loss of trust and the possibility of facing sanctions!

Personal records - companies must pay attention to this

The new General Data Protection Regulation (GDPR; DSGVO in German) regulates the handling of data and information containing personal data. The collection, storage and further use of data are subject to rules, and disregarding them can result in fines and a loss of image. Compliance with the GDPR is not only crucial for day-to-day business operations; it also covers the proper deletion and destruction of data. The regulation applies to both electronic and physical data: paper documents that contain personal information must be securely disposed of just as digital data must be securely deleted.

What are the requirements for document destruction?

The destruction of documents in companies is subject to the security levels of DIN 66399. For the company, this means that a standard prescribes how documents are to be shredded and thus provides legal certainty. The security level of a shredder is determined by the maximum size of the shredded particles, which must meet the requirements set forth by the GDPR. Document shredders typically indicate the DIN security level they achieve. These security levels also specify the type of data involved and how it should be handled. There are three defined levels: the first level pertains to general data, while level three corresponds to classified or sensitive data.

The GDPR draws the following distinctions between the levels:

  • Level 1 - internal company data (product overviews, flyers...)
  • Level 2 - confidential data (personnel data, accounting records, tax records, balance sheets...)
  • Level 3 - secret data (patient data, health data, research information...)

If documents of security level 3 are to be destroyed, it must be ensured that the documents cannot be reconstructed, or can only be reconstructed with considerable effort.

What role does a data protection officer play in document destruction?

If more than nine employees are employed in a company and have access to personal data, an internal or external data protection officer must be appointed. The data protection officer has the task of ensuring that documents are destroyed properly and in compliance with the law. The data protection officer must decide whether to commission an external service provider to carry out legally compliant document destruction or whether all prescribed processes are adhered to internally.

The external disposal of files

Engaging a professional service provider offers several advantages for companies, particularly in ensuring lawful and compliant destruction of files in accordance with data protection regulations. The use of an external service provider eliminates the need for expensive investments in specialized document shredders, especially for the disposal of highly sensitive data.

Employees will also welcome the use of an external service provider, because such providers offer consulting services, so unclear cases can be resolved quickly without lengthy internal procedures. This support is particularly helpful when it comes to classifying documents into the various security levels. At the same time, files can be handed over in their original form, eliminating the tedious removal of individual sheets from their folders.

Destruction of digital storage media

Companies use a variety of storage media, and these often contain sensitive data. Examples of such media include USB sticks, DVDs, CDs, hard drives, and smartphones.

It is important to note that some printers are also capable of storing personal data, which must be properly deleted!

Storage media holding sensitive data are often no longer in use and need to be disposed of. Simply deleting the data is insufficient, as skilled computer professionals can potentially recover deleted data and gain unauthorized access to personal information. Therefore, complete destruction of the storage media is necessary. This can be achieved by using a shredder with an appropriate security level for data media. Alternatively, engaging a professional service provider that follows the guidelines of DIN 66399 for data media destruction offers a secure and reliable solution.

Deleting personal data - the implementation

If a consumer demands that a company delete his or her personal data, the company must take a number of steps to ensure that the process is legally compliant. If no deletion concept is in place, this can result in fines and a loss of image.

  • Without a concept, the wrong data may be deleted.
  • Erroneous deletion of data used in multiple systems can break links between records and compromise data quality.
  • Failure to carry out the requested deletion may lead to fines.
  • Deleting documents that are still subject to statutory retention periods can have serious consequences.

For these reasons, a company should delete personal data according to a data protection-compliant concept.

A data protection-compliant deletion process involves the following essential steps:

  • Complete identification of all processing of personal data is essential.
  • Proper documentation of all data and categories, including their retention periods, is necessary for a thorough deletion process. Without this foundation, secure data erasure is impossible.
  • Identification of all systems and interfaces involved is crucial for an accurate deletion process. This step is often underestimated, but given the complex IT systems in companies and authorities it should be regarded as a demanding task.
  • Proof of completed deletion must be available to ensure a successful and legally secure deletion process.
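As an added illustration (not part of the original article), the following Python sketch walks one erasure request through the four steps above, using an in-memory stand-in for a company's systems; the inventory, retention periods, system names and records are constructed, hypothetical values.

```python
from datetime import date

# Constructed inventory with hypothetical values: for each data category, the statutory
# retention period in years and the systems that hold it. An incomplete inventory is
# exactly what makes secure erasure impossible.
RETENTION_YEARS = {"newsletter_profile": 0, "invoice": 10}
HOLDING_SYSTEMS = {"newsletter_profile": {"crm", "mailing"}, "invoice": {"erp", "archive"}}

def retention_expired(created: str, category: str, today: str) -> bool:
    """True once the record may be erased. Assumption: the period runs from the end of
    the calendar year in which the record was created (common for accounting records)."""
    years = RETENTION_YEARS[category]
    if years == 0:
        return True
    return date.fromisoformat(today).year > date.fromisoformat(created).year + years

def handle_deletion_request(subject_id: str, systems: dict, today: str) -> dict:
    """Apply one erasure request to every system (modified in place) and return a
    proof-of-deletion record. systems: {system_name: [record, ...]} where a record is a
    dict with the keys 'subject', 'category' and 'created' (ISO date)."""
    proof = {"subject": subject_id, "date": today, "deleted": [], "retained": [], "unreachable": []}
    # Step 1: every system the inventory names must be reachable; otherwise the
    # deletion is incomplete and the proof is worthless.
    for category, holders in HOLDING_SYSTEMS.items():
        for system in sorted(holders - set(systems)):
            proof["unreachable"].append((category, system))
    # Step 2: erase only where the retention period has expired; a record still under
    # statutory retention is kept and the reason is documented.
    for name, records in systems.items():
        kept = []
        for rec in records:
            if rec["subject"] != subject_id:
                kept.append(rec)
            elif retention_expired(rec["created"], rec["category"], today):
                proof["deleted"].append((rec["category"], name))
            else:
                kept.append(rec)
                proof["retained"].append((rec["category"], name))
        systems[name] = kept
    # Step 3: verify that no erasable record of the subject survived anywhere.
    leftovers = [(r["category"], n) for n, recs in systems.items() for r in recs
                 if r["subject"] == subject_id and (r["category"], n) not in proof["retained"]]
    proof["complete"] = not proof["unreachable"] and not leftovers
    return proof

def sample_systems() -> dict:
    """Constructed sample data: subject s1 has a newsletter profile in two systems and a
    2020 invoice that must still be retained; s2 is another data subject."""
    nl = {"category": "newsletter_profile", "created": "2023-05-01"}
    return {"crm": [dict(nl, subject="s1")],
            "mailing": [dict(nl, subject="s1"), dict(nl, subject="s2")],
            "erp": [{"subject": "s1", "category": "invoice", "created": "2020-03-03"}],
            "archive": []}
```

Running `handle_deletion_request("s1", sample_systems(), "2024-01-15")` erases the newsletter profile from both systems, keeps the invoice under retention, and marks the request complete; omitting a system named in the inventory makes the proof report it as unreachable and the request incomplete.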
