Data destruction according to the GDPR


Old job applications in the bin, dusty databases or forgotten cloud backups - when it comes to data destruction, many companies overlook the importance of handling personal data “correctly”. According to the GDPR, data may only be stored for as long as it is actually needed - after which it must be deleted or destroyed. But what does this mean in concrete terms?
In this article, you will find out when data destruction is necessary, which methods are GDPR-compliant and which mistakes you should avoid at all costs. With practical tips, a checklist and information on deletion concepts, you will be well prepared - both digitally and in analog form.
What happens to your data when it is “gone”?
Whether it's customer data on an old laptop, application documents in the recycle bin or cloud backups - data is stored quickly, but the “right” way to delete it is often forgotten. It's not just about tidiness or storage space. If personal data is deleted incompletely or improperly, you risk serious data protection violations.
The GDPR stipulates that personal data may only be stored for as long as it is required for a legitimate purpose. As soon as this purpose no longer applies, the data must be deleted or destroyed - in compliance with the GDPR, in a traceable and verifiable manner.
However, many companies fail at precisely this point: backups are not taken into account, paper files remain in the archive or outdated databases are ignored. Yet data destruction is a central component of a functioning data protection management system.
What does the GDPR say about data destruction?
The General Data Protection Regulation (GDPR) obliges companies to minimize data and limit storage (Art. 5 para. 1 GDPR). As soon as data is no longer required for its original purpose, it must be deleted - securely.
Right to erasure (Art. 17 GDPR):
Data subjects have the right to request the erasure of their data if:
- the purpose of the processing no longer applies,
- consent has been withdrawn,
- data has been processed unlawfully,
- or there is a legal obligation to erase.
Important terms explained simply and briefly
- Deletion: Data can no longer be found or reconstructed.
- Destruction: Data is physically or technically destroyed in such a way that it can no longer be recovered (e.g. by shredding or secure erasure software).
- Anonymization: Data is changed in such a way that it can no longer be assigned to a person.
Deletion alone is often not enough - destruction is necessary for particularly sensitive data or physical carriers.
When does data have to be destroyed?
There are various situations in which the GDPR requires the complete erasure or destruction of personal data. The most important ones are explained in detail here:
1. After expiry of statutory retention periods
Much data, especially accounting data, must be stored for a certain period of time for tax or commercial law reasons (e.g. 6 or 10 years). Once these periods have expired, not only is there no longer an obligation to store the data - there is even an obligation to delete it. If the data continues to be stored, this is a violation of the GDPR.
2. Withdrawal of consent
If a data subject has given their consent to the processing of personal data, they can withdraw this at any time. From this point on, the data may no longer be processed and must be deleted or destroyed unless there is another legal basis.
3. If the purpose no longer applies
If the data has fulfilled its original purpose, e.g. after completion of a project or an application, its storage is no longer justified. It must therefore be deleted or destroyed. Good data management ensures that such cases are regularly identified and processed automatically.
4. In the event of a successful request for information or request for deletion
Data subjects have the right to request information about their stored data and to request its deletion (Art. 15 and 17 GDPR). If this request is granted, companies must delete or destroy the data concerned completely and securely - including from backups, if technically possible.
5. When changing the data processing service provider
If a cloud service, HR software or other external provider is changed, personal data must be deleted or destroyed by the previous service provider. Important: This should be regulated in the data processing agreement (DPA) and also documented in a verifiable manner.
GDPR-compliant methods for data destruction
1. Physical carriers (paper, USB, hard disks):
- Shredding according to DIN 66399
- Demagnetization
- Thermal destruction
2. Digital data:
- Secure deletion software (e.g. according to BSI standards)
- Complete deletion of backups
- No simple "deletion" via recycle bin or formatting
3. Cloud services & external providers:
- Contractual regulations for data erasure (data processing agreement, DPA)
- Select GDPR-compliant providers
Common mistakes in practice
1. "Delete" without true irretrievability
Many companies rely on simply pressing the "delete" button or moving files to the recycle bin. But such methods are not enough to destroy data in compliance with the GDPR. In many cases, data can be restored with little effort - a real risk in the event of data breaches or audits.
2. No documentation of the erasure process
The GDPR requires companies to make the handling of personal data traceable. Without comprehensible documentation of when, how and by whom data was deleted, there is no proof of compliance in case of doubt - a frequent point of criticism in data protection audits.
3. Data residues in backups or shadow IT
Backups are often forgotten - even though personal data is also stored there. If data is deleted in the live system but remains in backup copies or uncontrolled systems (e.g. Excel lists on private devices), this is a violation of the storage limitation principle of the GDPR.
4. No clearly defined erasure concept
Without structured processes and responsibilities for data erasure, there are gaps in data protection management. A deletion concept defines standards, responsibilities and deletion deadlines - if this is missing, data destruction quickly becomes a gray area in the company.
Deletion concept & documentation: Why this is so important
The GDPR requires traceability and verifiability. You should therefore document:
- Which data was deleted and when
- Which methods were used
- Who is responsible
- Whether deadlines were met
A deletion concept helps you to systematically implement all requirements.
Checklist: 5 steps to GDPR-compliant data destruction
- Take stock of your data: Which personal data is available where?
- Check retention periods: Which data may/must be destroyed?
- Select a suitable method: Paper, hard disk or cloud?
- Document deletion: Time, method, person responsible
- Check regularly: Is your erasure concept up to date and effective?
FAQ on data destruction in accordance with the GDPR
What happens if I don't destroy the data in time?
You risk fines and warnings, especially in the event of security incidents or requests for information.
Is it enough to simply delete data?
No. In many cases, data must also be made technically or physically inaccessible (destruction).
What is a deletion concept?
A deletion concept is a documented plan of how, when and by whom data is destroyed in compliance with the GDPR.
How often do I have to delete data?
Regularly - ideally through automatic deletion deadlines and internal audits.
Can heyData support me with the implementation?
Yes. From analysis and tools to erasure, we will guide you through the entire process in a legally compliant manner.