All companies must delete personal data regularly to comply with the GDPR; the regulation calls this the erasure of personal data. GDPR stands for the General Data Protection Regulation (EU) 2016/679. The general rule is that a company must delete personal data once they are no longer necessary for the purpose for which they were collected. There are exceptions to this rule. For example, other legislation may require the company to store the personal data for a certain period; in that case the continued storage is permitted and lawful.
Companies must delete personal data not only regularly, but also at the request of the data subject
A data subject has the right to ask a company to delete their personal data. This right is also called "the right to be forgotten". Data subjects can always submit a request for erasure to any company that processes their personal data.
The general rule under the GDPR is as follows. A company must delete personal data when they are no longer necessary to fulfil the purpose they were collected for. This is not the only case in which a company may have to delete personal data: it may also apply when the data subject requests erasure. In certain cases, however, the company has the right to continue the processing, even though the data subject has requested erasure.
Permitted retention and storage of personal data under GDPR
The GDPR does not specify how long a company may process personal data. Instead, the company acting as data controller must make that assessment itself, based on the circumstances of each individual case. When the retention period it has set expires, the company must erase the data. Companies must therefore delete or anonymize personal data regularly to comply with the GDPR.
The starting point is that a company may process personal data for as long as necessary to fulfil the purpose for which they were collected. Other laws, such as accounting law or employment law, may however require the company to retain certain personal data for a set number of years. In such cases the company must keep the personal data, or the documentation in which they appear, for that period. For example, a company must store invoices containing personal data for the time required by accounting law, and only then delete them.
Anonymized personal data is not covered by the GDPR
The company does not always have to delete personal data when they are no longer necessary for the purpose. Instead, it can anonymize the data. Once anonymized, the data no longer constitute "personal data" but merely "data", so the GDPR does not apply to anonymized data.
Personal data are considered anonymized when it is no longer possible to link them to a specific living natural person, whether directly or indirectly, on their own or in combination with other data. The test is whether anyone, not only the company, could re-identify the person with reasonable effort.
Keep in mind that anonymization and pseudonymization are not the same thing. Pseudonymized personal data (for example, a name replaced by a token that a separately held key can map back to the person) still constitute personal data under the GDPR and remain subject to the regulation.
Even after the original purpose has been fulfilled, or after a data subject has requested erasure, companies may continue to process personal data for:
- Archiving in the public interest.
- A research purpose that is either historical or scientific.
- Statistical purposes.
Note that the company must implement appropriate safeguards for the personal data processed for these purposes, such as data minimization and, where the purpose allows it, pseudonymization or anonymization.
Establish internal procedures for the correct and regular deletion of personal data
To ensure that the company deletes personal data regularly and can satisfy the right to erasure when a data subject requests it, the company should establish internal procedures. These should describe, for example, how an employee handles a request from a data subject to delete their personal data, including how to check whether a legal retention obligation prevents deletion. The company should also set fixed dates or intervals during the year at which employees delete personal data from the various storage locations: email inboxes and sent folders, recycle bins, file shares, backups and so on.
It is also worth reviewing the settings of the systems the company uses, for example to configure automatic deletion of old file copies, inactive user accounts and similar data once the retention period has passed.
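The following is an added illustration, not code from the article, of how such a scheduled retention sweep can be expressed: each record category carries an assumed retention period, a flag for whether another law requires the full period (so an erasure request is refused until expiry), and a flag for whether expired records are anonymized for statistics instead of deleted. The category names, periods (including the 7-year invoice period standing in for an accounting law), the `Record` fields and the sample records are all assumptions made for the example. It also contrasts anonymization (identifiers stripped, date coarsened to the year) with keyed pseudonymization, which remains personal data because the key holder can re-identify the person.

```python
"""Retention sweep: decide per record whether to keep, erase, anonymize or
retain under a legal obligation. Illustrative code, not from the article."""
from dataclasses import dataclass, replace
from datetime import date
import hashlib
import hmac


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    name: str
    email: str
    erasure_requested: bool = False  # data subject invoked the right to erasure
    anonymized: bool = False         # identifiers already stripped irreversibly


@dataclass(frozen=True)
class RetentionRule:
    years: int                 # retention period counted from collection
    legal_obligation: bool     # another law requires storage for the full period
    keep_for_statistics: bool  # after expiry, anonymize instead of deleting


# Assumed rules for illustration only. The GDPR sets no periods; the controller
# decides them case by case, and the 7-year invoice period stands in for a
# national accounting law.
RULES = {
    "invoice": RetentionRule(7, legal_obligation=True, keep_for_statistics=False),
    "newsletter": RetentionRule(2, legal_obligation=False, keep_for_statistics=True),
    "job_application": RetentionRule(2, legal_obligation=False, keep_for_statistics=False),
}


def add_years(d: date, years: int) -> date:
    """Retention expiry date; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, today: date) -> str:
    if record.anonymized:
        return "keep"  # no longer personal data, so outside the GDPR's scope
    rule = RULES[record.category]
    expired = today >= add_years(record.collected_on, rule.years)
    if not expired and not record.erasure_requested:
        return "keep"
    if not expired and rule.legal_obligation:
        # Erasure request refused for now: the other law overrides it until expiry.
        return "retain_legal_obligation"
    return "anonymize" if rule.keep_for_statistics else "erase"


def anonymize(record: Record) -> Record:
    """Strip every identifier and coarsen the date to the year, leaving data
    that cannot be linked back to the person, directly or in combination."""
    return replace(record, name="", email="",
                   collected_on=record.collected_on.replace(month=1, day=1),
                   anonymized=True)


def pseudonymize_email(email: str, key: bytes) -> str:
    """Keyed hash of the address. Anyone holding `key` can recompute the token
    for a known address and re-identify the person, so the result is still
    personal data under the GDPR (contrast with anonymize above)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def run_sweep(records, today: date):
    """Return (action per record_id, records that survive the sweep)."""
    actions, kept = {}, []
    for r in records:
        action = decide(r, today)
        actions[r.record_id] = action
        if action == "anonymize":
            kept.append(anonymize(r))
        elif action != "erase":
            kept.append(r)
    return actions, kept


# Constructed sample data, evaluated as of a fixed date so results are reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("i1", "invoice", date(2019, 3, 10), "Anna", "anna@example.com", erasure_requested=True),
    Record("i2", "invoice", date(2016, 3, 10), "Ben", "ben@example.com"),
    Record("n1", "newsletter", date(2021, 1, 15), "Cara", "cara@example.com"),
    Record("n2", "newsletter", date(2020, 2, 29), "Dan", "dan@example.com"),
    Record("j1", "job_application", date(2023, 9, 1), "Eve", "eve@example.com"),
    Record("j2", "job_application", date(2023, 9, 1), "Finn", "finn@example.com", erasure_requested=True),
]

if __name__ == "__main__":
    actions, kept = run_sweep(SAMPLE_RECORDS, SAMPLE_TODAY)
    for rid, action in actions.items():
        print(f"{rid}: {action}")
    print("surviving records:", [(r.record_id, r.email or "<anonymized>") for r in kept])
```

Running the sweep on the sample keeps the invoice whose erasure request is blocked by the assumed accounting period, erases the expired invoice and the job application whose applicant asked for erasure, anonymizes the two expired newsletter subscriptions, and leaves the recent application untouched. A second run over the survivors changes nothing further, which is the property a scheduled job needs: rerunning it is safe, and the refused request is re-evaluated automatically once the legal retention period has passed.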
To summarize: companies must delete personal data regularly to comply with the GDPR. A company must also delete personal data at the data subject's request, unless an exception to this general rule applies. In some cases a company may continue to store personal data even though the data subject has invoked the right to be forgotten; the most common example is where other laws or regulations require the data to be retained.