Written procedures
Procedures for erasure of personal data
It is important that companies have written procedures for the erasure of personal data, to ensure that the erasure takes place in a timely and correct manner.
What is the erasure of personal data?
Erasure of personal data means that the company deletes the personal data or, alternatively, anonymises them. The basic data protection principle of storage limitation (Article 5(1)(e) GDPR) means that personal data may not be kept in identifiable form for longer than necessary for the purpose. This is the main reason why companies must erase personal data once it is no longer necessary to process it.
Companies should have different written procedures
It is important for companies to be able to demonstrate that they comply with the GDPR in practice, as this is required by the principle of accountability in Article 5(2) GDPR. For example, companies need to have certain written GDPR-related agreements and documents. Written procedures are an effective way to ensure that the company's employees actually follow the GDPR rules in their day-to-day work. Procedures should answer these four questions:
- What: What employees should do.
- When: When employees do it.
- How: How the employees will do it.
- Who: Who in the company is going to do what.
The exact procedures that companies need or that may be appropriate vary
The exact procedures that can be good for companies to have vary from case to case. The more employees and departments the company has, the more procedures are usually appropriate to establish. Examples of other procedures that may be appropriate for companies to have are procedures for:
- Fulfilling data subjects' rights upon request
- Onboarding and offboarding of employees
- Sharing data internally between employees
- Obtaining and withdrawing consent
- Social media management and photography
Erasure of personal data when it is no longer needed for the purpose
Companies shall erase personal data when the company no longer needs it for the purpose for which it was collected. Please note, however, that there may be laws that require further processing. In some cases, companies must continue to process personal data because of a legal obligation to which the company is subject, that is, because a law requires the processing. For example, companies need to keep invoices and receipts for a certain number of years under national accounting law.
Businesses must, among other things:
- Erase personal data when it is no longer needed for the purpose, unless there is a legal obligation that requires continued processing.
- Be able to show when and how the erasure of personal data takes place. It is therefore good to have written procedures for erasure and to log every completed erasure.
Erasure of processed personal data can reduce possible consequences in the event of personal data breaches
The less personal data a company processes, the smaller the possible consequences of a personal data breach: data that has already been erased cannot be leaked, altered or held to ransom.
What can a procedure for erasure of personal data contain?

Identifying personal data
It is important first of all to identify where all the personal data that is processed is located, so that it can then be removed from every storage site. For example, which systems, databases, digital folders and the like contain personal data. Copies are easily overlooked: backups, log files, exports, e-mail attachments and test environments often hold the same personal data as the primary system and need to be covered by the same procedure.

Deadlines
Personal data must be erased regularly, and it is therefore good to specify concrete deadlines in the procedures, for example "the last Friday of each quarter". Please note that if a data subject requests the erasure of his or her personal data that the company processes, the erasure must take place without undue delay; Article 12(3) GDPR requires the company to act on such a request within one month, extendable only in complex cases.

Distribution of roles
It is important to specify who will erase which personal data from which systems. If it is unclear, the risk of erasure not occurring increases. For example, a specific employee should be responsible for erasing personal data from the financial system, the company's general e-mail address for external communication, etc.

How the erasure is to take place
Erasure of personal data does not necessarily mean that the company deletes the personal data. In some cases, the company may anonymise them instead. Personal data that has been anonymised is no longer covered by the GDPR, because the data subject can no longer be identified. Pseudonymised data (for example data where the name has been replaced by a customer number that can be linked back to the person) is still personal data and is still covered. It is good for the procedures to clarify how the erasure is to be done correctly and securely, for example whether deletion from a database also removes the data from backups, and after how long.

Documentation
The erasure of personal data should be documented, so that the company can demonstrate compliance with the GDPR in practice, for example in an erasure protocol or an erasure logbook. A useful entry records what was erased (or anonymised), from which system, when, by whom and on what basis, and also why a record was kept when a legal obligation prevented erasure.
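The five elements above (identified storage sites, deadlines, roles, delete-or-anonymise, documentation) can be turned into a small scheduled erasure job. The following is an added example written for this page, not a tool from the original text or from any particular product. The retention periods, system names, record categories and the sample records are all constructed for illustration; in particular the seven-year accounting period is an assumed figure standing in for whatever the national accounting law actually requires.

```python
"""Retention-driven erasure job with an erasure log (illustrative, constructed example)."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta        # how long after the purpose ended the data may still be kept
    action: str                # "delete" or "anonymise"
    legal_obligation: bool     # True when a law requires retention (blocks erasure requests)
    basis: str                 # recorded in the erasure log


# Assumed policy. Periods are illustrative, not legal advice.
POLICY = {
    "customer_account": RetentionRule(timedelta(days=0), "delete", False, "purpose ended"),
    "invoice": RetentionRule(timedelta(days=7 * 365), "delete", True,
                             "national accounting law (assumed 7 years)"),
    "web_analytics": RetentionRule(timedelta(days=90), "anonymise", False,
                                   "statistics need no identifiable data"),
}


@dataclass
class Record:
    record_id: str
    system: str                        # storage site identified in step 1
    category: str                      # selects the retention rule
    fields: dict = field(default_factory=dict)
    purpose_ended: Optional[date] = None   # None while the purpose is still active
    erasure_requested: bool = False        # data subject asked for erasure (Art. 17)


@dataclass(frozen=True)
class LogEntry:
    when: date
    record_id: str
    system: str
    action: str          # "deleted", "anonymised" or "retained"
    basis: str
    performed_by: str    # the responsible role from step 3


def anonymise(rec: Record) -> Record:
    """Keep only the non-identifying fields the statistics purpose needs."""
    kept = {k: v for k, v in rec.fields.items() if k in ("country", "page_views")}
    return replace(rec, fields=kept)


def run_erasure(records, policy, today, performed_by):
    """Apply the policy to all records; return (records still held, erasure log)."""
    retained, log = [], []

    def note(rec, action, basis):
        log.append(LogEntry(today, rec.record_id, rec.system, action, basis, performed_by))

    for rec in records:
        rule = policy.get(rec.category)
        if rule is None:                       # unknown data must not silently slip through
            raise ValueError(f"no retention rule for category {rec.category!r}")
        purpose_over = rec.purpose_ended is not None
        period_expired = purpose_over and today >= rec.purpose_ended + rule.keep_for
        # An erasure request is acted on at once unless a law requires retention.
        due = period_expired or (rec.erasure_requested and not rule.legal_obligation)
        if not due:
            retained.append(rec)
            if purpose_over or rec.erasure_requested:   # document why it was kept
                note(rec, "retained", rule.basis)
            continue
        if rule.action == "anonymise":
            retained.append(anonymise(rec))
            note(rec, "anonymised", rule.basis)
        else:
            note(rec, "deleted", "erasure request (Art. 17)" if rec.erasure_requested else rule.basis)
    return retained, log


# Constructed sample data spanning every outcome the job can produce.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "crm", "customer_account", {"name": "A. Andersson"}, purpose_ended=date(2024, 1, 15)),
    Record("r2", "finance", "invoice", {"name": "A. Andersson", "amount": 120}, purpose_ended=date(2023, 3, 1)),
    Record("r3", "analytics", "web_analytics", {"ip": "198.51.100.7", "country": "SE", "page_views": 12},
           purpose_ended=date(2024, 1, 1)),
    Record("r4", "crm", "customer_account", {"name": "B. Berg"}, erasure_requested=True),
    Record("r5", "finance", "invoice", {"name": "B. Berg", "amount": 80}, erasure_requested=True),
    Record("r6", "crm", "customer_account", {"name": "C. Carlsson"}),   # purpose still active
]

if __name__ == "__main__":
    remaining, erasure_log = run_erasure(SAMPLE_RECORDS, POLICY, TODAY, "finance-admin")
    for entry in erasure_log:
        print(entry)
    print("still held:", [r.record_id for r in remaining])
```

The job refuses to run over a category without a rule, which is the coding equivalent of step 1: data that was never inventoried is the data most likely to be kept forever. Every record whose purpose has ended produces a log entry even when it is kept, so the log can show an auditor both that erasure happened and why, in the accounting-law case, it did not.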
Learn more
Procedures to comply with data subject rights
Data subjects have a number of rights under the GDPR that companies need to be able to fulfil upon request. To ensure that this is done correctly, for example within the statutory deadlines, it is good to have written procedures. It is also important that the right people have access to the procedures. For example, customer service employees usually receive the questions about erasure or rectification of data subjects' personal data, so it is good if they have a procedure telling them how to proceed.