Retention and deletion periods according to the GDPR

Companies collect vast amounts of data in their day-to-day operations, which they process, modify and store. The information collected is used to generate profits, which can benefit both companies and consumers: Companies can tailor their products to consumer preferences, and consumers benefit from tailored advertising and valuable products.

But it also gives companies a great deal of customer data that allows them to identify individuals. To limit the power associated with this knowledge and protect data subjects, the legislator provides not only retention periods but also deletion periods within which specific data and information must be destroyed.

For companies, this means effort and diligence, because those who delete data too early or too late risk substantial penalties. In this article we show which data types must be deleted and which retention periods apply.

The most important facts in brief
  • Data must be deleted when the purpose of the data processing has been fulfilled, which usually applies immediately. Data must also be deleted if data subjects revoke their consent.
  • There are retention periods, especially in tax or criminal law. It is explicitly prohibited to delete personal data before these retention periods expire.
  • Every data subject can consent to data processing and revoke that consent at any time. Revocation removes the company's right to retain the data unless there is another legal basis.

Deletion periods according to the GDPR

Even before the introduction of the GDPR, there were rules on deletion. “The right to be forgotten” – as the Federal Constitutional Court once put it – was already found in the German Data Protection Act before. Nevertheless, the GDPR has brought some innovations because it unifies the regulations on data protection at the EU level.

According to the GDPR, there are two reasons for deleting the collected data (Article 17 GDPR):

First, when data subjects revoke their consent to the collection and storage of data and thus request that the data be deleted. The data subject can also demand deletion if one of the grounds for erasure under the GDPR applies. For data to be collected in the first place, the consent of the persons concerned is required.

On the other hand, deletion must always occur when the data processing and storage purpose has been fulfilled or ceased to exist (Article 5 GDPR). Example: In a medical institution, data may only be stored for as long as it is necessary to treat patients.

In some cases, however, this conflicts with the statutory retention periods (more on this below). Company audits are one example: paid and booked invoices are no longer required for processing but must be retained for the audit.

Therefore, the reason why data is still needed must be known in order to comply with deletion deadlines. In the case of invoices, for example, it is not only a question of whether they have already been paid. In case of doubt, guarantee or warranty periods must also be observed.

In addition to the necessity, companies must also be aware of the relevant retention periods that may prevent deletion. Companies should also always be sure of the storage locations and media so that data is not lost and deletion can occur properly.

What are deletion periods? Deletion periods are specific time windows after which the collected data must be deleted again. Thus, deletion periods for different data types can result from various legal requirements, such as the GDPR and other laws and standards.

Overview of GDPR deletion periods

The legislator has stipulated that the deletion periods should also be written down in the record of processing activities. This should provide a better overview and help to maintain compliance with the defined deadlines.

There is no one-size-fits-all answer as to when data must be deleted. In contract law, for example, it is advisable to be guided by the relevant limitation periods. The current statute of limitations is 3 years (§ 195 BGB) and begins to run at the end of the year the claim arose.

An example: If a claim arises in January 2022, the limitation period begins to run on 01.01.2023 and ends on 01.01.2026.

Caution: There are other statutes of limitations in the German Civil Code – for example, for tort claims. Here, limitation periods can extend to up to 30 years. Therefore, use the statute of limitations only as a guideline and not as an absolute.

In case of doubt, exceptions may apply. For example, if the purpose of the processing has not yet ceased. This means: under certain circumstances, data may be stored longer if necessary for the assertion, exercise, or defense of legal claims.

However, this always requires weighing interests in the individual case. Companies must always ask themselves how likely the claims will be asserted and what interests on the part of the data subjects are opposed to this.

Important: To prove that proper deletion has occurred, you should always carefully document the deletions. Our data protection software helps you to create protocols.

What is a deletion concept?

The strict requirements of the GDPR and the complex regulations, exceptions, and individual cases are challenging to realize and implement without a deletion concept. A deletion concept regulates when and how the personal data collected in a company should be deleted. A deletion concept helps to define a separate legally compliant framework for data processing.

The deletion concept is closely linked to the record of processing activities:

  • First, it must be determined where personal data is collected and processed in the company.
  • In addition, who is responsible for this data processing must be clarified.
  • Besides the various systems used internally in a company, it is essential not to forget to include external service providers’ data collection and processing in this record.
  • Once an overview of the totality of data and processing has been created, the various data must be categorized. For example, data on health, religion, or political attitudes are different categories for which there are different regulations.
  • Once categories have been defined and the individual data sets are assigned to them, deletion rules should be created. Deletion rules define the start time of the deletion period and its length for each data category. Exceptions can also be formulated, which the responsible parties take into account in their work.

What are the penalties for improper deletion?

Anyone who does not delete data on time commits a legal violation that can be punished with a fine. Fines range up to 20 million euros or 4% of the previous year's turnover of the entire group of companies, the usual EU amount.

Tips for data deletion

There are several tips you can take to heart in your business to ensure legitimate deletion:

  • The record of processing activities should be complete and include mandatory retention requirements.
  • Companies should clearly record which data is stored and processed where, in order to keep track of it.
  • There should be an internal deletion guideline or concept observed within different areas of the company.
  • Data protection officers should be able to monitor deletions and access the necessary areas.
  • Deletion deadlines should be respected.

With the Priverion premium features, we offer retention and deletion libraries. This allows you to load the applicable deadlines for over 150 countries quickly. Your IT administrators will always know which deletion deadlines to check by linking the systems. We will happily explain how the Priverion data protection platform facilitates deadline management during a demo appointment.

Retention periods according to GDPR

After the expiration of the deletion periods, no more than 6 months, and at most 12 months, should pass before the data is deleted. Irrespective of this, however, some retention periods supplement or contradict the general deletion periods.

Retention periods determine how long documents must or may be kept. This means that deletion periods can be pushed back or extended. 

Good to know:

Retention periods generally apply to persons who are required to keep accounts. In particular, tradespeople must comply with retention obligations under tax law (e.g., § 147 AO (Germany)) or commercial law (e.g., § 257 HGB (Germany)). Private individuals, on the other hand, are not affected by the retention periods but should retain important documents, receipts, and invoices (evidential documents) for several years.

What are GDPR retention periods?

Retaining certain business documents is mandatory over a certain period; this is regulated by the retention periods. As in the BGB, the period begins with the end of the calendar year in which the last entry was made.

The stipulated periods can, therefore, start to run again whenever entries have been added. The documents concerned include the following:

  • The most recent bookings
  • The inventory
  • The opening balance sheet
  • The annual accounts
  • The inventory report

In the case of business letters and accounting documents, the period begins at the end of the year in which they were received/sent, or created.

Regarding statutory periods, there is a distinction between 6-year and 10-year retention periods. Tax documents, for example, must be retained for 6 years, and annual financial statements and other balance sheet documents for 10 years.

This means that in 2022, those documents created or received by December 31, 2015 (6 years) or December 31, 2011 (10 years) must be destroyed.
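The deletion concept described above (categorize data, define a start time and a period per category, respect exceptions), the limitation-period example, and the year-end retention calculation can all be expressed as one small rule engine. The following is an added example written for this article; it is not code from the original page or from any vendor product. The category names, the per-category retention years and the sample records are constructed assumptions for illustration, and the 6-month target and 12-month hard deadline after the earliest permitted deletion date follow the article's "no more than 6, at most 12 months" guidance:

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed deletion rules: data category -> statutory retention in years.
# The categories and values are illustrative, not a legal reference table.
# 0 means "no statutory retention": only purpose and consent govern deletion.
RETENTION_YEARS = {
    "accounting_voucher": 10,
    "correspondence": 6,
    "delivery_bill": 6,
    "marketing_consent": 0,
}


def add_months(d: date, n: int) -> date:
    """Add n calendar months, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def retention_end(last_entry: date, years: int) -> Optional[date]:
    """Statutory retention runs from the end of the calendar year of the last entry."""
    if years == 0:
        return None
    return date(last_entry.year + years, 12, 31)


def limitation_period(claim_arose: date, years: int = 3) -> tuple:
    """Limitation period as the article computes it: starts on 1 January of the
    year after the claim arose and ends `years` later on the same date."""
    start = date(claim_arose.year + 1, 1, 1)
    return start, date(start.year + years, 1, 1)


@dataclass
class Record:
    record_id: str
    category: str
    last_entry: date                    # last booking/entry for this record
    purpose_ended: Optional[date]       # None while the processing purpose still applies
    consent_revoked: Optional[date] = None


@dataclass
class Decision:
    status: str                         # retain | blocked | delete | overdue
    earliest_deletion: Optional[date]   # first day on which deletion is permitted
    deletion_target: Optional[date]     # 6 months after earliest_deletion
    deletion_deadline: Optional[date]   # 12 months after earliest_deletion
    reason: str


def evaluate(rec: Record, today: date) -> Decision:
    """Apply the deletion rules to one record as of `today`."""
    triggers = [d for d in (rec.purpose_ended, rec.consent_revoked) if d is not None]
    if not triggers:
        return Decision("retain", None, None, None,
                        "processing purpose still applies and consent not revoked")
    trigger = min(triggers)
    ret_end = retention_end(rec.last_entry, RETENTION_YEARS[rec.category])
    # A statutory retention period overrides the deletion trigger: deletion
    # is prohibited until the retention period has expired.
    if ret_end is not None and ret_end >= trigger:
        earliest = ret_end + timedelta(days=1)
        reason = f"statutory retention period runs until {ret_end}"
    else:
        earliest = trigger
        reason = f"purpose ended or consent revoked on {trigger}"
    target, deadline = add_months(earliest, 6), add_months(earliest, 12)
    if today < earliest:
        status = "blocked"
    elif today > deadline:
        status = "overdue"
    else:
        status = "delete"
    return Decision(status, earliest, target, deadline, reason)


if __name__ == "__main__":
    # Constructed sample records; the dates are invented for the demonstration.
    today = date(2022, 5, 1)
    samples = [
        Record("INV-1", "accounting_voucher", date(2011, 3, 15), date(2012, 1, 10)),
        Record("LET-7", "correspondence", date(2019, 2, 1), date(2019, 6, 1)),
        Record("NL-3", "marketing_consent", date(2021, 1, 1), None, date(2022, 3, 1)),
        Record("CRM-2", "marketing_consent", date(2021, 1, 1), None),
    ]
    for rec in samples:
        d = evaluate(rec, today)
        print(f"{rec.record_id:6} {d.status:8} earliest={d.earliest_deletion} "
              f"deadline={d.deletion_deadline}  ({d.reason})")
```

The output of `evaluate` is what a deletion log should record for each data set: the rule that fired, the first permitted deletion date and the deadline, so that the deletion can later be documented as having occurred neither too early nor too late.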

GDPR: All retention periods at a glance

Depending on the document and the regulation, the retention periods differ, which makes correct deletion a real challenge.

Every year, the Chamber of Commerce and other institutions compile lists of the relevant documents and the current retention periods. Below we provide an overview of the most important documents and their retention periods:

Document type: retention period

Billing documents: 10 years
Assignment declarations: 6 years
Employee insurance: 10 years
Outgoing invoices: 10 years
Certificate of incapacity for work: 5 years
Retention regulations for company EDP documentation: 10 years
Bank documents: 10 years
Operating cost invoices: 10 years
Hospitality documents: 10 years
Accounting vouchers: 10 years
Standing order documents (after the expiry of the order): 10 years
Input descriptions for computerized accounting: 10 years
Export documents: 10 years
Travel expense reimbursement documents: 10 years
Annual reports: 10 years
Commercial books: 10 years
Main financial statement: 10 years
Financial statements with notes: 10 years
Cash reports: 10 years
Cash slips (as far as not accounting vouchers): 6 years
Bank statements: 10 years
Delivery bills: 6 years
Wage slips: 10 years
Rental documents: 10 years
Price lists: 6 years
Litigation files: 10 years
Receipts: 10 years
Correspondence: 6 years
Money orders: 10 years
Interim financial statements: 10 years

Retention periods: Implementing data protection in a legally compliant manner

During the entire retention period, the relevant documents must be kept in a legible form. Each document type must be checked to determine whether and which statutory retention periods apply and which corresponding deletion periods exist.

For this purpose, an up-to-date record of processing activities and a deletion concept should always be created and maintained, in order to keep an overview and ensure proper, legally compliant deletion.

Even after the retention period has expired, further retention may still be necessary if a purpose for storing the data remains; the retention period itself does not preclude this. Once the retention periods have expired and no further retention is necessary either, the deletion period of 6 to at most 12 months begins.

Here there are various ways and possibilities to destroy the data in a legally secure manner:

  • Deleting data and shredding paper meets the requirements of the GDPR. However, sensitive and personal data must be destroyed in a legally secure manner so that no other person – internally or externally – can access the data and information.
  • For this purpose, a DIN standard (DIN 66399) provides guidance on destruction in accordance with data protection. If an external third party destroys the data, i.e., a company engaged specifically for this purpose, this is a case of commissioned processing. According to Article 28 of the GDPR, there is a legal obligation to conclude a written contract for such commissioned processing.

Conclusion

Deletion and retention periods are complex and challenging to understand. In case of doubt, there are no clear rules – deletion must always occur on a case-by-case basis, for example, if the purpose of storage no longer applies or the data subjects request deletion.

Especially when deletion and retention periods collide or overlap, things can quickly become confusing. It is generally a good idea for companies to create and maintain deletion concepts.

At first, a deletion concept means much work. However, much of this can also be gleaned from the record of processing activities if one already exists.

In the long term, though, deletion concepts bring a great deal of clarity: they create an overview of existing data and its processing, assign responsibilities, and categorize data together with its deletion periods.
