16.01.2021 I by Henrik Hasenkamp
According to the GDPR, companies must delete personal data when the business relationship ends. Laws such as tax law require long retention periods. An objection?
The General Data Protection Regulation (GDPR), which has been in force throughout Europe since 2018, regulates how companies should handle personal data. This presents them with a major challenge: on the one hand, they have to implement the GDPR organizationally and technically. On the other hand, however, contradictions repeatedly arise between the requirements of the GDPR and other statutory data retention obligations. Which regulation then applies to which type of data?
Personal data - much more than personal details
Even the question of what exactly personal data is is not easy to answer. For example, it is widely believed that it is personal information, such as customer data and the like. But the definition of personal data is much broader. It refers to all data that can be linked to a specific person. In practice, this can be very many: from contractual agreements to data from user tracking, such as purchase histories or surfing behavior, to e-mails, everything can be classified as personal.
Incidentally, it is irrelevant whether the linkage of data is actually established in a company. Even if it is theoretically possible, this is completely sufficient from a legal point of view. This is precisely what complicates the handling of such data in practice. Even if the link is only established via a third party, such as a business partner, the data falls under the GDPR. Even pseudonymization is not sufficient. For example, if plain names are replaced by sequential numbers, the link to the person behind the number can still be established. This means that even IP addresses in the log files of web servers are considered personal data. So even encryption does not help out of the jam: from a legal point of view, only a pseudonym is assigned here as well. Anyone who knows the key can view the data and draw conclusions.
GDPR versus retention obligations?
The DSGVO aims to protect personal data to a large extent. For example, personal data must be completely deleted when the purpose for storing it no longer applies. This leaves some room for interpretation. If a contract has been agreed between two business partners, such a basis is given - the storage and processing of personal data is necessary and permissible. But what happens when the business relationship ends? The actual reason for the data storage no longer applies. According to the GDPR, the data would have to be deleted.
However, this is opposed by retention obligations under other laws. Legal requirements such as commercial and tax law, the Energy Industry Act, the Banking Act and, last but not least, labor law define mandatory retention periods for business documents. A prominent example: Tax law stipulates that business-relevant data must be retained for up to ten years after the last accounting transaction. This includes contracts, invoices, quotations, order confirmations, payment documents and even internal as well as external e-mails that are relevant to the business relationship in some way. Warranty is another case where data does not have to be deleted even after the end of the contract.
It is true that the GDPR is deliberately formulated in a rather abstract manner in order to avoid concrete technical specifications. However, it does provide a solution for the contradiction described: if the data concerned is necessary to fulfill legal obligations, it may be archived. The relevant laws then automatically become the valid legal basis for this. In addition, the data protection authorities hardly accept any other reasons. A lack of organizational structures, for example, or a disproportionately high effort for deleting the data do not count.
How companies can protect themselves
In the practical everyday life of companies, the GDPR leads to concrete consequences. If a business relationship ends or - to use the words of the GDPR - the purpose for storing personal data no longer applies, it must be checked whether other legal requirements speak against deletion. If so, the data is initially archived and must be deleted, for example, at the end of the retention period under tax law. By then, however, the data has almost always long since migrated to archives.
Companies therefore need two things: First, it makes sense to have a kind of data processing directory that records all processes and assigns them to the various retention obligations. This records which data is stored and processed in the company and which of it is personal. A deletion concept should supplement the directory. It defines how exactly which data is to be deleted. This involves a great deal of organizational and technical effort, but it pays off in the event of audits by the data protection authority. Companies also need technical solutions that help them filter the right data at the right time from all systems, including archives and backups.
Legislators should make improvements
Things get particularly complicated when service providers are involved in the infrastructure. Only recently, the European Court of Justice (ECJ) overturned the EU-US Privacy Shield agreement. This defined data protection principles that U.S. companies had to comply with vis-à-vis EU citizens. The agreements had become necessary because the previously valid Safe Harbor agreement had already been declared invalid by the ECJ. Accordingly, both laws did not offer sufficient guarantees to bring them into line with the GDPR.
The original article in german can be found here.