In conflict: Data deletion rights vs. retention obligations

vom 24.03.2021

18.03.2021 I by Henrik Hasenkamp

If data protectionists have their way, companies must radically delete personal data after »use«. The tax authorities, on the other hand, would like to be able to check business transactions that are ten years old.

Sometimes a customer simply doesn't want to be a customer anymore. In the digital world, however, the customer has not disappeared from a company's field of vision - on the contrary. He has left behind plenty of data traces in the company's own IT systems as well as in the cloud environments: Address data, e-mail inquiries, invoices, delivery bills and much more.

These traces are important for companies even after the customer relationship has ended. The existing data is used to create balance sheets, write annual reports and fill out tax returns. In addition, companies have considerable retention obligations: Tax offices and other authorities want to be able to check the correctness of transactions even years later.

Tax-relevant data on business transactions with customers must be retained for up to ten years after the last commercial posting. This applies to accounting transactions as well as personal data. The tax office would like to know the originator of a payment - perhaps because he has included the invoice in the statement of his operating costs.

This is where a collision with data protection arises, because such information is usually personal data and therefore particularly protected. That is why, for several years now, everyone has had the right to erasure and oblivion, laid down in the European General Data Protection Regulation (GDPR). What is meant by this is: When the reason for storing data ceases to exist, companies must delete all personal data relating to the customer in question. This sounds simple, but it is not.

Personal data - not a simple case

But let's take it one step at a time. We are entering terrain with legal stumbling blocks here. The term personal data alone is defined quite broadly. It includes all data with which a link to a specific person can be established. In practice, therefore, significantly more data is personal than it appears at first glance. Thus, it does not matter whether the information is correct or incorrect, nor whether it is important, business-critical or sensitive. Even incorrect and seemingly unimportant information can be personal data.

In addition, it is not at all necessary for the legal assessment that a company actually establishes the link between data and persons in its IT. Even if such a relationship is theoretically possible, this results in personal data from a legal perspective. Moreover, it is not only the company itself that matters. Information and data that can be assigned to a person via contractual partners or other third parties also fall under the protection of the GDPR.

This definition is very broad and becomes a significant challenge for companies. Personal data can be found in all systems and applications, and now in cloud and multi-cloud environments that process and store business transactions at all. Only anonymized data, for example the aggregated statistical information in a business dashboard, is harmless. This is anonymized data that no longer relates to a specific person in any way. So we are talking about statements such as »90 percent of customers are satisfied with the product«.

Normally, this kind of information is obtained from data warehouses or data lakes with heterogeneous data that is also personal. This is because content from different data sources such as merchandise management systems, ERP applications and marketing tools, as well as multi-cloud storage, can be found there. An obvious idea now is to simply remove the details of the individuals - through pseudonymization. This involves replacing the plain name with a key, such as a sequential number. But even pseudonymized data is personal, since the reference can theoretically be re-established.

According to the European Court of Justice (ECJ) and the German Federal Supreme Court (BGH), it follows that even IP addresses in log files of web servers are personal. Admittedly, they are pseudonyms and cannot be traced back to a person using simple methods. But with the help of the public prosecutor's office, the connection owner and thus possibly the person who visited a website can be determined. Companies are still allowed to store log files, but they must treat them in accordance with the GDPR. It does not help to encrypt data. This is also considered pseudonymization from a legal perspective. If the key is known (which can be stolen), it is easy to establish the reference to a specific person.

The special significance of personal data also becomes clear with regard to its international exchange. Under the EU-US Privacy Shield, it was previously possible to transfer personal data of European citizens to companies based in the US. This is now changing, because following a decision by the ECJ, the agreement was found to be invalid. Reason: the law does not provide guarantees that would meet the strict requirements of the GDPR. In connection with the fact that software and cloud offerings in particular are often sourced from international providers, buyers will have to be even more vigilant from now on.

Right to data oblivion and obligation to archive

The basic rule of the GDPR is now that personal data must be completely deleted when the purpose for storing it no longer applies. In the case of companies, this is often a business relationship, for example based on a contract or a declaration of consent for data storage. For example, personal data is also stored from non-customers if they have given a declaration of consent to receive e-mails. This data must be deleted precisely when the declaration of consent is withdrawn.

Normally, a company can process and store personal data for as long as a contractual relationship exists. Otherwise, it must delete all of the customer's data. But when does a contractual relationship actually end? When the customer has terminated? There are good reasons to assume otherwise. Lutz Martin Keppeler, specialist attorney for information technology law at Heuking Kühn Lüer Wojtek in Cologne, cites warranty as an example: »Even after the end of a contractual relationship, there are often still legal warranty obligations of the company. For this, the storage of certain data continues to be necessary.«

Legal retention obligations are a similar case. They are regulated for different categories of data in special laws. These include, for example, commercial and tax law, the Energy Industry Act, the Federal Immission Control Act, the German Banking Act, labor law and more. The best-known deadline comes from tax law: it stipulates a retention obligation for ten years after the last accounting transaction.

This obligation applies to all documents and data relating to business transactions - such as invoices, quotations, order confirmations, payment receipts, contracts and much more. In principle, this also includes all internal and external e-mails in which there was any form of correspondence about the business relationship.

There is therefore a contradiction between deletion and retention obligations, but this can be resolved in favor of the special legal archiving periods. Thus, according to the GDPR, personal data may be archived if this serves to fulfill a legal obligation of the responsible party. Retention periods by law are thus given the legal basis for the continued storage of personal data.

So it's not as simple with data protection as the brevity of the EU rules suggests. There is a reason for this: »The wording of the GDPR in Article 17 is decidedly abstract and thus in need of interpretation«, says specialist lawyer Keppeler. »This also applies to the deletion of data. The GDPR does not specify exact details so that the legal rule is as technology-neutral as possible. After all, a standard should not only apply in certain situations.«

High fines without a back door

Companies are therefore forced to make data protection considerations for each individual case in order to meet all requirements. Otherwise, they run a considerable risk, because the threat of punishment under the GDPR is very high. The framework for violations is up to 20 million euros or four percent of global annual turnover. The higher amount is applied.

Since the EU regulation does not specify any criteria, the German data protection authorities agreed on a model for calculating fines at the end of last year. Since then, the amount of fines has been rising rapidly in practice. An internet provider, for example, was fined 9.5 million euros for a breach of organizational security measures in December 2019. A large real estate company was fined 14.5 million euros in November 2019 for failing to systematically delete legacy data of many tenants.

The last case is particularly interesting. Because the company had a reason for not deleting: Too much effort. This is no longer accepted in court, because there is no backdoor in the DSGVO as there was in the old Federal Data Protection Act (BDSG) before 2018, according to which data only had to be deleted if it did not involve disproportionate effort. This possibility does not exist in the DSGVO and the German legislator has not included it in the adapted BDSG either. More precisely, such a rule exists, but only for paper files, not for data carriers and cloud storage.

This has some consequences for companies. For example, e-mail archives and backups must also be taken into account when deleting personal data. Considerable technical effort is then required here. It is true that all IT applications have a delete function for their data, and there are now also data mining tools that scan e-mails and documents for personal data.

But the developers of backup systems have not yet given any thought to functions for deleting personal data. This is because, until 2018, the right to erasure was de facto inapplicable to complex databases, backups and clouds. Retrofitting a deletion option in »grown« systems is a considerable effort from a technical point of view, which providers are unlikely to be able to do in a hurry. In the case of software-as-a-service offerings, the provider must ensure from the outset that companies can adapt their application to the GDPR and their own compliance requirements if necessary.

Keeping the data lifecycle under control

»This situation is very confusing«, Keppeler summarizes. »That's why companies should prepare well for audits by authorities. To do this, they first need a data processing directory that records all processes. In addition, they need to develop a deletion concept that shows when which data will be deleted and how.«

In individual cases, this means a considerable amount of work for those responsible. The directory must be as detailed as possible and should be updated on an ongoing basis - it serves as a reference during audits by data protection authorities. This is also the place where the retention obligations are once again specified in detail.

The data processing directory provides information about what data is actually present in the company and which of it is personal. In addition, it should divide the data into different categories and indicate the retention periods that apply in each case. A deletion concept then specifies the exact criteria and the type of deletion. For example, it should specify which data is deleted by overwriting and how data carriers are destroyed.

Data Lifecycle Management (DLM) makes sense. This is a policy-based approach to managing data throughout its lifecycle - from the time it is created, to the time it is stored, to the time it becomes obsolete and is deleted. For this purpose, there are corresponding IT applications that automate all the processes involved. The advantage of such systems: Companies no longer have to deal in detail with deletion obligations and retention periods; the data is automatically deleted when certain criteria are met.

In addition, DLM can also be used to deal with special data requirements. For example, a company normally does not need complete personnel files of employees who have not been employed there for 20 years. But there is an exception, i.e. a legitimate interest of all parties to store the data: A company pension. For its correct calculation and payment, companies must permanently store certain data of pensioners and former employees.

Separating personal and technical data

A good complement to DLM is the pseudonymization of data. Here, systems for customer management have proven their worth. Put simply, they separate customer data from technical information. In this way, a unique identification number can be assigned to each customer, but also to each infrastructure resource. This ID is used in all applications that contain customer data. As a result, personal data is separated from the rest of the data and can be selectively deleted, for example.

Although this makes the IT architecture a bit more complicated, it does not create any legacy over the years. With such an approach, additional systems can also be integrated very easily into the existing customer management system, for example by buying up a company.

It is quite a high effort to implement such a solution. Therefore, it is not likely that companies will rely on pseudonymization. However, if you are a start-up starting from scratch, you can think about such an approach. Unfortunately, there is no technically clean solution that can correctly implement all the deletion obligations of the GDPR. Pseudonymization is merely a viable middle ground.

»If you think the existing deletion obligations through to their logical conclusion, you will cut off Germany and Europe from the benefits of cloud computing. No politician can seriously want that«, warns specialist lawyer Keppeler. A particular problem is the legal uncertainties caused by fines running into the millions and, at the same time, few concrete guidelines. Many of the detailed questions briefly presented here would have to be clarified either by ordinance or by the courts - both of which are still pending.

Federal Office for Data Protection in Information Technology?

So there is a lack of a uniform guideline by the legislature or the Federal Data Protection Commissioner on how something should be implemented specifically in individual cases. Particularly in the case of solutions from the cloud, especially from international providers, there is also often a lack of advice from the providers. In addition, companies do not find enough technically competent contacts. Neither the data protection authorities nor the chambers of industry and commerce (CCI) have the human resources to meet the need for advice.

But the demand is high, similar to the related and in some respects congruent topic of information security. But in contrast to data protection, there are established structures that provide companies with legal certainty and practical assistance. This refers to the BSI (German Federal Office for Information Security) and its basic protection catalogs. Especially small and medium-sized companies with no or only a small IT department benefit greatly from this.

Two demands on association representatives and politicians can be derived from the legal uncertainty and the lack of practical detailed rules.

  • First, it would make sense to amend the law to include an exception rule like the one in the old BDSG. It does not have to be so broad that the deletion rights of private individuals are revoked through the back door. But it should make it easier for companies to meet the requirements of the GDPR.
  • Secondly, there is a lack of a competent and powerful advisory body to help business implement the GDPR details. This does not have to be an authority; a joint organization of chambers of commerce and industry (IHKn) would be an ideal contact. It could then ensure that the expertise already available in many IHKs is also made available nationwide.

These two measures can help make the GDPR manageable for business and reduce legal risks.

Click here for the original article in german.

    Back to overview