The GDPR specifies that personal data may not be stored longer than legally necessary. When the legal necessity ceases to exist, data retention is no longer permitted and deletion is compulsory. Exceptions exist only in the cases of legal data retention obligations.
In the worst case, authorities can impose penalties on those who, in violation of the GDPR, retain data longer than allowed. It is clear, based on the most recently imposed fees, that the authorities are increasingly paying close attention to the adherence of data retention periods.
Depending on the company size, it becomes increasingly likely to quickly lose grasp of the different types and categories of personal data being processed. This makes it even more important to automate the deletion process. Getting over this big step makes it easier to maintain control over the complexity and bring in new processing operations into the existing structure.
Please note the following guidelines regarding the scope of our erasure policy workshop:
- We’ll give you a recommendation for a structured deletion process that is oriented to GDPR rules. We will illustrate an option that shows you how you can take steps toward GDPR-compliant erasure. It should be easy for you to implement a deletion process with routines that can be built upon over the long term.
- We are not liable for implementing a company’s internal deletion process and make no claim to the correctness of the retention periods provided in the general examples when applied to specific cases. In the workshop, we’ll teach you what is important in the deletion process so that you can integrate it in your existing processes. We also cannot assume liability for GDPR compliance of your specific deletion process developed in our workshop.
- We can draft the erasure policy in English. The online workshop takes two hours with a one-hour Q&A at the end. Our focus is on your current deletion process in the context of the workshop without taking into account your status as an internal or external control. Our recommendations are general and are not meant for any specific case.
- Please note that we cannot go through each individual company area and designate all possible retention periods. Even as we have years of experience and we know many erasure and retention periods, we don’t know every one that exists.
- As the workshop is conducted remotely, the controller is responsible for their technical set up (e.g. sufficient and stable internet connection, functioning hardware and software, etc.)
- All details provided by the controller will be assumed to be correct.
- The service is deemed as rendered if the workshop is held together with the Q&A hour. If an erasure policy draft was ordered as well, the service is deemed as rendered when the workshop is held together with the Q&A hour and the erasure policy draft is delivered.
- The workshop can only be carried out if the controller actively and sufficiently contributes. After the purchase order, a phone conversation is carried out to get an overview of the company and to find a possible workshop date. This conversation takes a maximum of thirty minutes and will take place within seven workdays after the order is placed. If the controller cannot schedule a date within the seven workdays, the conversation can take place at a later point.
- The controller must provide three scheduling options for the workshop at different weekdays and times. All times must be within the standard office hours of 9 a.m. and 6 p.m.