Workshop on developing a retention and erasure policy

  • null
    Learn how to create a GDPR-compliant retention and erasure policy from an experienced data protection consultant using your own processing operations.

  • null
    Be able to set and adhere to data retention and erasure periods for your processing operations.

  • null
    Online workshop (3h), incl. customised erasure policy draft, if desired

Data retention obligations and erasure periods

According to the General Data Protection Regulation (GDPR), personal data may not be stored indefinitely. Personal data must be erased when they are no longer necessary or when the retention period has expired.

It is not enough to block access to data at when the retention period has expired. The data must be deleted in the active system as well as in backups.

Many companies have considerable difficulty in carrying out data erasure at the expiry of the data retention period. For those who ignore this topic, there are increasingly painful penalties imposed by the authorities.

Retention and erasure policy

To deal with these challenges, companies should develop a retention and erasure policy. In our workshop, we’ll explain the general requirements for deleting data, how to calculate the retention period and the standard retention periods, the organisation and problems of deletion, setting the expiry date, the deletion process, the correct documentation as well as the control and revision process, and the software and hardware requirements required for proper erasure.

Choose the combi-package and at the end of the workshop, you’ll get a retention and erasure policy draft that will help you properly delete data.

Be aware that the data retention periods are often defined in specific laws (e.g. tax code, commercial code, social code). Therefore, it’s possible that we don’t know all the periods that exist despite our many years of experience. If necessary, you must seek the advice of the appropriate expert.

What takes place in the erasure policy workshop?


Existing erasure process

In a phone interview, we will establish your existing erasure process. In addition, we’ll clarify your expectations and the scope of your processing operations in order to fit the workshop exactly to your needs and with the right priorities.  We’ll also coordinate a date for the workshop.


The online workshop is live and interactive. Get all the information you need to carry out GDPR-compliant erasure from an experienced data protection consultant.


At the end of the workshop, you’ll have an hour to ask any questions specific to your individual needs in moving successfully forward with an erasure policy for your company.

Erasure and retention policy

If you wish, you can also get a retention and erasure policy that meets your needs for assistance with proper data and documentation deletion.

Our packages


3h workshop
incl. Q&A
Add to cart Excluding 19% tax

Workshop + Policy draft

3h Workshop incl. Q&A
plus customised policy draft
Add to cart Excluding 19% tax

Frequently asked questions on the erasure policy workshop

What data is required to be deleted?

The GDPR specifies that personal data may not be stored longer than legally necessary. When the legal necessity ceases to exist, data retention is no longer permitted and deletion is compulsory. Exceptions exist only in the cases of legal data retention obligations.

What happens if data is retained longer than is permitted?

In the worst case, authorities can impose penalties on those who, in violation of the GDPR, retain data longer than allowed. It is clear, based on the most recently imposed fees, that the authorities are increasingly paying close attention to the adherence of data retention periods.

Why is it so important to have an organised deletion process?

Depending on the company size, it becomes increasingly likely to quickly lose grasp of the different types and categories of personal data being processed. This makes it even more important to automate the deletion process. Getting over this big step makes it easier to maintain control over the complexity and bring in new processing operations into the existing structure.

Scope description of the erasure policy workshop

Please note the following guidelines regarding the scope of our erasure policy workshop:

  1. We’ll give you a recommendation for a structured deletion process that is oriented to GDPR rules. We will illustrate an option that shows you how you can take steps toward GDPR-compliant erasure. It should be easy for you to implement a deletion process with routines that can be built upon over the long term.
  2. We are not liable for implementing a company’s internal deletion process and make no claim to the correctness of the retention periods provided in the general examples when applied to specific cases. In the workshop, we’ll teach you what is important in the deletion process so that you can integrate it in your existing processes. We also cannot assume liability for GDPR compliance of your specific deletion process developed in our workshop.
  3. We can draft the erasure policy in English. The online workshop takes two hours with a one-hour Q&A at the end. Our focus is on your current deletion process in the context of the workshop without taking into account your status as an internal or external control. Our recommendations are general and are not meant for any specific case.
  4. Please note that we cannot go through each individual company area and designate all possible retention periods. Even as we have years of experience and we know many erasure and retention periods, we don’t know every one that exists.
  5. As the workshop is conducted remotely, the controller is responsible for their technical set up (e.g. sufficient and stable internet connection, functioning hardware and software, etc.)
  6. All details provided by the controller will be assumed to be correct.
  7. The service is deemed as rendered if the workshop is held together with the Q&A hour. If an erasure policy draft was ordered as well, the service is deemed as rendered when the workshop is held together with the Q&A hour and the erasure policy draft is delivered.
  8. The workshop can only be carried out if the controller actively and sufficiently contributes. After the purchase order, a phone conversation is carried out to get an overview of the company and to find a possible workshop date. This conversation takes a maximum of thirty minutes and will take place within seven workdays after the order is placed. If the controller cannot schedule a date within the seven workdays, the conversation can take place at a later point.
  9. The controller must provide three scheduling options for the workshop at different weekdays and times. All times must be within the standard office hours of 9 a.m. and 6 p.m.