
In this way, companies avoid pitfalls when implementing the GDPR


No time right now?

According to the GDPR, companies must delete personal data when the business relationship ends. Laws such as tax law require long retention periods. A contradiction?

The European General Data Protection Regulation (GDPR) has regulated how companies must handle personal data since 2018, and it presents them with a major challenge: on the one hand, they have to implement the GDPR organizationally and technically; on the other hand, the requirements of the GDPR repeatedly conflict with other statutory retention requirements for data. Which regulation then applies to which type of data?

Personal data – much more than personal information

Even the question of what exactly counts as personal data is not easy to answer. A widespread view is that it means personal information such as customer records and the like. But the definition of personal data is much broader: it covers all data that can be used to establish a link to a specific person. In practice this covers a great deal: from contractual agreements to data from user tracking, such as purchase history or browsing behavior, to e-mails, everything can be classified as personal.

Incidentally, it is irrelevant whether the data is actually linked within a company. The mere theoretical possibility of linking it is sufficient from a legal point of view. This is exactly what makes handling such data difficult in practice. Even if the link can only be made via a third party, such as a business partner, the data falls under the GDPR. Pseudonymization is not enough either: if, for example, real names are replaced by consecutive numbers, the person behind a number can still be identified by anyone holding the mapping. By the same logic, even IP addresses in the log files of web servers are considered personal. Encryption does not offer a way out: from a legal point of view, it merely assigns a pseudonym, since anyone who knows the key can view the data and draw conclusions about the person.

GDPR versus retention requirements?

The GDPR aims to protect personal data to a large extent. Personal data must be completely deleted when the purpose of storage no longer applies. That leaves a lot of room for interpretation. If a contract has been agreed between two business partners, such a purpose exists: the storage and processing of personal data is necessary and permissible. But what happens when the business relationship ends? The original reason for storing the data no longer applies, and according to the GDPR the data must be deleted.


However, this deletion obligation conflicts with the retention requirements of other laws. Legal requirements such as commercial and tax law, the Energy Industry Act, the Banking Act and, last but not least, labor law define mandatory retention periods for business documents. A prominent example: tax law stipulates that business-relevant data must be stored for up to ten years after the last booking process. This includes contracts, invoices, offers, order confirmations, payment receipts and even internal and external e-mails that are in some way relevant to the business relationship. Warranty periods are another case in which data need not be deleted even after the end of the contract.

The GDPR is deliberately formulated in an abstract way in order to avoid concrete technical requirements. However, it provides a solution for the contradiction described above: if the data concerned is necessary to meet legal obligations, it may be archived. The corresponding laws then automatically become the valid legal basis for this retention. Beyond that, the data protection authorities hardly accept any other reasons: missing organizational structures, for example, or a disproportionately high effort to delete the data do not count.

How companies can protect themselves

The GDPR has concrete consequences in everyday business practice. If a business relationship ends or, in the words of the GDPR, the purpose for storing personal data no longer applies, it must be checked whether other legal requirements prevent deletion. If so, the data is first archived and must then be deleted at the end of the applicable retention period, for example the tax retention period. In practice, such data almost always ends up in archives.

Companies therefore need two things. First, it makes sense to maintain a kind of data processing directory that records all processes and assigns them to the various storage obligations. It documents which data is stored and processed in the company and which of it is personal. A deletion concept should complement the directory: it defines exactly how and when which data is to be deleted. This involves a high level of organizational and technical effort, but it pays off when the data protection authority audits the company. Second, companies need technical solutions that help them find and filter the right data at the right time across all systems, including archives and backups.
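As an added illustration (not part of the original article), the following Python snippet applies the rule described above as a deletion concept would: once the purpose of storage has ended, a personal record is archived only while a statutory retention period is still running and deleted otherwise, with the longest obligation winning when several apply. The ten-year tax period follows the article; the warranty period, the record categories and all dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple

# Retention periods in years. The 10-year tax period is the one named in
# the article; the warranty period is an assumed placeholder.
RETENTION_YEARS = {
    "tax": 10,       # business-relevant records, counted from the last booking
    "warranty": 2,   # constructed placeholder period
}


@dataclass
class Record:
    name: str
    personal: bool                         # is the record personal data?
    purpose_end: Optional[date]            # None = business relationship still active
    obligations: Dict[str, date] = field(default_factory=dict)  # obligation -> start of its period


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, today: date) -> Tuple[str, Optional[date]]:
    """Return (action, deadline) for one record under the deletion concept."""
    if not rec.personal:
        return ("out_of_scope", None)          # GDPR deletion duty does not apply
    if rec.purpose_end is None or rec.purpose_end > today:
        return ("retain", None)                # purpose of storage still applies
    # Purpose has ended: only a statutory obligation may justify keeping the data.
    deadlines = []
    for name, start in rec.obligations.items():
        if name not in RETENTION_YEARS:
            raise ValueError(f"unknown retention obligation: {name}")
        deadlines.append(add_years(start, RETENTION_YEARS[name]))
    if not deadlines:
        return ("delete", None)                # no legal basis left: delete now
    latest = max(deadlines)                    # the longest obligation wins
    if latest > today:
        return ("archive", latest)             # keep in the archive until the deadline
    return ("delete", latest)                  # retention period expired: delete
```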

The legislator needs to do better

It becomes particularly complicated when service providers are involved in the infrastructure. The European Court of Justice (ECJ) recently overturned the EU-US Privacy Shield agreement, which defined data protection principles that US companies had to comply with towards EU citizens. That agreement had become necessary because its predecessor, the Safe Harbor agreement, had already been declared invalid by the ECJ. Neither agreement, therefore, offered sufficient guarantees to bring data transfers into line with the GDPR.
