Implementation of deletion obligations: Latest judicature on the GDPR

Recently, the German Federal Cartel Office (Bundeskartellamt) stated that Facebook holds a dominant position in the market and is taking action against the merging of collected data. Andreas Mundt, head of the Bundeskartellamt, explains: “The users have no choice as to whether they agree to the data collection or not.” About one third of the more than 300-page decision deals with details of data protection law. Facebook may no longer collect data from third parties without legally compliant consent. Consent is also required to merge data from other Facebook services such as WhatsApp and Instagram. Facebook was given four months to present a concept of how users’ consent would be collected in the future (https://www.heise.de/newsticker/meldung/Kartellamt-untersagt-Facebook-Datensammlung-auf-fremden-Websites-4300461.html).

The most recent Google case is just as prominent: in its decision of 21 January 2019, the French data protection authority CNIL imposed a fine of € 50 million on Google. The reason: lack of transparency and inadequate information to data subjects, which is why their consent to display personalised, i.e. user-specific, advertisements is not valid (https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc).

What do these two cases of a missing legal basis for the processing of personal data have to do with an obligation to delete under the GDPR (DSGVO in German), which could also affect your company?

Deleting data: central data protection topic?

Since the entry into force of the DSGVO in May 2018, the Austrian data protection authority has focused its decisions on the (non-)deletion of data. The responsible persons audited were sometimes very small companies. Such a review may be prompted, for example, by a complaint from an interested party, e.g. an (ex-)employee or a rejected applicant; or simply by the Authority’s general duty to monitor.

Constant monitoring of the latest case law on data protection is therefore essential. Where legal ambiguities exist today, but the person responsible has attempted a reasonable solution under data protection law, even if it was not entirely correct, the data protection authority will presumably be more lenient than in the case of a breach of data protection obligations that are clearly defined by law or have already been interpreted by case law. In addition to fines, there is also the threat of an obligation to pay compensation to those affected and, for example, an official ban on processing until the lawful state has been established. Such “renovation” can take a long time before processing can be resumed.

Legal certainty is only created by the highest authority and, of course, the data protection authority can also hold incorrect legal opinions. Even representatives of data protection authorities in Germany have therefore publicly called for their decisions on controversial legal issues to be examined on appeal in order to achieve legal certainty as quickly as possible.

The most important legal deletion rules in a nutshell:

The data controller must ensure that he deletes all personal data of data subjects even without their request for deletion, provided that there is no longer a legally permissible reason for the processing for the specified purpose (principle of storage limitation pursuant to Art. 5 para. 1 lit e or Art. 17 para. 1 DSGVO).

If a data subject submits a request for the deletion of his/her personal data, the deletion must in principle be carried out within 1 month (Art. 17 para. 1 DSGVO).

No rule without exceptions: Among other things, deletion is not necessary if the processing continues to be necessary for the controller for certain reasons after termination of a legitimate purpose; e.g. due to statutory retention periods or to defend against claims for damages (Art. 17 (3) DSGVO).

The Austrian Data Protection Act relaxes this strict principle considerably. If, for economic or technical reasons, deletion is not possible immediately but only at certain times (deletion cycles), it must at least be ensured until final deletion that the data is only stored but not used for other purposes (§ 4 para 2 Data Protection Act).

The person responsible must at all times be able to prove when/how/why the data were deleted, which exceptions were made and how the data subjects were informed or how all this is to be done in the future (see Art. 5 (2) DSGVO).

Breaches of duty:

The storage of personal data for an unlimited period of time for a possible future contact constitutes a violation of the principle of storage limitation (Art. 5 para. 1 lit. e DSGVO – 28.05.2018, GZ DSB-D216.580/0002-DSB/2018).

If the complainant has expressly requested only a partial deletion of his personal data, but the person responsible has subsequently deleted all of the complainant’s data, this “excessive” deletion constitutes a violation of the principle of good faith, of the right to deletion and of the right to data integrity (decision of 5.12.2018, GZ DSB-D123.211/0004-DSB/2018). If the person responsible considered that a partial request for deletion could not be complied with, he would have had to inform the data subject of the relevant reasons prior to the complete deletion in such a way that the reasons are comprehensible for the data subject and also for the data protection authority.

Deleting different types of data

Log data also regularly constitute personal data for which appropriate deletion routines must be implemented. The required storage period shall be calculated in accordance with the purpose of the logging (13.12.2017, DSB-D213.531/0009-DSB/2017).

A period of 7 months, duly justified, was allowed for the storage of applicant data (27.8.2018, DSB-D123.085/0003-DSB/2018).

For the deletion of data in backup or archive files, ISPA (Internet Service Providers Austria) suggests, in the absence of settled case law, restricting the processing until the documented backup or archive cycle leads to the final deletion. Restriction means that the data may only be temporarily stored, but not otherwise processed (Art 18 DSGVO).

Deletion obligation, although data is still needed?

In principle, data must be deleted if there is no (longer a) reason for (further) processing for the originally defined purpose. Sometimes, however, the responsible person still needs the data for another purpose, for instance because of a retention obligation under tax law (7 years according to § 132 para. 1 BAO) or in order to be able to ward off possible compensation claims in the future.

In order for the processing to be admissible because of the latter, the data controller must explain which concrete future court proceedings on which liability basis he is threatened with and to what extent the further storage of personal data is actually necessary.

In this sense, the data protection authority considered the 7-month storage of data of a rejected applicant, even against the applicant’s request for deletion, as permissible. This is because the person responsible should be able to defend himself with the help of the data in dispute in any court proceedings for unequal treatment of the applicant. The present statutory period for submitting the claim to the court is 6 months (§§ 15 and 29 Equal Rights Act). These 6 months were extended by 1 month for the duration of the service of the claim on the defendant (27.8.2018, DSB-D123.085/0003-DSB/2018).

In an earlier procedure, the data protection authority had decided that the statutory limitation period of 10 years for the determination of levies (§ 207 BAO) was not a sufficient reason to keep the data for such a long time (DSB-D216.471/0001-DSB/2018 of 28 May 2018). However, this 10-year limitation period applies in the case of intentional tax evasion, whereas taxes avoided merely through negligence can only be imposed for 3 or 5 years. It is understandable that the perpetrator of an intentional crime should not be favoured here.

The short reference of a responsible person to the fact that “reasons known to the office are certain” exist against the deletion of the data was certainly not sufficient reason to justify the further use of the data (28.05.2018, GZ DSB-D216.580/0002-DSB/2018).

Example: Deletion of old address data in the address database

In principle, address data must be deleted by the person responsible as soon as the original purpose of the processing – such as customer support – has been completed.

Often the further use of the data for the purpose of advertising one’s own goods and services will be permitted (“legitimate interest”). Of course, this only applies for a reasonable period of time – depending on the type of (provisionally terminated) customer relationship, the goods or services offered and justified customer expectations.

The further storage of address data may also be permissible due to consent or as a precaution to avert future liability – or it may be necessary due to legal or contractual storage obligations.

If, for economic or technical reasons, the deletion required in principle is not possible immediately, but only at certain times, it must at least be ensured until the final deletion that the data is only stored, but not used in any other way (§ 4 para 2 Data Protection Act). When the final deletion must then take place at the latest is a matter of interpretation in detail. If backup data carriers are overwritten, the deletion takes place by overwriting them (several times).

If address data were originally not lawfully obtained or were illegally stored after a single use, they should have been deleted long ago.

To ensure DSGVO-compliant deletion, suitable deletion measures must be considered and documented. To this end, the person responsible must take appropriate technical and organisational measures (Art. 24 DSGVO). In doing so, the following must be taken into account:

  • type, scope, circumstances and purposes of the concrete processing of the address data in question, and
  • the resulting probability of occurrence and severity of risks for those affected.

These measures shall be reviewed and updated as necessary.

According to Art 25 DSGVO, the state of the art and implementation costs must also be taken into account. The latter is interpreted (very) restrictively.

The measures to be taken now should also ensure that address data stored in the future can be deleted in accordance with the DSGVO.

Mere address data may often not represent a greater risk for those affected. However, a significantly increased risk can result from the illegal combination of such address data with other data! This must also be considered and prevented by appropriate data security measures (Art 32 DSGVO).

The appropriate measures must also ensure that incorrect (changed) address data is corrected or deleted, thus avoiding any disadvantages for data subjects resulting from the use of incorrect data.

If the data subject submits a request for the deletion of his/her address data, these must be deleted unless one of the reasons in Art. 17 (3) DSGVO applies.

ATTENTION: Deletion obligation only because of missing data protection information to the person concerned!

A person responsible had “legitimate interests” (Art. 6 (1) (f) DSGVO) in a registration of insolvency proceedings in his consumer and commercial credit records. Such processing would therefore have been permissible in principle. It was nevertheless inadmissible because the data controller violated the principle of “good faith” (Art. 5 para. 1 lit a DSGVO) by not informing the data subject of the processing of his data. The request for deletion by the person concerned was therefore justified (decision of 30.11.2018, GZ DSB-D122.954/0010-DSB/2018).

Thus, unlawfully processed personal data must be deleted (Art. 17 para. 1 lit d DSGVO). This is of great practical importance for companies which do not sufficiently fulfil their comprehensive data protection notification obligations towards data subjects (Art. 12 to 14 DSGVO). Processing is inadmissible and the data must be deleted.

Consents not given voluntarily are also invalid (Art. 7 DSGVO). For example, the data protection authority generally assumes that consent has not been given voluntarily by individual employees and is therefore invalid. If there is no other legal reason for the processing – such as the contractual requirement or the legal obligation to process or the legitimate interest (Art. 6 DSGVO) – the processing is unlawful and the data must be deleted.

Processing was also prohibited in the two decisions cited at the outset. The (antitrust) authority has granted Facebook a further period of time to obtain valid consents; otherwise further processing could be prohibited (under antitrust law). A fine procedure under data protection law could also follow. The French data protection authority immediately imposed a considerable fine on Google for lack of transparency and insufficient information to those affected.

In the above-mentioned decision of 30.11.2018, GZ DSB-D122.954/0010-DSB/2018, the Austrian data protection authority recognised the justification of the request for deletion due to insufficient information. It remains to be seen whether this decision will become final and whether it will be followed by a fine procedure. In any case, the legal possibilities for the authorities are manifold.

TIP: From a liability point of view:

  1. The person responsible must at all times be able to prove when/how/why the deletions or restrictions occurred and are to occur regularly in future, which exceptions to the deletion are claimed and how the persons concerned are informed of all this (see Art. 5 para. 2 DSGVO).

2. Pay special attention to the correct and sufficient legal basis for your processing operations (Art 6 ff DSGVO),

  •  for consents to their validity (Art 7 DSGVO),
  •  that the parties concerned are informed of the legal basis and,
  •  if the processing is based on legitimate interests, that the data subjects are also specifically informed about these pursued interests (Art. 13 para. 1 lit d and Art. 14 para. 2 lit b DSGVO).

3. A comprehensive deletion concept is particularly suitable for larger data processing operations.

4. Recommendation for smaller data processing operations with lower risks for data subjects: better a few simple “deletion rules” that are implemented and continuously improved than no deletion rules at all. In the first case, a review in the next few months will perhaps only lead the authority to order improvements; in the second, a fine is not unlikely (see Art 83 (2) lit d DSGVO and § 11 DSG)!

5. For smaller data processing jobs, simple deletion rules for individual industries can be developed and used together (see also https://www.frank-law.at/datdok/ ).

 

Dr. Markus Frank

This article does not replace legal advice. Despite all efforts for completeness and correctness, any liability for damages arising from or in connection with this article is excluded.

If you have any comments or questions about this article, please send them to office@frank-law.at .

Would you like to ask me another question about data protection law or data protection management? If I think your topic is of general interest, you might find something about it on my news page https://www.frank-law.at/news/ soon.

17.05.2019