Update Data Protection No. 192
Data protection supervision: Failure to delete personal data leads to a fine of EUR 900,000
A recent case illustrates the consequences of a lack of compliance in the area of the General Data Protection Regulation (GDPR): The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) recently imposed a fine of 900,000 euros against a debt collection company. The reason: the company had retained personal data of debtors even after the statutory deletion periods had expired – in some cases for up to five years without any legal basis. Companies should check whether the internal processes set up for the regular deletion of personal data are sufficient.
Legal basis of the deletion obligation
The GDPR sets out clear rules on data processing and storage, which are essentially based on the principles of data minimization and storage limitation. In accordance with Article 5(1)(e) GDPR, personal data may only be stored for as long as is necessary for the purposes of processing. The so-called "storage limitation principle" therefore obliges companies to delete data as soon as it is no longer required for the originally defined processing purposes. This obligation to erase data applies regardless of whether the data was used internally or passed on to third parties.
Article 17 GDPR is linked to this. This article grants data subjects the right to request the erasure of their personal data without undue delay as soon as certain conditions are met. These conditions include:
- the purpose of the processing no longer applies,
- the data subject withdraws consent and there is no other legal basis,
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the data was processed unlawfully.
Article 17 therefore requires not only erasure on request, but also the active erasure of data when it is no longer required. This underlines the obligation for companies to develop a deletion concept and apply it on an ongoing basis.
Deletion obligations also apply to B2B companies
Some companies still believe that data protection obligations only apply to B2C companies. In fact, there is no company in the B2B sector that does not process personal data of contact persons of customers, suppliers, service providers or, of course, its own employee data. The GDPR therefore makes no distinction between companies that only have private customers and those that operate exclusively in business transactions.
Challenges in practice: typical deletion deadlines and industry specifics
Different deletion periods may apply depending on the industry. While companies in the healthcare sector, for example, are confronted with strict documentation obligations, in some cases only the retention obligations under tax law apply in the retail sector (see below). For tax documents such as invoices, for example, a retention period of ten years applies, while other business documents are generally subject to a retention period of six years.
A common challenge is managing different time limits and categories of personal data. Companies should therefore clearly define from the outset which data must be stored, in what form and for how long. These requirements should be documented and set out in a deletion concept in order to prevent data being stored for an unnecessarily long period of time and breaches occurring as a result.
The case: Lack of an erasure concept leads to a fine
The case of the Hamburg-based company shows how serious the consequences of a missing or inadequate deletion concept can be. The HmbBfDI carried out comprehensive audits of companies with a strong market presence in the receivables management sector. It was discovered that the company in question had stored sensitive debtor data for years, even though the statutory deletion periods had expired. This data was not passed on to third parties, but this could not prevent sanctions, as the permanent storage of the data alone was classified as a GDPR violation. The company accepted the fine and cooperated with the data protection authority in dealing with the incident.
Fines as a signal: risks and consequences of inadequate erasure concepts
The amount of the fine of 900,000 euros in this case is a clear signal to all companies: The supervisory authorities are prepared to impose heavy fines if companies do not take data protection seriously. For companies, the damage to their image in the event of such a sanction is often more serious than the financial loss. The trust of customers and business partners in a company's data protection standards can be permanently impaired if it becomes known that the company is not in a position to delete personal data in accordance with the law.
In financial terms, in addition to fines, possible claims for damages by data subjects are also relevant. If a company stores personal data unlawfully and thereby violates the rights of the data subjects, they may be able to claim damages. Here too, large sums can quickly add up, especially when it comes to sensitive data such as credit rating information or health data.
Recommendations for avoiding violations of the deletion obligations
Companies should follow several steps to ensure legally compliant implementation of the erasure obligations under the GDPR:
- Implementing a deletion concept: A deletion concept is at the heart of GDPR-compliant data management. It defines the data categories, their storage periods and the time of erasure. It is important that the concept is updated regularly and complies with the applicable legal requirements.
- Employee training: All employees who work with personal data should receive regular training on the topics of erasure obligations and data protection. Especially in data-driven departments such as sales, customer service or receivables management, awareness of erasure obligations is crucial.
- Technical implementation and automation: It is advisable to use technical solutions that enable the automatic deletion of data once the deadlines have expired. Modern data management systems often offer functions for managing deletion deadlines. With these tools, companies can automate compliance with deletion obligations and reduce the risk of errors.
- Regular audits and checks: Compliance with deletion obligations should be checked regularly by internal or external audits. This can determine whether the specified deadlines have been met and whether data has actually been deleted.
- Documentation and verifiability: As companies must be able to prove that the deletion obligations have been met in an emergency, it is important to fully document all data deletions. This can be done using log files, reports from the data management system or corresponding audits, for example.
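To make the recommendations above concrete, here is an added example (not code from the newsletter, the HmbBfDI or any particular data management system) of a minimal deletion run driven by a deletion concept: each record carries a data category, the concept maps categories to retention periods, and a scheduled job deletes what has expired, skips what is under a legal hold, reports records that have no category at all, and writes an audit log that references the deleted record only by a hash so the log does not itself become a copy of the personal data. The only periods taken from the article are ten years for tax documents such as invoices and six years for other business documents; the "debtor_file" category, its three-year period, all record identifiers and the rule that the retention clock starts on the date the processing purpose ended are constructed assumptions for illustration, and the actual start of the clock and the periods must be fixed in the company's own deletion concept.

```python
from dataclasses import dataclass, field
from datetime import date
import hashlib

# Retention periods in years per data category. Ten years for tax documents
# and six years for other business documents are the figures from the
# article; "debtor_file" and its period are an ASSUMPTION for illustration.
RETENTION_YEARS = {
    "tax_document": 10,
    "business_document": 6,
    "debtor_file": 3,
}


@dataclass
class Record:
    record_id: str
    category: str
    end_of_purpose: date      # date the processing purpose ended (assumed clock start)
    legal_hold: bool = False  # e.g. ongoing proceedings suspend deletion


@dataclass
class DeletionRun:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    held: list = field(default_factory=list)
    unclassified: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: Record) -> date:
    """Last day on which the record may still be stored under the concept."""
    if rec.category not in RETENTION_YEARS:
        raise ValueError(f"no retention period defined for category {rec.category!r}")
    return add_years(rec.end_of_purpose, RETENTION_YEARS[rec.category])


def run_deletion(store: dict, today: date) -> DeletionRun:
    """Delete expired records from `store` in place and return the run report."""
    run = DeletionRun()
    for rec_id, rec in list(store.items()):
        if rec.category not in RETENTION_YEARS:
            run.unclassified.append(rec_id)   # must be reported, never silently kept
            continue
        deadline = retention_deadline(rec)
        if today <= deadline:
            run.retained.append(rec_id)
            continue
        if rec.legal_hold:
            run.held.append(rec_id)           # expired, but deletion is suspended
            continue
        del store[rec_id]
        run.deleted.append(rec_id)
        run.audit_log.append({
            # hashed reference: the log proves the deletion without re-storing the data
            "record_ref": hashlib.sha256(rec_id.encode()).hexdigest()[:16],
            "category": rec.category,
            "deadline": deadline.isoformat(),
            "deleted_on": today.isoformat(),
        })
    return run


def sample_store() -> dict:
    """Constructed sample records; identifiers and dates are invented."""
    recs = [
        Record("INV-2013-0001", "tax_document", date(2013, 6, 30)),
        Record("INV-2016-0042", "tax_document", date(2016, 3, 15)),
        Record("CORR-2018-0007", "business_document", date(2018, 1, 10)),
        Record("CORR-2018-0008", "business_document", date(2018, 1, 10), legal_hold=True),
        Record("DEBT-2020-0113", "debtor_file", date(2020, 2, 29)),
        Record("MISC-0001", "unknown", date(2019, 1, 1)),
    ]
    return {r.record_id: r for r in recs}


def demo_run():
    """Run the job against the sample store as of an assumed date 2025-01-01."""
    store = sample_store()
    run = run_deletion(store, date(2025, 1, 1))
    return run, store


if __name__ == "__main__":
    run, store = demo_run()
    print("deleted:", run.deleted)
    print("retained:", run.retained, "held:", run.held, "unclassified:", run.unclassified)
    for entry in run.audit_log:
        print("audit:", entry)
```

The three outcomes a regular audit would want to see are separated in the report: what was deleted (with a log entry per record), what was expired but blocked by a legal hold, and what could not be assessed because it has no category in the concept. The last group is the one that most often produces the situation described in the case above, data that simply never falls under any deadline.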
Conclusion: an erasure concept is essential
This case shows that companies need a well-thought-out deletion concept in order to meet the legal requirements and strengthen customer trust in data protection. Compliance with deletion obligations not only protects against sanctions, but also against reputational damage and financial losses that can result from a data protection incident.
The example of the Hamburg-based company is a warning to all those who have not yet sufficiently addressed the topic of deletion concepts. A structured erasure concept helps to comply with the GDPR and minimize risks. For companies operating in data-intensive sectors, careful handling of personal data is not only a legal obligation, but also a question of sustainable business success.