The Regulation, which will enter into force as of January 1, 2018, sets forth the procedures of deletion, destruction and anonymization (all three methods will be referred to as “removal”) of personal data that is processed either (i) automatically or (ii) manually, provided that the data is part of a data registry system.
The Regulation and the Guidelines define
- Deletion of data as rendering personal data inaccessible and unfit for the re-use for ‘relevant users’ (i.e. persons, other than those responsible for the storage, protection and back-up of the data, who process personal data either as part of the organization of the data controller or in accordance with the authority granted by and upon the instruction of the data controller).
- Destruction of data as rendering personal data inaccessible, un-restorable and unfit for re-use for anyone.
- Anonymization of data as turning data into a form which cannot be associated with an identified or identifiable real person, even if it is restored and/or linked or coupled by other data.
The Regulation provides that, if processing of data is no longer required, data controllers must remove the personal data, either ex officio or upon the request of data owner. The Regulation requires that any action taken for the removal of personal data be recorded and all such records be maintained for at least three years.
Policy on the retention and destruction of personal data
Unless exempt from the requirement, all data controllers must be recorded with the Data Controllers’ Registry. These data controllers are also required to prepare a policy on the retention and destruction of personal data. The policy should be in line with the inventory that the data controllers will maintain to register the details of their personal data processing activities.1
The policy must include, among other points, information on data processing media to which the policy would apply, legal, technical and other reasons for retention and removal of personal data, measures taken to secure and remove the personal data and to avoid illegal processing, titles and job descriptions of those involved in the retention and removal process and retention and periodic removal periods.
Mere preparation of a policy does not guarantee a data controller’s compliance to the legislation.
Methods of data removal
Unless the Board decides otherwise, data controllers are free to choose the methods to be used for removal of personal data. Upon request by a data subject, a data controller must explain the reasons for choosing a particular method.
For deletion of data, the Guidelines require that data controllers fulfill the following steps: (i) determine the personal data subject to deletion, (ii) determine the relevant users of such data, (iii) determine the scope of authority and methods employed by the relevant users to access, restore and re-use personal data, and (iv) block and remove such authority and methods. The method to be used for deletion must be appropriate for the platform on which the data is stored. Accordingly, the Guidelines provide examples of methods that can be used for data stored in a cloud system, on paper, on a server, portable media device or database. For example, if stored on paper, the data must be cut out or redacted as appropriate. For data stored on portable media storage, the devices in question must be encrypted and deleted by appropriate software.
For destruction, the Guidelines list a number of methods depending on the system where data is stored and requires data controllers to use one or more of such methods, including degaussing (erasing or neutralizing magnetic data, e.g. on a hard disk), overwriting data using special software, shredding paper records (vertically and horizontally, making it impossible to reassemble the pieces), and for data maintained on cloud servers, destruction of individual keys used to encrypt data.
Similarly, in relation to anonymization, the Guidelines provide for different methods that data controllers may use, depending upon, among other factors, type and size of data, frequency of data processing and whether anonymization would be worth the effort. Methods include, among others, removing variables (where the variable is a direct identifier), generalization of data and data masking.
In any event, it is important that data cannot be retrieved by modern data recovery techniques.
Once the obligation to remove arises, data controllers, who are required to prepare a policy, must do so on the immediately following periodic removal date. Intervals between removal dates must be set out in the policy and may not exceed six months.
Data controllers not required to have a policy in place must comply with this obligation within three months.
The Board may shorten these periods if necessary to avoid irreparable damage and in case of clear signs of illegality.
If removal of data is requested by a data subject, data controllers must respond to the request within 30 days by (i) complying with the request, if the need for processing no longer exists, or (ii) rejecting the request and explaining why there is a need for processing. If data is transferred to third parties, but there is no longer a need for processing, data controllers must request that the relevant third party takes necessary actions under the Regulation.