A recent case illustrates the consequences of a lack of compliance in the area of the General Data Protection Regulation (GDPR): The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) recently imposed a fine of 900,000 euros against a debt collection company. The reason: the company had retained personal data of debtors even after the statutory deletion periods had expired - in some cases for up to five years without any legal basis. Companies should check whether the internal processes set up for the regular deletion of personal data are sufficient.
Legal basis of the deletion obligation
The GDPR sets out clear rules on data processing and storage, which are essentially based on the principles of data minimization and storage limitation. In accordance with Article 5(1)(e) GDPR, personal data may only be stored for as long as is necessary for the purposes of processing. The so-called "storage limitation principle" therefore obliges companies to delete data as soon as it is no longer required for the originally defined processing purposes. This obligation to erase data applies regardless of whether the data was used internally or passed on to third parties.
Article 17 GDPR is linked to this. This article grants data subjects the right to request the erasure of their personal data without undue delay as soon as certain conditions are met. These conditions include:
Article 17 therefore requires not only erasure on request, but also the active erasure of data when it is no longer required. This underlines the obligation for companies to develop a deletion concept and apply it on an ongoing basis.
Deletion obligations also apply to B2B companies
Some companies still believe that data protection obligations only apply to B2C companies. In fact, there is no company in the B2B sector that does not process personal data of contact persons of customers, suppliers, service providers or, of course, its own employee data. The GDPR therefore makes no distinction between companies that only have private customers and those that operate exclusively in business transactions.
Challenges in practice: typical deletion deadlines and industry specifics
Different deletion periods may apply depending on the industry. While companies in the healthcare sector, for example, are confronted with strict documentation obligations, in some cases only the retention obligations under tax law apply in the retail sector (see below). For tax documents such as invoices, for example, a retention period of ten years applies, while other business documents are generally subject to a retention period of six years.
A common challenge is managing different time limits and categories of personal data. Companies should therefore clearly define from the outset which data must be stored, in what form and for how long. These requirements should be documented and set out in a deletion concept in order to prevent data being stored for an unnecessarily long period of time and breaches occurring as a result.
The case: Lack of an erasure concept leads to a fine
The case of the Hamburg-based company shows how serious the consequences of a missing or inadequate deletion concept can be. The HmbBfDI carried out comprehensive audits of companies with a strong market presence in the receivables management sector. It was discovered that the company in question had stored sensitive debtor data for years, even though the statutory deletion periods had expired. This data was not passed on to third parties, but this could not prevent sanctions, as the permanent storage of the data alone was classified as a GDPR violation. The company accepted the fine and cooperated with the data protection authority in dealing with the incident.
Fines as a signal: risks and consequences of inadequate erasure concepts
The amount of the fine of 900,000 euros in this case is a clear signal to all companies: The supervisory authorities are prepared to impose heavy fines if companies do not take data protection seriously. For companies, the damage to their image in the event of such a sanction is often more serious than the financial loss. The trust of customers and business partners in a company's data protection standards can be permanently impaired if it becomes known that the company is not in a position to delete personal data in accordance with the law.
In financial terms, in addition to fines, possible claims for damages by data subjects are also relevant. If a company stores personal data unlawfully and thereby violates the rights of the data subjects, they may be able to claim damages. Here too, large sums can quickly add up, especially when it comes to sensitive data such as credit rating information or health data.
Recommendations for avoiding violations of the deletion obligations
Companies should follow several steps to ensure legally compliant implementation of the erasure obligations under the GDPR:
Conclusion: an erasure concept is essential
This case shows that companies need a well-thought-out deletion concept in order to meet the legal requirements and strengthen customer trust in data protection. Compliance with deletion obligations not only protects against sanctions, but also against reputational damage and financial losses that can result from a data protection incident.
The example of the Hamburg-based company is a warning to all those who have not yet sufficiently addressed the topic of deletion concepts. A structured erasure concept helps to comply with the GDPR and minimize risks. For companies operating in data-intensive sectors, careful handling of personal data is not only a legal obligation, but also a question of sustainable business success.