Data Deletion Concept

A systematic plan for the timely deletion of personal data once the purpose for which it was collected has ceased to apply, as required by Art. 17 GDPR.

A data deletion concept is a central instrument for implementing the GDPR principle of storage limitation (Art. 5(1)(e) GDPR) and the right to erasure (Art. 17 GDPR). It defines binding retention and deletion periods for all categories of personal data and establishes when and how data must be deleted or anonymised once the original processing purpose no longer applies. The absence of a deletion concept is one of the most common data protection deficiencies identified by supervisory authorities during inspections.

A complete deletion concept typically contains: an overview of all data classes and categories; the applicable retention periods — both statutory minimum and maximum periods; the triggers that start and end the retention period; the organisational units responsible for carrying out deletion; and the technical procedures for securely deleting or anonymising data. Different statutory retention obligations must be taken into account: commercial law (e.g. Section 257 German Commercial Code) requires retention of up to ten years, as does tax law (e.g. Section 147 German Fiscal Code).

For compliance officers, implementing a deletion concept requires close collaboration with the IT department to ensure that deletion processes are technically automated or at least systematically triggered. Manual deletion processes are error-prone and difficult to audit. The deletion concept should be reviewed regularly and updated whenever new systems or processing activities are introduced. Deletion must be documented to fulfil the accountability obligation under Art. 5(2) GDPR.

Legal Basis

Art. 17 GDPR

Practical Example

A job applicant requests that your organisation delete their application documents under Art. 17 GDPR. As compliance officer, you check the deletion concept to confirm the applicable retention period for applicant data. Your concept specifies a six-month retention period after the conclusion of the recruitment process, to guard against potential discrimination claims under employment equality law. Since the process concluded only three months ago, you inform the applicant that their data will be deleted once the period expires and document the request and your decision. After six months, the deletion is automatically carried out and logged by the applicant tracking system.

FAQ

A data deletion concept is a systematic plan that establishes binding retention and deletion periods and processes for all categories of personal data. It helps organisations comply with the GDPR's storage limitation principle and ensure that data is deleted on time once the processing purpose has ceased to apply.

Retention periods vary depending on the type of data and applicable law. Commercial and tax law documents often need to be retained for up to ten years. Other data types, such as job applications, customer data, or employee records, are subject to different periods. The deletion concept must account for all relevant statutory retention obligations.

Yes. The accountability obligation under Art. 5(2) GDPR requires the deletion concept to be documented in writing and available for inspection. Supervisory authorities regularly request deletion concepts during audits. The concept should also be maintained as an annex to or part of the ROPA.
