Exceptions according to Art. 17 Para. 3 DS-GVO

The exceptions to deletion obligations set out in Art. 17 (3) GDPR are of particular relevance for companies.

According to Art. 17 Para. 3 lit. This standard thus points to one of the main areas of tension in the area of ​​cancellation claims. The relationship between data protection and freedom of expression is relevant in the context of the consideration to be carried out in accordance with Article 17 (3) lit.

Further exceptional circumstances are standardized in Art. 17 (3) lit. b to e GDPR. In the following, the focus is on Article 17(3)(b) and Article 17(3)(e) GDPR.

Art. 17 Abs. 3 lit. b DS-GVO

Another exception under Article 17 (3) (b) GDPR is help with right to be forgotten data processing required to fulfill legal obligations under Union or Member State law, to perform a task in the public interest or to exercise public authority assigned to the person responsible Article 17(3)(b) GDPR thus contains a further opening option in favor of the national legislature to exclude a right to deletion in the respective case.

There are various retention requirements under German law. For example, § 147 AO regulates a retention obligation for tax-related documents. The most important documents that must be kept include books, records, inventories, annual accounts, management reports, opening balance sheets, as well as commercial and business letters received, accounting vouchers and other documents, insofar as they are relevant for taxation. The other documents from § 147 Paragraph 1 No. 5 AO include, for example, audit reports, price lists and excerpts from the commercial register and land register. In accordance with § 147 Paragraph 1 No. 5 and Paragraph 3 AO, the retention period is six years for all documents relevant to wage tax deduction. According to § 140 AO, the tax retention obligation is also justified by “other laws”. § 257 para. 1 HGB, for example, refers to the documents that must be kept by every merchant. Within the framework of the HGB, the trading books, inventories, opening balance sheets, annual financial statements, management reports as well as the received commercial letters and accounting documents are the most important documents to be kept.

Art. 17 Abs. 3 liters. and DS-GVO

If the processing of personal data is necessary to assert, exercise or defend legal claims, there is also no right to erasure pursuant to Article 17 (3) lit. e GDPR. This provision is intended to prevent the data subject from deleting their data with the aim of making it more difficult for third parties to prosecute.

Remaining exceptions

According to Article 17 (3) (c) GDPR, there is an exception if processing is carried out for reasons of public interest in the area of ​​public health in accordance with Article 9 (2) (h) and (i) and Article 9 (2) 3 done.

According to Art. 17 (3) lit. d GDPR, the exception is also fulfilled if processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR -GMO.

Log Files

In principle, there is an obligation to document due to the increased accountability obligations imposed by the GDPR and due to general IT security requirements. Log files (or log files) are right to be forgotten gdpr data that logs all processes in an IT system for a certain period of time, i.e. event logs in text format. Log files list the activities carried out, some of which are directly related to individuals. Log files are created wherever documentation of processes is required or desired. The great advantage of log files is that, for example, in the event of an incorrect or corrupt data transmission, the cause of an error can be found and precisely determined. For example, if the systems are infected by a virus,

Deletion concept and retention periods

Coupled with the extended accountability obligations from the GDPR, it is now essential to define a company-specific deletion concept. A deletion concept is understood to mean a definition by which a responsible body ensures that their personal data is deleted in accordance with the law. As part of this concept, concrete storage and deletion periods are determined. As a result of the principle of earmarking and the requirement to minimize data, responsible bodies are obliged to delete data from their systems without justification. Basically, the deletion concept serves as a guide and proof that how and in what way data protection obligations for the deletion of personal data are fulfilled within the company in a legally compliant manner. Based on the documentation and accountability obligations provided for in the GDPR, deletions made should be documented – albeit without personal reference.

As part of the application of the deletion concept, it is imperative to ensure that no retention obligations relevant to the company are violated. The data to be deleted afterwards will be archived in a secure location outside the active system before being deleted from the active system. It is ensured that only management has access to this archive if they have a legitimate interest in viewing gdpr case studies.