The most important facts at a glance
- Right to erasure under GDPR: Personal data must be erased as soon as the purpose of processing ceases to exist, unless statutory retention obligations prevent this.
- Observe retention periods: The Commercial Code (HGB) and the Fiscal Code (AO) require certain documents to be kept for six to ten years. For as long as such a period runs, it takes precedence over the data protection obligation to erase.
- Documentation obligation: Companies must be able to prove when and why data was deleted or retained – a structured deletion concept is essential.
Between the duty to delete and the duty to retain
The question of when data must be deleted is one of the most common challenges in corporate data protection. Companies operate in a conflict zone: on the one hand, the General Data Protection Regulation requires the prompt deletion of personal data when it is no longer needed. On the other hand, the Commercial Code, the Tax Code, and other regulations mandate the retention of certain documents for years.
This balancing act is more than just a legal obligation. Storing data for too long can lead to fines from supervisory authorities; deleting it too early creates economic and tax risks, because sanctions can be imposed during an audit if relevant documents were destroyed prematurely.
Legal Basis: GDPR and National Regulations
Duty to erase under Article 17 GDPR
The General Data Protection Regulation, in Article 17, regulates the right to erasure, the so-called "right to be forgotten." Accordingly, personal data must be erased without delay if one of the following grounds applies:
- The data are no longer necessary for the purposes for which they were collected. For example, application documents of a rejected candidate must be deleted after the selection process is completed, unless there is a legal retention obligation.
- The affected person withdraws their consent and there exists no other legal basis for the processing.
- The data subject objects to the processing, and there are no overriding legitimate grounds for further processing. This includes, for example, objections to direct marketing.
- The data was processed unlawfully. If it is subsequently determined that data processing occurred without a legal basis, immediate deletion is required.
- The erasure of personal data is necessary for the controller to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject.
The principle of storage limitation
Art. 5(1)(e) GDPR enshrines the principle of storage limitation as one of the central data protection principles. Personal data may only be stored in an identifiable form for as long as is necessary for the purposes of processing. This principle obliges companies to regularly review their data holdings.
Commercial and tax retention obligations
The data protection law's obligation to delete data often conflicts with retention obligations from other legal areas. The German Commercial Code and the Fiscal Code oblige companies to archive certain documents.
According to § 257 of the German Commercial Code (HGB), commercial books, inventories, opening balance sheets, annual financial statements, management reports, and consolidated financial statements must be kept for ten years. Received commercial and business letters, as well as copies of sent letters, are subject to a six-year retention period.
Section 147 of the German Fiscal Code (AO) likewise mandates a ten-year retention period for books and records, annual financial statements and inventories. Accounting vouchers have been subject to an eight-year period since 2025; for other tax-relevant documents, such as received and sent commercial letters, a six-year period applies.
Principles of Proper Bookkeeping
The GoBD specifies the requirements for electronic bookkeeping and the storage of tax-relevant data. These principles require not only the mere storage but also the immutability, traceability, and auditability of the archived data.
Particularly relevant for data protection is: The GoBD also accept storage in encrypted or pseudonymized form, provided that tax auditability is maintained. Companies can therefore choose data protection-friendly archiving methods, as long as the tax authorities can access the original data in readable, machine-evaluable form if necessary. In practice this means the decryption keys and the pseudonym mapping must themselves be kept and protected for the full retention period; destroying the key early would amount to premature deletion of the archived documents.
Key aspects: When does the deletion obligation apply and when not?
The priority of statutory retention obligations
The GDPR expressly recognizes that retention obligations from other legal areas take precedence over the obligation to erase. Art. 17 para. 3 lit. b GDPR names the fulfillment of a legal obligation as an exception to the right to erasure.
In practice, this means: As long as a retention obligation under commercial or tax law exists, the affected data may and must remain stored. Only after these periods have expired does the data protection law's obligation to delete take full effect again.
The crucial aspect here is the precise determination of which data actually falls under the retention obligation. Not every document containing personal data is subject to a retention obligation. For example, emails with purely private exchanges that have no business relevance do not need to be archived, even if they were exchanged between business partners.
Legitimate interests as a basis for storage
In addition to legal obligations, the legitimate interests of the controller may also justify further storage. Article 6(1)(f) GDPR permits processing if it is necessary for the purposes of the legitimate interests pursued by the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override them.
Typical examples include storage for evidence preservation in anticipation of legal disputes or for documenting contract executions beyond the statutory warranty period. The defense against liability claims can also justify extended storage.
However, invoking legitimate interests always requires a balancing of interests on a case-by-case basis. This must be documented and clearly explain why the interest in retention outweighs the data subject's interest in erasure.
Practical tips for a legally compliant deletion concept
Create a comprehensive deletion concept
A deletion concept systematically documents which data must be deleted at which times. It should cover all of the company's processing activities and include the following elements:
- Identification of all data inventories and processing activities, ideally based on the record of processing activities.
- Defining the storage duration for each data category, taking into account the purpose of processing, legal retention periods, and legitimate interests.
- Definition of deletion criteria, i.e., the events that trigger the start of the deletion period.
- Description of the technical and organizational measures for the implementation of deletion.
- Naming of responsible persons and process flows.
Implement automated deletion processes
Manual deletion processes are prone to errors and hardly practical for large data sets. Modern database systems and document management systems offer functions for automatic deletion upon expiration of defined deadlines.
Set up workflow systems that automatically initiate deletion processes when certain events occur, such as contract end or deadline expiration. Implement warning mechanisms that flag necessary decisions before critical deadlines expire.
When archiving, store the planned deletion date together with the rule and the triggering event that produced it as metadata on the record. This allows data sets whose retention periods have expired to be identified and the calculation to be checked even years later.
Distinguish between the obligation to store and the possibility of storing
Not every storage that is legally permissible is also required by data protection law. In your deletion concept, distinguish between data that must be retained due to legal obligations and data for which only legitimate interests exist.
For the second category, you should regularly review whether the balancing of interests still favors storage. If circumstances change, storage that was originally justified may become impermissible.
Document all balancing of interests in writing. In the event of a data protection audit or when exercising data subject rights, you must be able to provide a comprehensible justification for your decisions.
Train your employees
A deletion concept is only as good as its implementation. Raise awareness among your employees about the importance of data protection-compliant deletion. Training should cover which data must be deleted and when, and how the deletion should be technically carried out.
It is particularly important to educate about the tension between retention and deletion obligations. Employees must understand that deletion is not automatically "good" and storage is not automatically "bad."
Establish clear responsibilities and reporting lines. If an employee is unsure whether data may be deleted, they must know who to contact.
Document all deletions
The GDPR requires accountability in Article 5(2): You must be able to prove that you are acting in compliance with data protection regulations. Therefore, document all deletions carried out with the date, type of data deleted, and reason for deletion. The log itself should reference the deleted record by an internal identifier rather than reproduce its contents; otherwise the deletion record quietly retains the very data it is meant to prove gone.
This documentation serves not only for compliance but also protects against unjustified accusations. If an affected person claims you did not delete their data despite their request, you can prove the opposite using the logs.
Conversely, during an audit by the tax authorities, you must be able to prove that documents subject to retention obligations have not been deleted prematurely. Seamless documentation creates legal certainty here.
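The automated deletion process described above (deadline calculation from a triggering event, warnings before deadlines expire, statutory retention taking precedence) and the deletion log required by the accountability principle fit naturally into one small scheduler. The following Python block is an added example written for this page, not the page's or any vendor's own tooling. The category names, the six-month and zero-month periods for non-statutory data, the sample records and the logging key are constructed assumptions; the ten-, eight- and six-year periods follow the text, and the rule that statutory periods begin at the end of the calendar year of the triggering event is an assumption taken from Section 257(5) HGB and Section 147(4) AO.

```python
"""Retention-aware deletion scheduler with an accountability log.

Added example, not the page's own tooling. Categories, non-statutory periods,
sample records and LOG_KEY are constructed assumptions for illustration.
"""
import calendar
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    months: int           # length of the retention period
    statutory: bool       # True: legal retention obligation, Art. 17(3)(b) GDPR
    year_end_start: bool  # True: period starts at the end of the trigger's calendar year


# Statutory periods as on the page (HGB 257 / AO 147: 10, 8 and 6 years).
# The year-end start is an assumption taken from 257(5) HGB / 147(4) AO.
# The 6-month and 0-month rules are illustrative internal policy choices.
RULES = {
    "commercial_book":    RetentionRule(10 * 12, True, True),
    "accounting_voucher": RetentionRule(8 * 12, True, True),
    "commercial_letter":  RetentionRule(6 * 12, True, True),
    "applicant_file":     RetentionRule(6, False, False),
    "marketing_profile":  RetentionRule(0, False, False),  # delete on objection
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger: date             # event starting the period: contract end, rejection, objection
    legal_hold: bool = False  # documented legitimate interest, e.g. a pending dispute


def add_months(d: date, months: int) -> date:
    """Calendar-safe month addition (clamps to the last day of the target month)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last))


def retention_end(rec: Record) -> date:
    """Last day on which the record must (statutory) or may still be kept."""
    rule = RULES[rec.category]
    start = date(rec.trigger.year, 12, 31) if rule.year_end_start else rec.trigger
    return add_months(start, rule.months)


def classify(rec: Record, today: date, warn_days: int = 180) -> str:
    """Return 'hold', 'retain', 'warn' or 'delete' for one record as of today."""
    if rec.legal_hold:
        return "hold"  # balancing of interests documented elsewhere; never auto-delete
    end = retention_end(rec)
    if today > end:
        return "delete"
    if (end - today).days <= warn_days:
        return "warn"  # a decision (extend, hold, delete) is due before the deadline
    return "retain"


LOG_KEY = b"demo-key-rotate-in-production"  # assumed; keeps log references pseudonymous


def log_entry(rec: Record, today: date, actor: str) -> dict:
    """Accountability record (Art. 5(2)): date, data type, reason, actor.
    The record is referenced by a keyed hash so the log does not retain
    the personal data it proves deleted."""
    rule = RULES[rec.category]
    reason = ("statutory retention period expired" if rule.statutory
              else "purpose ended, no retention obligation or legitimate interest")
    ref = hmac.new(LOG_KEY, rec.record_id.encode(), hashlib.sha256).hexdigest()[:16]
    return {"date": today.isoformat(), "category": rec.category,
            "record_ref": ref, "reason": reason, "actor": actor}


def run(records, today: date, actor: str) -> dict:
    """One scheduler pass: deletion log for due records plus the other buckets."""
    out = {"deleted": [], "warn": [], "hold": [], "retain": []}
    for rec in records:
        status = classify(rec, today)
        if status == "delete":
            out["deleted"].append(log_entry(rec, today, actor))
        else:
            out[status].append(rec.record_id)
    return out


# Constructed sample inventory (not real data) and an assumed run date.
TODAY = date(2025, 9, 1)
SAMPLE = [
    Record("inv-2016-0042", "accounting_voucher", date(2016, 6, 30)),   # period ended 2024-12-31
    Record("inv-2017-0007", "accounting_voucher", date(2017, 2, 10)),   # ends 2025-12-31: warn
    Record("letter-2022-13", "commercial_letter", date(2022, 5, 5)),    # ends 2028-12-31
    Record("cand-2025-011", "applicant_file", date(2025, 1, 20)),       # ended 2025-07-20
    Record("cand-2025-019", "applicant_file", date(2025, 1, 20), legal_hold=True),
    Record("mkt-88213", "marketing_profile", date(2025, 8, 31)),        # objection received
]

if __name__ == "__main__":
    for bucket, items in run(SAMPLE, TODAY, actor="retention-job").items():
        print(bucket, items)
```

The scheduler never deletes a record under legal hold and computes statutory deadlines from the year end, so a voucher created in June 2016 is still due for retention through 2024-12-31 and only becomes deletable in 2025. The "warn" bucket is the mechanism the text calls for: it surfaces records whose period ends within the warning window so that a legitimate-interest decision can be taken and documented before the deadline passes, rather than after.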
Checklist: Your Path to a Legally Sound Deletion Concept
Inventory
- Create an overview of all processing activities
- Identify all data sets and their locations
- Capture existing deletion deadlines and routines
Legal review:
- Determine the purpose of processing for each data category
- Check legal retention obligations (HGB, AO, others)
- Evaluate legitimate interests for further storage
- Conduct and document interest balancing.
Deadline determination:
- Set specific deletion deadlines for each data category
- Define events that trigger the start of the deadline
- Consider transition periods and buffer times
- Create a clear deadline table
Technical Implementation:
- Implement automated deletion processes where possible
- Set up reminder functions for manual deletions
- Ensure secure deletion procedures
- Test the functionality of the deletion mechanisms
Organization:
- Name those responsible for deletion operations
- Create work instructions and process descriptions
- Train all affected employees
- Establish control mechanisms
Documentation:
- Record the deletion concept in writing
- Log all deletions performed
- Update the documentation upon changes
- Archive evidence for accountability
Regular review:
- Plan annual concept reviews
- Adjust deadlines according to changed legal situations
- Respond to new regulatory agency recommendations
- Optimize processes based on gained experience
Between duty and pragmatism
The question of when data must be deleted cannot be answered with a blanket statement. Each company must develop an individual deletion concept that takes into account specific processing activities, industry and company-specific particularities, as well as complex legal frameworks.
The tension between the data protection obligation to delete and the commercial law obligation to retain requires differentiated solutions. Blanket storage "just in case" is as problematic as hasty deletion of tax-relevant documents.
A well-thought-out deletion concept not only protects against data protection violations and fines but also reduces liability risks during operational audits. It creates transparency about existing data stocks and facilitates the fulfillment of data subject rights.
Investing in structured data management with clear deletion and retention periods pays off in multiple ways: legally, organizationally, and not least economically through reduced storage requirements and more efficient processes.
Are you unsure if your deletion concept meets current requirements? We will support you in developing practical solutions that combine legal certainty with operational feasibility. Schedule a consultation to analyze your individual situation.
Frequently asked questions
What happens if documents subject to retention obligations are deleted too early?
Premature deletion of documents subject to retention requirements can lead to tax penalties. The tax authorities may reject the regularity of the bookkeeping and estimate the tax base. In severe cases, criminal consequences for tax evasion may even be threatened. Furthermore, you may be unable to provide evidence in legal disputes if relevant documents are no longer available.
Does the GDPR also apply to paper files?
Yes, the GDPR is media-independent and covers all personal data, whether stored digitally or on paper. Physical files must also be destroyed after the retention periods expire, using data protection-compliant disposal methods. Documents containing personal data should be shredded or destroyed by certified disposal companies.
Must customer data be deleted immediately if the customer requests it?
Not in every case. If statutory retention obligations exist or legitimate interests justify further storage, deletion may be refused. The customer must then be informed of the reasons. However, pure marketing data without a retention obligation must be deleted immediately.
How long may applicant documents be stored?
Upon completion of the application process, documents of rejected applicants should generally be deleted within six months. This period takes into account possible claims under the AGG (General Act on Equal Treatment). For hired applicants, the documents become part of the personnel file and are then subject to the retention periods for employee data. Longer storage in an applicant pool is only permitted with explicit consent.
Does the GDPR also apply to data about business partners?
Yes, data about business partners is also subject to the GDPR. After the business relationship has ended, the same principles apply as with customer data. Documents subject to retention requirements, such as invoices, must be archived. Beyond that, contact histories or preferences should be deleted unless there is a legitimate interest in storing them.
What must a deletion record contain?
A deletion record should contain at least the following information: date of deletion, type and scope of the deleted data, reason for deletion, and the person (or system job) performing the deletion. For automated deletions, a system log with corresponding timestamps is sufficient. The record should identify the data by an internal reference rather than reproduce its content. It is important that you can prove that specific data has actually been deleted if necessary.
What applies when data is stored with a cloud provider?
When using cloud services, you remain responsible for compliant deletion. The data processing agreement with the cloud provider under Article 28 GDPR must specify how and when data is deleted. Verify whether the provider is technically capable of implementing your deletion requirements and whether it confirms completed deletions. Special caution is advised where data is replicated across multiple data centers or held in backups: in such cases, it must be ensured that deletions actually cover all copies, or that the remaining copies are overwritten or expire within a defined period.