Which requirements must be considered under the principles of protection of employees’ data when storing data / emails?
If and to the extent that the use of d.velop software relates to the processing of personal data (“pd”) of your employees or customers, such processing should always be documented in the d.velop software; the options required for this are available. Only structured storage of pd enables proper implementation of the data subjects’ rights under Art. 12 et seq. GDPR. This is the only way for you to ensure efficient handling of requests by the data subjects (employees, customers, consumers etc.) for information/ access or erasure of their pd or the data subjects’ objections to the processing of their pd. When you introduce your d.velop software for processing activities, you can best implement this by describing in detail the d.velop software and its specific implementation in the light of the requirements of Art. 30 GDPR (records of processing activities and consideration of the requirements to ensure security of processing according to Art. 32 GDPR). d.velop AG will shortly release a product called “d.velop GDPR compliance center” which can help you prepare records of processing activities for all your processing activities including those which are not carried out by means of the d.velop software.
Based on these records of processing activities, a data storage and erasure concept needs to be developed. This concept is meant to structure and define by the various datasets concerned which specific storage periods apply to a certain document or email. There are, for instance, certain commercial letters in terms of § 147 subs. 1, 3 AO (Abgabenordnung – German Tax Code) that are subject to a storage period of 6 years (commercial and business letters), other documents are subject to a storage period of 10 years (books and records, inventories, annual financial statements, annual/ management reports, opening balance sheet and the instructions required for their understanding as well as other organizational documents). When preparing the erasure concept, you can for instance rely on DIN 66398 or other market-usual standards.
To ensure audit-proof archiving in terms of commercial and tax law, documents, emails and other contents are stored in the storage systems in an audit-proof way, based on the PS880 resp. ISAE3000 standard for which d.velop AG has obtained a certification, too. Apart from that, you will presumably have prepared a so-called “procedure documentation” already because such a documentation – which needs to be confirmed by an auditor – is required for the tax authorities to acknowledge audit-proof archiving. This documentation, too, can help you develop the erasure concept.
Where, for instance, a data subject asserts his/her right to erasure under Art. 17 GDPR when he/she has left your company, you have to consider whether you are actually obliged to erase the data. This will in particular be the case when you are no longer entitled to retain a document, email or other contents because the applicable storage period has expired. In this case, storage of the data has been contrary to data protection law already since the time when the storage period expired – presumably already before the data subject has requested erasure. When the storage period has expired and there is no statutory or contractual storage period in terms of § 35 subs. 3 BDSG (Bundesdatenschutzgesetz – German Federal Data Protection Act (new version)) either (Please note: The BDSG (new version) concretizes, among other things, the rights of the data subjects under the GDPR), you are even obliged to erase contents that are stored in an audit-proof manner. If, however, the storage period has not expired yet, you are entitled to continue storage until expiry of the storage period and you have to inform the data subject to that effect. To prevent an unlawful situation from arising in connection with non-satisfaction of the data subjects’ rights, you should provide for automatic erasure to take place when a certain condition occurs (“storage period has expired”) regardless of any specific request (“data subject requests erasure”). The d.velop software enables the implementation of such erasure concepts.