The GDPR stipulates that personal data must be deleted as soon as the purpose for which it was collected ceases to apply. However, there may be regulations for a longer retention period independent of the GDPR. These regulations are usually defined in national legislation, such as retention periods under tax and financial law.

As a reminder: There are also special retention periods for Erasmus+ projects. See the module "Data protection in practice" > Data protection in project follow-up.

Due to the large number of regulations and national differences, we cannot provide any specific deletion periods here. However, our template will help you to document your deletion concept.

Procedure

By documenting the processing activities, you have gained an overview of which personal data is processed in your organisation. Based on this, you can now define when this data is deleted in the deletion concept. 

Check in the following order:

1. Firstly, ask yourself when the purpose of the data processing expires.
2. Then check whether you are subject to other legal regulations when processing the data (e.g. tax or financial laws, regulations for proof of financing or the allocation of public funds).
3. Check whether this results in specific retention periods.
4. You can now use this information to define a deletion rule. The deletion rule consists of a triggering event (e.g. end of the year or termination of the contract) and a deletion period (e.g. 6 months, 1 year, 3 years, etc.).
5. In the last step, clarify how the corresponding deletion rule is implemented. Can the deletion be automated or must a person carry out the deletion manually?  

Templates and documents

• Template of a erasure concept in tabular form (docx-File)
• Information reg. erasure concept (pdf-File)