Personal data is not for the garbage can

Everyone knows the situation: the mailbox is overflowing and the advertising letters end up in the garbage can, or in the company it's time to empty the filing cabinet again. But can documents containing (third-party) personal data such as name, address, customer number or birthday simply be disposed of in the paper garbage can? And if not, how are such documents disposed of in a manner that complies with data protection regulations?

Disposal in operation

Since the GDPR came into force, companies have been striving to keep sensitive documents locked away, to comply with storage periods and to protect the rights of those affected. Far too often, however, the documents end up in the paper garbage can after the storage period, torn through at best, while external storage media with backups can often be found in the household trash, even in usable condition.

This is a major weak point and regularly gives supervisory authorities cause for complaint, especially since the paper garbage can, which is located on the public road, can be viewed quite easily. These embarrassments should of course be avoided.

Legal basis

Eines der Betroffenenrechte aus der DSGVO findet sich in Art. 17 I DSGVO, nämlich das Right to deletion oder auch das „Recht auf Vergessenwerden“. Nach einer Löschung nach der DSGVO darf keine Möglichkeit mehr bestehen, die betroffenen personal data ohne unverhältnismäßigen Aufwand wahrzunehmen. Die Art und Weise wie dies zu geschehen hat, legt die DSGVO nicht fest. Der Grundgedanke ist nur, dass die Kenntnisnahme der gespeicherten Daten für jedermann zu jeder Zeit tatsächlich unmöglich sein soll. Es kommt dabei nicht darauf an, ob die Daten theoretisch mittels eines speziellen Programmes wiederhergestellt werden könnten.

It is also derived from the purpose limitation principle (Art. 5 I DSGVO) that all data that is no longer required for the original purpose of collection must be deleted without a separate request by the data subject. In practice, this is particularly the case when retention obligations expire or an employment relationship or customer relationship comes to an end.

Special rules exist in national law only for paper files in accordance with § 35 I 1 BDSG if deletion can only take place with disproportionate effort.

A breach of the deletion obligations may result in fines of up to €20 million or 4% of the total annual global revenue generated in the previous financial year.

In addition, data subjects also have the right to transparent information about the storage period of the data.

Practical implementation

In practice, disposal depends not only on the factor of basically existing possibilities, but also on safety levels, effort and available equipment. 

In the case of encodings or virtual links, a reliably irreversible erasure process is needed. In the case of rewritable media, special erasure software must be used to prevent recoverability, but this must always be assessed on a case-by-case basis, particularly with regard to the effort required. In any case, it is not sufficient to take only organizational measures or to simply dispose of data carriers in their original form. In the case of paper documents, hard disks, magnetic tapes, USB sticks, CD-ROMs, DVDs, optical storage media, films and similar data carriers, physical destruction is the main option.

For disposal, certain DIN standards (DIN EN 15713, DIN 66398 and DIN 66399) can be used as a guide. Here you will find classifications in security levels and requirements for document shredders. However, these standards do not have the character of law and the GDPR does not refer to them, so they only serve as orientation.

In addition, the German Federal Office for Information Security (BSI) has issued the Technical Guideline BSI-TL 03420, which concerns the deletion and destruction of information on data carriers that requires protection. This can also help with orientation.

In practice, consultation should always be held with the data protection officer or other specialist personnel in order to develop the most suitable concept for one's own company.

Disposal in private household

Auch im privaten Rahmen werden oft viel zu leichtsinnig Werbeschreiben oder ähnliche Dokumente mit persönlichen Daten im Papiermüll entsorgt, ohne die personal data unkenntlich zu machen. Denken Sie immer daran, dass es sehr einfach ist, auf eine Mülltonne, die offen an der Straße steht, zuzugreifen. Gehen Sie lieber auf Nummer sicher und schreddern Sie Dokumente, die Ihren Namen, Adresse, Kundennummer, Geburtstag oder andere Daten enthalten.