Personal data is not for the garbage can
Everyone knows the situation: the mailbox is overflowing and the advertising letters end up in the garbage can, or in the company it's time to empty the filing cabinet again. But can documents containing (third-party) personal data such as name, address, customer number or birthday simply be disposed of in the paper garbage can? And if not, how are such documents disposed of in a manner that complies with data protection regulations?
Disposal in operation
Since the GDPR came into force, companies have been striving to keep sensitive documents locked away, to comply with storage periods and to protect the rights of those affected. Far too often, however, the documents end up in the paper garbage can after the storage period, torn through at best, while external storage media with backups can often be found in the household trash, even in usable condition.
This is a major weak point and regularly gives supervisory authorities cause for complaint, especially since the paper garbage can, which is located on the public road, can be viewed quite easily. These embarrassments should of course be avoided.
One of the rights of data subjects under the GDPR is found in Art. 17 I GDPR, namely the right to erasure or the "right to be forgotten". After an erasure according to the GDPR, there may no longer be a possibility to exercise the personal data concerned without disproportionate effort. The way in which this must be done is not specified by the GDPR. The basic idea is only that it should actually be impossible for anyone to take note of the stored data at any time. It does not matter whether the data could theoretically be recovered by means of a special program.
It is also derived from the purpose limitation principle (Art. 5 I DSGVO) that all data that is no longer required for the original purpose of collection must be deleted without a separate request by the data subject. In practice, this is particularly the case when retention obligations expire or an employment relationship or customer relationship comes to an end.
Special rules exist in national law only for paper files in accordance with § 35 I 1 BDSG if deletion can only take place with disproportionate effort.
A breach of the deletion obligations may result in fines of up to €20 million or 4% of the total annual global revenue generated in the previous financial year.
In addition, data subjects also have the right to transparent information about the storage period of the data.
In practice, disposal depends not only on the factor of basically existing possibilities, but also on safety levels, effort and available equipment.
In the case of encodings or virtual links, a reliably irreversible erasure process is needed. In the case of rewritable media, special erasure software must be used to prevent recoverability, but this must always be assessed on a case-by-case basis, particularly with regard to the effort required. In any case, it is not sufficient to take only organizational measures or to simply dispose of data carriers in their original form. In the case of paper documents, hard disks, magnetic tapes, USB sticks, CD-ROMs, DVDs, optical storage media, films and similar data carriers, physical destruction is the main option.
For disposal, certain DIN standards (DIN EN 15713, DIN 66398 and DIN 66399) can be used as a guide. Here you will find classifications in security levels and requirements for document shredders. However, these standards do not have the character of law and the GDPR does not refer to them, so they only serve as orientation.
In addition, the German Federal Office for Information Security (BSI) has issued the Technical Guideline BSI-TL 03420, which concerns the deletion and destruction of information on data carriers that requires protection. This can also help with orientation.
In practice, consultation should always be held with the data protection officer or other specialist personnel in order to develop the most suitable concept for one's own company.
Disposal in private household
Even in a private context, advertising letters or similar documents containing personal data are often disposed of far too carelessly in paper waste without making the personal data unrecognizable. Always keep in mind that it is very easy to access a trash can that is open on the street. Better play it safe and shred documents that contain your name, address, customer number, birthday or other data.