Personal data must be deleted, for example, after the purpose of the processing no longer applies and the necessary retention periods have expired. It is therefore not permissible to retain personal data for an unlimited period of time.
This principle can be implemented most easily by means of a company-wide deletion concept. Here, the different data categories are classified and the deletion periods are defined for each category. Data records must then be deleted from the IT system after the deadlines have expired.
WKO Austria has compiled a list of storage and retention periods. These are well suited as a time basis when creating a deletion concept.
The frequent assumption that data must also be deleted from the backup system is a misconception. However, when data is restored from a backup, any data whose deletion period has already been reached must be deleted again.