- Liechtenstein’s recommendation makes a clear distinction between “erasure” (irreversible obliteration) and “destruction” (including destruction of the data carrier).
- The draft of the Swiss DPA allows data controllers to choose between erasure and destruction; standard erasure orders are already deemed to be erasure.
The data protection office of the Principality of Liechtenstein has recently launched a Recommendation for the destruction of personal data published. The document is available as a PDF at the following link: www.llv.li/files/dss/pdf-llv-dss-empfehlung-vernichtung-von-daten.pdf. Like the draft Swiss DPA, the Recommendation distinguishes between “erasure” and “destruction” of data. It defines the terms as follows:
At Deletion the Irretrievable destruction or rendering unrecognizable and thus understood to mean the irreversible removal of personal data stored in data collections. This means that previously existing personal data is no longer present or unrecognizable after the process of deletion – the erasure process – and can no longer be reconstructed. Any data carrier can usually be written to and used again after deletion.
At the Destruction the data carrier itself is also destroyed:
In colloquial language, the term destruction is used when the information or the personal reference also the data carrier itself is destroyed.
The document leans obvious and is based on the same concept of deletion. This is not defined in the GDPR; however, the GDPR however, also understands deletion as a process that excludes the perception of the information embodied in the date without disproportionate effort (whereby it is not only a matter of the possibilities of the person responsible).
The draft FADP does not contain a legal definition of destruction or deletion. However, the message comments on this as follows:
The term “Destroy” is stronger than the term “delete” and implies that the data is irretrievably destroyed. If the data exists on paper, this is to be burn or to shred. The destruction of electronic data is more difficult. If the data was transmitted by means of a CD or a USB stick, the data carrier must be rendered unusable and all copies must be handled in such a way that the data can no longer be made readable. In the case of personal data that was transmitted as an attachment to an e‑mail, any intermediate storage of this e‑mail must also be destroyed. Usual deletion commands or a mere reformatting do not represent a destruction, but a deletion.
There are significant differences to the GDPR and the recommendation from Liechtenstein: According to the embassy common delete commands” are already sufficient for a deletion. This is underlined by the fact that “destruction” as definitive deletion refers not only to data carriers – as in the Liechtenstein recommendation – but also to data. Conversely, this confirms that “normal” deletion does not constitute definitive deletion. This is clearly stated in the message following the leading decision BVGE 2015/13.
Interestingly, the draft FADP nowhere explicitly requires destruction; it speaks of “destruction or deletion” in each case. Thus, in each case it should be be left to the person responsible, whether it “deletes” or “destroys”, in application of the principles of data security and thus on the basis of a risk assessment.
For companies in the process of implementation, this is good news: If the GDPR standard is anchored as a group standard, which is common for operational reasons and legal risk considerations, no adaptation for the GDPR will be required in the area of deletion concepts.