Standard of the month, January 2018 (edition 2016-05)
About this standard
When it comes to deleting personally identifiable information (PII), companies often struggle to implement the provisions of the German Federal Data Protection Act (BDSG). Under the BDSG, PII must be deleted without delay once it is no longer needed for the purpose for which it was collected, or if the data subject's legitimate interests preclude any further storage. The provisions of Regulation (EU) 2016/679 (General Data Protection Regulation) must be observed as well. An effective data deletion concept, however, often offers companies benefits beyond the assurance that they are complying with the law.
DIN 66398 provides guidance to help companies develop a concept for deleting PII efficiently. The standard gives recommendations on the contents and structure of the deletion concept and on the allocation of responsibilities within it. The procedure described and the proposed structure are suitable for all PII controllers and rest on the assumption that deleting PII consistently throughout an organization requires a workable compromise between legal provisions and practical requirements.