If you are interested in ecology and recycling - sign up for our newsletter
Data Destruction and GDPR
With the implementation of the European Union's General Data Protection Regulation (GDPR), the rules for processing, storing, and destroying data have been regulated and specified. According to the overriding principle of this regulation, personal data should be disposed of in such a way as to prevent their reconstruction. Improper data destruction, if inspected, can lead to high penalties from the General Data Protection Inspectorate. Therefore, it is crucial to carry out data destruction well and effectively. GDPR does not specify a method for data destruction, so there is flexibility. The most important aspect from the perspective of the EU regulation is the immediate deletion of all data for which the legal interest of the administrator in their processing has ceased.
Data Destruction - The Currently Applicable Standard
Currently, DIN 66399 standard, developed by the German Committee for Standardization in Information Technology and Applications (Standards Committee for Information Technology and Applications), governs document destruction. This standard was created in response to the dynamic development and emergence of data carriers other than paper, to accommodate new needs and technologies. DIN 66399 regulates the requirements and obligations for the secure destruction of documents and data carriers. Familiarity with this standard is essential in the data destruction industry, as well as for manufacturers of destruction devices and systems.
DIN 66399 identifies 6 types of data carriers, including CDs/DVDs, hard drives, memory cards, chip cards, and magnetic tape cards. It also differentiates 3 classes of data protection: the first class should guarantee a standard level of protection, the second class - used for confidential documents available to a select few - requires increased data protection. The last - protection class 3 - represents the highest level of protection, covering confidential and secret data, the disclosure of which would pose very serious consequences for a company or institution.
Data and Data Carrier Destruction - Do It Yourself or Entrust a Specialized Entity?
An entity processing and storing personal data - on physical carriers or in electronic form - can undertake the task of their destruction when the legal interest in processing them ceases. Alternatively, services of a specialized entity can be used. To ensure everything is in accordance with the law and current regulations, an appropriate agreement should be signed before handing over carriers or data for destruction. This agreement should define the scope of action, the entity's obligations, deadlines, and remuneration. From the GDPR perspective, the most crucial aspect is drafting a data processing agreement with such an entity. Companies specialized in destroying documents and data carriers guarantee that they have the appropriate technical and organizational means to remove documents in accordance with GDPR regulations. After data elimination, the entity that performed this action should prepare a handover protocol and issue a certificate confirming the destruction of the documents (usually attached to the VAT invoice).