Skip to content
Close
en
de
Book a demo
en
de
Book a demo
About us
Certifications
Career
Newsroom
Events
Whitepaper
Two business people standing in server room with laptop and discussing
Korbinian HermannMar 16, 2026 2:45:51 PM16 min read

GDPR Data Destruction Policy: How Manufacturing Companies Properly Destroy Data

"We delete personal data when we no longer need it." Many companies say this. The GDPR then asks: When do you no longer need it - and can you prove it? Very few have a documented answer to both questions.

The situation is getting worse for production companies: production systems collect personal data in quantities that hardly anyone can keep track of. Machine operator IDs in production logs. User accounts in MES systems. Access data in quality software. Photos of ID documents in plant access systems. Customer data in ERP order histories. All of this is subject to the GDPR - and all of it must be deleted according to a clear concept.

This article explains what a GDPR-compliant deletion concept contains, how the conflict with retention periods under commercial law is resolved, which deletion methods are permitted and when - and how CHRONOS automates the entire process and documents it in an audit-proof manner.

THE MOST IMPORTANT POINTS IN BRIEF

  • A deletion concept in accordance with the GDPR defines for each category of data: when it is deleted (deletion period), how it is deleted (deletion method) and how the deletion is verified (deletion log). Without this concept, every company risks fines of up to 20 million euros.
  • GDPR and HGB/AO contradict each other: Tax-relevant personal data must be stored for up to 10 years according to AO §147, but deleted according to GDPR. Solution: Archiving for a specific purpose - data is retained for tax purposes but blocked for other purposes.
  • Data deletion is not the same as data erasure. 'Deleted' in the sense of the GDPR means that the data can no longer be reconstructed. Simply deleting it from the system while it still exists in the backup is not enough.
  • CHRONOS automates deletion deadlines: data categories are stored with deadlines, deletion processes are logged in an audit-proof manner - as proof for data protection authorities and data subjects.
  • Particularly critical for production companies: MES logs, quality data with employee IDs, access systems, video surveillance and supplier data often contain personal data that goes unnoticed.

IN A NUTSHELL

  • GDPR does not require 'deletion at some point' - it requires a documented concept of when which data is deleted and how. Without a concept, every deletion is not verifiable.

  • The most common compliance pitfall: data is deleted from the production system - but not from backups, archives, test environments and log files. The GDPR requires complete deletion from all systems.

  • The white paper "Why a backup is no longer enough" shows the complete technical framework

What the GDPR specifically requires for erasure

The GDPR contains several standards that establish erasure obligations. The best known is the right to erasure under Art. 17 - the so-called 'right to be forgotten'. But this is only one of several legal bases.

THE FOUR DSGVO OBLIGATIONS RELATING TO ERASURE

  • Art. 5 para. 1 lit. e - Storage limitation: Personal data may only be stored for as long as is necessary for the purpose of processing. This is not an optional rule - it is an obligation to actively delete data.

  • Art. 17 - Right to erasure (right to be forgotten): Data subjects can request erasure. The company then typically has 30 days to delete and inform the data subject.

  • Art. 25 - Data protection by design (Privacy by Design): Deletion periods do not have to be implemented manually - they must be technically embedded. A system without automatic deletion routines does not fulfill Art. 25.

  • Art. 5 para. 2 - Accountability: The company must be able to prove that data has been properly erased. This proof is not possible without an erasure log.

up to € 20 million

GDPR fine max.

Art. 83 para. 5 GDPR

30 days

Time limit for erasure request

Art. 17 GDPR

Art. 5

Obligation to limit storage

GDPR principles

100%

Obligation to erase all systems

Data protection authorities

 

What a deletion concept must contain - the 7 mandatory components

A deletion concept is not an optional document. Data protection authorities expect it as part of the verification process in accordance with Art. 5 para. 2 GDPR (accountability). The following framework corresponds to the standard of the Data Protection Conference (DSK) and the ULD guidelines on erasure concepts.

STEP 1

Processing directory as a basis

Processing directory as a basis

Objective: Complete overview of all data processing operations involving personal data

  • Record all systems that process personal data: ERP, MES, CRM, HR systems, access systems, email, log files
  • For each processing operation: legal basis, purpose, groups of data subjects, data categories, recipients
  • Special feature of production: machine operator IDs in production logs, quality data with personal reference, access systems

Result: Complete processing directory in accordance with Art. 30 GDPR

STEP 2

Define data classes and deletion periods

 

Define data classes and erasure periods

Objective: Assign a specific deletion period and legal basis to each data category

  • Group data categories according to purpose and legal basis (tax obligation, contract, consent, legitimate interest)
  • Deletion period = end of the processing purpose + retention period from other standards, if applicable
  • Conflict check: Where are the GDPR erasure obligation and statutory retention obligation in conflict?
  • Example of employee data: Employment contract ends → blocking of data → tax-relevant data retained for 10 years → then complete erasure

 

Result: Deletion period matrix: Data category → Deadline → Legal basis → Responsible system

STEP 3

Determine technical erasure methods

 

Define technical erasure methods

Goal : Define the appropriate deletion method for each data category and system type

  • Database entries: Cryptographic deletion (destroy keys) or physical deletion
  • Backups: Document backup inclusion of personal data; deletion period according to backup cycle
  • Paper documents: Document destruction in accordance with DIN 66399 (security levels P-2 to P-7 depending on sensitivity)
  • Archive data: Selective deletion of individual data records with deletion log - CHRONOS enables this

 

Result: Technical deletion concept per system category

STEP 4

Define responsibilities and processes

 

Define responsibilities and processes

Objective: Who deletes what - and how is this triggered?

  • Automatic erasure: Store technical erasure deadlines in systems (Art. 25 Privacy by Design)
  • Manual erasure: Process for data subject requests in accordance with Art. 17 (receipt → review → implementation → confirmation)
  • Escalation: What happens if erasure is not technically possible? (e.g. due to retention obligation) → documented exception
  • Responsible parties: DPO, IT, specialist departments - who has which deletion authorizations?

 

Result: Documented deletion process with responsibility matrix

STEP 5

Set up deletion log

 

Set up deletion log

Goal: Document proof of all deletion processes in an audit-proof manner

  • Log every deletion: What was deleted, when, by whom, on what legal basis
  • The deletion log itself must be stored in an audit-proof manner - as proof for authorities and data subjects
  • For requests from data subjects: Confirmation email with reference to deletion log entry
  • Special feature: Deletion from backup systems and archives must also be logged

 

Result: Audit-proof deletion log as proof of compliance

STEP 6

Document exceptions and conflicts

 

Document exceptions and conflicts

Goal: Transparently document cases in which deletion must be postponed

  • Retention obligation: If tax-relevant personal data may not yet be deleted → blocking note + access restrictions
  • Ongoing legal disputes: Data that could be used as evidence must not be deleted
  • Legitimate interest: In individual cases, processing may continue despite deletion request (Art. 17 para. 3)
  • Each exception must be documented with legal basis and expected duration

 

Result: Documented list of exceptions with justifications

STEP 7

Regular review and update

 

Regular review and update

Objective: Deletion concept is not a static document - it must be kept up to date

  • Annual review: Do the defined deadlines still comply with applicable law?
  • For new systems: Adapt the deletion concept before commissioning - not retrospectively
  • Involve the data protection officer: Ensure approval and signature
  • Employee training: All employees with data access know the deletion processes

 

Result: Current, approved deletion concept with version history

 

 

Deletion periods by data category - the reference table

The following table shows retention periods (minimum duration from HGB/AO) and GDPR deletion periods (maximum duration) in direct comparison - for the most common data categories in production companies.

Data category

Retention period

GDPR deletion period

Deletion trigger

Special feature

Customer master data

10 J. (for tax purposes)

After end of contract + tax deadline

End of contract + 10 yrs.

Retain for tax purposes, block for marketing

Order history / invoices

10 J. (AO §147)

Expiry of retention obligation

10 years from invoice date

Delete personal data components after 10 years

Employee master data

10 J. (for tax purposes)

Departure + deadlines

Resignation + 10 years for tax purposes

Applicant data: 6 months after rejection

Wage documents

up to 30 years (SV)

Expiry of pension entitlement

Individual

Check pension notification date as trigger

MES logs (without personal reference)

5-10 J.

No DSGVO obligation

Depending on product liability

As soon as no personal reference: no GDPR problem

MES logs (with machine operator ID)

5-10 J. (product liability)

Purpose not applicable

Pseudonymize after quality check

Pseudonymization as an alternative to deletion

Access system / time recording

2-3 yrs (disputes)

Max. 6 months to 2 yrs.

Company agreement

BetrVG §87 - Involve works council

Video surveillance

72 hours (BDSG §4)

72 h, max. 10 days

Automatically after 72 h

In the event of incidents: Save and document a copy

E-mail inboxes (employees who have left the company)

6 yrs (commercial letters)

30 days after leaving

Departure + 30 days forwarding

Thereafter: Delete or archive and block

Quality data (without personal reference)

10-15 yrs (product liability)

No DSGVO obligation

Depending on industry

In case of doubt, check personal reference

Supplier master data

6-10 J.

End of contract + deadline

End of contract + 10 yrs.

Check contact person data separately

Applicant data

No legal obligation

6 months after rejection

Date of rejection

Consent allows longer storage




GDPR vs. HGB: Conflicts of standards and how production companies resolve them

The most common mistake when dealing with data protection and retention law is to view both standards in isolation. This leads either to GDPR violations (stored for too long) or to tax law risks (deleted too early). The solution lies in a dedicated archiving concept.

NORM CONFLICT: Invoices to private customers

AO §147 / HGB §257

Retention obligation 10 years - even if customer contains personal data

GDPR Art. 17

Deletion as soon as contractual purpose fulfilled and no other reason for processing exists

SOLUTION:

Earmarked archiving: Archive data for tax purposes for 10 years - at the same time technically block for all other purposes (marketing, CRM, product recommendations).

NORMAL CONFLICT: Employee data after termination

AO §147 / Wage law

Retain payroll documents and tax-relevant data for up to 30 years

DSGVO Art. 5

Personal data only as long as absolutely necessary - storage should be minimal after resignation

SOLUTION:

Staged archiving: immediate blocking for operational systems (HR, Active Directory) after leaving. Archive tax-relevant payroll documents separately with access only for the tax/payroll department. Delete non-tax-related data completely.

NORMAL CONFLICT: Supplier data after the end of the contract

HGB §257

Retain contract-related documents for 6-10 years after the end of the contract

DSGVO Art. 17

Delete personal contact data after the end of the contract - no longer an active processing purpose

SOLUTION:

Data separation: Retain company data (supplier GmbH) in accordance with HGB. Delete personal contact data (name, e-mail, telephone of natural persons) after the end of the contract and a reasonable follow-up period

NORM CONFLICT: MES logs with employee IDs

Product liability law

Retain production logs for 5-15 years for product liability evidence

GDPR

Employee IDs in logs are personal data - processing purpose ends with production completion

SOLUTION:

Pseudonymization: Replace employee IDs with pseudonymous codes after quality inspection completion. The original mapping is stored separately and can only be decrypted if necessary (legal dispute). Protocol remains usable for product liability.

 

Special features for production companies: This data is often overlooked

Production companies process personal data in systems that do not appear to be 'data protection systems' at first glance. This is precisely where the most dangerous compliance gaps arise - because no responsibility is clear.

System

Personal data

GDPR relevance

Recommended measure

MES / production SW

Machine operator IDs, shift assignments, performance data

High - direct personal reference

Pseudonymization after quality approval; define deletion period

Access system / locks

Biometrics (fingerprint), access time stamp, photos

Very high - special data category according to Art. 9

Company agreement required; deletion after 72h to 6 months

Video surveillance

Personal recordings, movement profiles

High - special sensitivity

Max. 10 days, secured copy with log in the event of incidents

Quality management system

Inspector IDs, signatures, release logs

Medium - with full traceability High

Pseudonymization possible; product liability has priority

Time recording system

Working hours, breaks, sick notes

High - particularly in need of protection

Observe BetrVG §87; deletion period 2-3 years after works council agreement

ERP system

Customer data, supplier AP, employee data

High - central data storage

Earmarked archiving; blocking/deletion logic per data category

E-mail archive

Communication with customers, employees, authorities

Medium to high

6 years Commercial letters; delete personal content after expiry of deadline

SCADA / IoT systems

Sensor data with operator ID, remote access protocols

Low to medium

Check personal reference; for operator IDs: GDPR-relevant

 

Deletion methods: What 'really deleted' technically means

Erasure in the GDPR sense means that the personal data can no longer be processed and cannot be reconstructed. 'Deleting' a database entry using a DELETE statement is often not enough - the data may still exist in backups, archives, test environments and transaction logs.

Method

Secure?

Verifiable?

Suitable for

Weakness

Logical deletion (DELETE)

No

Conditional

Simple databases without backup requirement

Data often still available in backups/logs

Overwrite (DoD 5220.22-M)

Yes

Conditional

HDDs, magnetic tapes

Not suitable for SSDs and flash memory

Cryptographic erasure

Yes

Yes

Cloud data, encrypted archives

Prerequisite: Encryption from the start

Physical destruction

Yes (100%)

Yes

Defective data carriers, end-of-life

Not scalable; observe DIN 66399

Anonymization

Yes*

Yes

Statistical data, log data

Only if tracing back to a person is really impossible

Pseudonymization

No (subject to GDPR)

Conditionally

Production logs, MES data

Reduces risk - does not completely replace deletion

Selective database archive deletion

Yes

Yes

CHRONOS archive, audit-proof system

Requires archiving system with deletion function

ATTENTION: THE BACKUP TRAP

The most common technical problem: data is deleted from the production system - but the backup that was created 24 hours earlier still contains it.

  • GDPR compliance requires: Deletion from ALL systems - production system, backups, archives, test environments and staging systems.

  • Practical solution: Specify a defined cycle for backup systems, after which the backup is also deleted. Document this cycle in the deletion concept.

  • For archive data: CHRONOS enables the selective deletion of individual data records from the archive - with an audit-proof log. This is the only way to comply with the archiving obligation and GDPR at the same time.

 

CHRONOS: Automated deletion management for production companies

CHRONOS was developed for precisely this challenge: Complying with retention obligations and deletion obligations at the same time - audit-proof, manufacturer-independent and without manual effort. The platform enables what many companies consider impossible: selective deletion of individual data records from an audit-proof archive - with a complete log.

 

Many IT managers think that a deletion concept is a Word document. It is a technical system. Without automation, GDPR-compliant erasure cannot realistically be implemented in production companies.

- Korbinian Hermann Managing Director, CSP Intelligence GmbH

 

Frequently asked questions about the erasure concept and GDPR

As a business, am I required to develop a data erasure policy?

The GDPR does not explicitly mention the term “data erasure policy”—but it contains several obligations that effectively require a documented policy. Article 5(2) (accountability) requires that the organization be able to demonstrate compliance with all data protection principles. Without a documented data erasure policy, this demonstration is not possible. Data protection authorities expect a transparent policy during audits. Failure to do so may result in fines under Article 83 of the GDPR.
How long am I allowed to retain applicants' personal data?

Applicant data may typically be retained for a maximum of 6 months after the application process has been completed (whether the applicant is rejected or accepted). This corresponds to the time limit within which an applicant may still file a discrimination claim under the AGG. After that, the data must be deleted—unless the applicant has expressly consented to remain in a talent pool for a longer period. For accepted applicants, the standard employee data retention periods apply.
Does data also need to be deleted from backups?

Yes – if a right to erasure under Article 17 of the GDPR applies, it applies to all processing systems. In practice, completely erasing data from backups is technically complex. Data protection authorities generally accept a pragmatic solution: the data is deleted from all active systems, and the backup is overwritten during the next backup cycle. This process must be documented. For archived data, CHRONOS is the cleaner solution: selective deletion of individual records is possible.
What is the difference between deleting and anonymizing?

Deletion means that the data is completely and irrevocably destroyed. Anonymization means that the personal reference is removed in such a way that it is no longer possible to identify the individual—even with reasonable effort. Anonymized data is no longer subject to the GDPR. In practice, true anonymization is harder to achieve than is often assumed: pseudonymization (where a key still exists) is not anonymization and remains subject to the GDPR.
How long must the deletion log itself be retained?

The deletion log itself is a record of accountability under Article 5(2) of the GDPR. It should be retained for as long as a legal dispute or an official audit is theoretically still possible. Data protection authorities typically expect the log to be retained for at least three years after the respective deletion. The deletion log itself no longer contains any personal data (only timestamps and data categories)—so there is no GDPR issue with retaining the log for a longer period.
What happens if a data subject requests the deletion of their data and we are legally required to retain it?

Article 17(3) of the GDPR expressly provides for exceptions to the right to erasure—including to comply with a legal obligation. If tax-related data must be retained, the request for erasure may be denied—but only for that purpose. The data subject must be informed of this (reason, legal basis, expected duration). At the same time, all other personal data not protected by a retention obligation must be erased.
Does the data deletion policy also apply to cloud systems?

Yes. When a company processes personal data in cloud systems, the GDPR’s erasure obligations apply in full—regardless of whether the cloud provider is based in the EU or outside it. The data processing agreement (DPA) with the cloud provider must specify how data is to be deleted upon termination of the contract. For cloud archiving solutions, the following applies: Upon exiting the cloud, data must be completely deleted from the provider’s cloud systems, and proof of this must be provided.
How do I create a data deletion policy if I am not a data protection officer?

A pragmatic starting point: Begin with the record of processing activities under Article 30 of the GDPR—this is mandatory for most companies anyway. The data categories are derived from this. For each category: What is the legal basis? When does the purpose end? What statutory retention requirements apply? This determines the retention period. For technical implementation—especially in production environments with complex system landscapes—a DPO or a specialized partner is recommended. CSP offers technical consulting and implementation with CHRONOS.
 

A data retention strategy that really works.

CHRONOS automates retention periods, documents deletion processes in an audit-proof manner, and resolves the conflict between the GDPR and the German Commercial Code (HGB)—without any manual effort.

Request a free consultation
Download the free white paper on audit-proof archiving
avatar
Korbinian Hermann
CEO, CSP Intelligence GmbH
Korbinian Hermann founded CSP with the aim of providing manufacturing companies with the database they need in an emergency. He has 20 years of experience in industrial quality data infrastructure—from data collection to audit-proof long-term archiving.
COMMENTS

RELATED ARTICLES