The draft Regulation on the Deletion, Destruction and Anonymisation of Personal Data has been disclosed for public comments. These can be submitted through a dedicated form until 12 June 2017.

The draft regulation confirms that data controllers who are under the obligation to register with the Data Controller Registry must also prepare a data retention and disposal policy, as already set forth in the draft Regulation on the Data Controller Registry which was published for comments on 5 May 2017. Those who have no obligation to prepare a data retention and disposal policy, however, must still delete, destroy or anonymise personal data in accordance with the Data Protection Law and other regulations.

The data retention and disposal policy must include information in relation to the purpose of the policy, the recording medium, the definition of legal and technical terms, the grounds for the storage and deletion of personal data, the technical and administrative measures taken to ensure secure storage and prevent unlawful processing and access, the technical and administrative measures taken for the compliant disposal of personal data, the names and responsibilities of those who are involved in the storage and disposal of personal data, and the periodical destruction periods.

The draft regulation defines the deletion of personal data as the process of rendering the data totally impossible to access or use again for relevant users. However, if the deletion of personal data would result in the inability to access and use other data within the system, the data will be deemed deleted if (i) it is archived in a way that it cannot be associated with the data subject, (ii) it has been blocked against access by other organisations or individuals and (iii) all measures have been taken to ensure that it can only be accessed by authorised persons.

In contrast with deletion, destruction is defined as putting the physical storage media on which the personal data is kept in a state where the data can no longer be re-accessed or used. Finally, the draft regulation specifies that anonymisation, which was already defined by the Data Protection Law, implies that the data must be made impossible to associate with any identified or identifiable person, whether through the use of recovery techniques or by matching it with other data.

Data controllers who must prepare a data retention and disposal policy must delete, destroy or anonymise the personal data they control within the first periodical destruction period (as defined in the policy) after the legal obligation to discard the data arises, i.e., where the legal grounds for the processing to be allowed cease to exist. In the absence of a data retention and disposal policy, such period is 30 days. The periodical disposal periods can be determined by the Data Protection Authority, taking into account the activity and sector, but cannot be longer than 90 days.

The draft regulation finally restates that the data subjects' deletion or destruction requests to data controllers must be fulfilled within 30 days if the legal ground for processing the data no longer exists. If there is still a legal ground to process the data, the data controller may reject such request with a written or electronic notification explaining the reason for the rejection within 30 days.

The regulation is expected to be finalised and published shortly after the public comments period ends and suggestions have been processed; it should enter into force immediately upon publication.
