Legal notice: This content has been prepared and reviewed with the greatest possible care. Nevertheless, top.legal does not warrant the correctness, completeness or topicality of the information provided.
The information provided is also general in nature and does not serve as individual legal advice. For specific legal questions, particularly relating to the General Data Protection Regulation (GDPR), we strongly recommend consulting a qualified attorney.
Introduction
The General Data Protection Regulation (GDPR) significantly strengthens the protection of personal data within the European Union and challenges companies to rethink and adapt their data processing practices
A central aspect is the obligation of data minimization and the related duty to delete data that is no longer required for the original processing purposes
This section outlines a deletion concept that not only serves to comply with the GDPR but also takes into account commercial and tax-law retention obligations (GoBD)
The principle of data minimization requires that only such personal data be collected and processed as is directly necessary for the specified purposes
Once such data has fulfilled its purpose or that purpose no longer exists and no statutory retention periods prevent it, the data must be deleted
Objective
The deletion concept has been tailored to the needs of top.legal customers with the aim of ensuring compliance with the General Data Protection Regulation (GDPR)
It defines in detail the processes for the secure deletion of data, including contract data, templates and personal data of users that are processed within top.legal's Contract Lifecycle Management (CLM) platform
Responsibilities
Client (Controller): Determines the purposes and means of data processing and is responsible for compliance with data protection regulations
top.legal (Processor): Processes personal data on behalf of the Client in accordance with the Client's instructions and legal requirements
Implementation of the deletion concept at top.legal
Implementing a deletion concept under the General Data Protection Regulation (GDPR) requires precise coordination between the controller (the Client) and the processor (in this case, top.legal)
The deletion concept, focused on the minimization of personal data, must first be developed and defined by the Client
top.legal is then responsible for the technical implementation of these deletion concepts, based on the Client's specific requirements and instructions
The Client must conduct a thorough inventory of all personal data processed within its organization
For the present deletion concept regarding data processing on top.legal, contract processes are primarily included in the evaluation
The inventory analysis should determine which data are required for the respective contract processes and thus form the basis for the deletion concept
The system enables the creation and capture of contracts via agreed templates and the precise capture and categorization of data to ensure efficient management and compliance with data protection regulations
As a rule, the named agreements cover specific data categories, although these categories can vary
Sales agreements
Data categories: The information collected includes customer names, contact details, contract terms (products/services, prices, durations) and payment terms; this data enables a comprehensive overview of business relationships and supports sales management
Special categories of personal data: There is generally less occasion to collect special categories of personal data in supplier agreements, unless the contracts concern individual services that require sensitive information
Personnel contracts
Data categories: The management of personnel contracts covers employee data such as name, address, date of birth, contract details (such as position, salary, working hours) and, where applicable, information on company health benefits
Special categories of personal data: Personnel contracts often contain sensitive data including health information that is relevant for company health benefits or special working conditions; this data requires additional protective measures to safeguard employee privacy
The retention period defines the time during which personal data may be stored, starting from the moment of collection until the data is no longer required for the originally defined purposes and no legal retention obligations or grounds remain
This period is determined by the Client in accordance with business requirements and legal and regulatory specifications
Defining the retention period is a central aspect of data protection management, ensuring that personal data is not kept longer than necessary and is subsequently deleted in compliance with data protection rules
Sales agreements
The retention period for customer data and details of sales agreements is based on the duration of the business relationship; after this relationship ends, a deadline is applied to ensure that data is not stored longer than necessary
The specific duration can be set based on the Client's internal policies and frequently covers a period of up to ten years after the end of the contract in order to meet commercial and tax-law requirements
Supplier agreements
For data in connection with supplier agreements, the retention period is likewise linked to the duration of the business relationship plus an optional deadline that begins after the official end of the agreement
This deadline allows an appropriate period to fulfill all legal obligations and is generally set at up to ten years
Personnel contracts
The retention period for data from personnel contracts is governed by the labor-law requirements of the country in which the company operates
Generally, data on salary and employment is kept for up to ten years after the end of the employment relationship
For special categories of personal data such as health information, a shorter retention period may be appropriate, depending on specific statutory requirements and the consent of the data subject
These retention periods serve to ensure data protection while meeting operational and legal requirements, enabling the Client to practice data-protection-compliant and efficient data management
Implementation in top.legal
top.legal provides a systematic solution for managing the retention period of contract data by automating the capture of contract conclusion and expiry dates
This precise capture enables effective differentiation between active and inactive contracts, a fundamental prerequisite for proper data processing and deletion
Once the retention period of contract data has expired, top.legal offers the option to automatically archive this data once a year on request
This is done in accordance with retention requirements set by commercial and tax-law rules and the principles of proper bookkeeping and data processing (GoBD)
Archiving serves as a preparatory step before final deletion and takes place in a digital system specifically designed to ensure compliance with these legal requirements
top.legal supports the Client in complying with statutory retention periods by means of an annual review to determine which contracts fall outside the retention period
Primary responsibility for determining and complying with these periods lies with the Client; top.legal serves as a tool to improve oversight of contract data and its retention status
Determining retention periods: The Client is responsible for the precise determination of statutory retention periods, including setting these periods based on the respective legal requirements for each category of contract data
Updating deadlines: It is likewise the Client's task to inform top.legal of changes to legal regulations or company policies so that the annual review can be adjusted accordingly
Statutory regulations and retention periods
Sales agreements: The retention periods for sales agreements are generally based on commercial and tax-law specifications, which provide for a minimum retention period of ten years from the end of the calendar year in which the contract was concluded
Supplier agreements: Similar to sales agreements, supplier agreements must also be retained for at least ten years to meet the requirements of commercial and tax law
Personnel contracts: For personnel contracts, retention periods vary by country and are set by labor-law provisions; information on salary and employment is often to be retained for up to ten years after the end of the employment relationship
To meet the requirements of the General Data Protection Regulation (GDPR) and to keep personal data only as long as necessary, the Client must establish clear deletion rules for each data category
These rules should be based on the date of collection, the expected processing time and the start of the respective retention period
The goal is to minimize the number of deletion rules to ensure clarity and manageability
Sales agreements
Recommended deletion rule: We suggest retaining data on sales agreements for up to 10 years after the end of the contract; this recommendation is based on customary statutory retention periods and is intended to ensure that sufficient time is available to handle any inquiries or claims effectively
Exception: Should specific legal requirements demand a longer retention, the deletion period will adjust accordingly
Supplier agreements
Recommended deletion rule: For data collected within the scope of supplier agreements, we recommend a retention period of up to 10 years after the end of the business relationship; this period is designed to meet commercial-law requirements while also accommodating the company's needs
If certain data is relevant in the context of pending or potentially upcoming legal proceedings, there is the option to store this data beyond the general recommendation until it is established that it is no longer needed
Personnel contracts
Recommended deletion rule: It is suggested that data from personnel contracts, including payroll statements and social insurance information, be retained in accordance with labor-law requirements for a period of up to 10 years after the end of the employment relationship
For special categories of personal data such as health data, which have a higher protection requirement, it is advisable to apply more specific and often shorter retention periods that align with the special protection needs of the respective data category and applicable legal requirements
Please note that these recommendations are flexible and can be adapted by the Client as needed to better suit individual requirements
After receiving the Client's specific deletion concepts, top.legal implements them technically; this includes the programming of automated deletion processes, the setup of notifications for reviewing manual deletion operations and the implementation of secure deletion procedures to ensure the irrecoverability of deleted data
Annual review by top.legal
Identification of expired contracts: Once a year, top.legal performs a review on request to identify contracts whose term has been exceeded and which are therefore considered inactive; this review includes determining which of these contracts fall outside their statutory retention period
Support in determining deadline expiry: For contracts that have reached or exceeded the statutory retention period, top.legal provides a supporting function by making this information available to the Client, facilitating decisions about the archiving or deletion of contract data
top.legal supports the Client by providing detailed logs and reports on the deletions performed; this documentation serves as proof of GDPR compliance and helps in responding to inquiries from supervisory authorities or data subjects
Regular review and adjustment
The review and adjustment of the deletion concept is the Client's responsibility; it is the Client's duty to regularly evaluate the concept for its currency and effectiveness
Adjustments are required to respond to legislative changes, technological advances and changes in business conditions
Implementing a successful deletion concept for data minimization requires the Client to actively cooperate with top.legal; the Client's role is to develop and specify the deletion concept, while top.legal is responsible for the technical implementation
Through this division of work, personal data is processed securely and efficiently in accordance with the principles of data minimization and the requirements of the GDPR
Technical and organizational measures
top.legal implements technical and organizational measures to ensure the security of data processing and to help protect personal data from unauthorized access or unintentional deletion
Handling deletion requests from data subjects
Handling deletion requests from data subjects is an essential part of data protection practice and corresponds to the requirements of the General Data Protection Regulation (GDPR)
An effective procedure for handling these requests safeguards the rights of data subjects and supports compliance with legal regulations
- 01 Receipt of the request. Registration: All incoming deletion requests are registered immediately, including the date of receipt and the contact details of the requester. Confirmation: Receipt of the request is confirmed to the data subject without undue delay, ideally within 24 hours
- 02 Identity verification. Verification: Before the request is processed, the identity of the requester must be verified to ensure that the request comes from the data subject or an authorized person. Data protection: Information collected for identity verification is used exclusively for this purpose and deleted once verification is complete
- 03 Review of the request. Lawfulness: It is reviewed whether the request can be granted, specifically whether no statutory retention obligations or other legitimate grounds preclude deletion. Data scope: It is determined which data of the requester is processed and whether this data is eligible for deletion
- 04 Implementation of the deletion. Deletion process: If no obstacles exist, the relevant personal data is deleted securely and irretrievably. Confirmation: The performance of the deletion is confirmed to the requester in writing or in another suitable form
- 05 Documentation. Record keeping: The request and its processing, including identity verification, the decision on the request and confirmation of deletion, are documented; this documentation serves as proof of GDPR compliance
- 06 Refusal of the request. Should the request be refused, the requester is given a clear justification, including information on the right to lodge a complaint with the competent data protection supervisory authority
Receipt and registration of the request: The Client is responsible for the first contact, registers the deletion request and documents its receipt
Identity verification: The Client performs the necessary verification of the requester's identity to ensure that the request is legitimate
Review of the request: It is incumbent on the Client to review whether the request can be granted, taking into account statutory retention obligations or other legitimate grounds that may oppose deletion
Communication with the data subject: The Client informs the data subject of the receipt of the request, the outcome of the review and the measures taken (deletion or refusal of the request)
Documentation and record keeping: The Client documents the entire process of handling the request, including decision-making and communication with the data subject
Technical implementation of the deletion: As soon as the Client orders deletion, top.legal performs the technical deletion in the systems to securely and irretrievably remove the affected data
Support in identifying the data to be deleted: top.legal can assist the Client by providing tools or features that enable easy identification of the data to be deleted
Provision of reports: top.legal provides the Client with reports documenting the deletions performed; these can be used as part of record keeping
Support with the annual review: top.legal supports the Client in the annual review of contracts to determine which fall outside the retention period
Procedure for the deletion of user data
When internal users leave the Client, their accounts are first deactivated rather than immediately deleted; this serves to prevent direct access to the platform while preserving the ability to secure or retain necessary data
Once a year, top.legal offers the option to delete deactivated user accounts on the Client's request; in this process, personal data is overwritten to protect the privacy of the affected users
If internal users have signed contracts or released documents, retention and proof obligations may exist that prevent the final deletion of the user by overwriting; in such cases, the negotiation history or documentation of the contracts must be preserved even if the user account is deactivated or deleted
Processed personal data
Full name: The user's full name, used for personal identification and communication
Email address: Serves as the primary means of communication and for logging into the platform
Access times: Information about when the user accessed the platform, used for security analyses, usage statistics and platform optimization
Signed contracts: Documents and contracts signed by the user, including the associated negotiation history and release processes
Document releases: Information about which documents have been released by the user, including the time and recipient of the release
Deletion process
When deleting internal user data, the following steps are taken on request:
Review of processed data: Determining which data of the user is stored and whether specific retention periods or legal requirements affect their deletion
Deletion of personally identifying information: The name and email address of the user are overwritten or deleted to remove the identifiability of the person
Handling of access data: Access times and other usage data are deleted, provided they are no longer needed for analysis purposes or subject to statutory retention periods
Contract-related data: Signed contracts and document releases are handled in accordance with statutory retention periods; if users were directly involved in contracts, certain information may need to be retained as part of the negotiation history even if the user account is deleted
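As an added illustration, not top.legal's own code, the following Python sketch models the deletion steps above together with the annual review and the ten-year retention rules stated earlier on this page: inactive contracts are split by retention status, and a deactivated user's name and email are overwritten while contract references to the user id stay intact so the negotiation history of contracts still under retention is preserved. The class and function names, the counting of the period from the end of the calendar year in which the contract ended, and the absence of a retention obligation on access times are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention periods in years per contract category, as stated on this page
# (up to ten years after the end of the contract or employment relationship).
RETENTION_YEARS = {"sales": 10, "supplier": 10, "personnel": 10}


@dataclass
class Contract:
    contract_id: str
    category: str
    end_date: Optional[date]                 # None means the contract is still active
    signer_ids: list = field(default_factory=list)  # internal users who signed


@dataclass
class User:
    user_id: str
    name: str
    email: str
    deactivated: bool
    access_times: list = field(default_factory=list)


def retention_expiry(contract: Contract) -> Optional[date]:
    """Last day of the retention period, or None for an active contract.
    Assumption: the period runs from the end of the calendar year in which
    the contract ended, as commercial and tax-law periods usually do."""
    if contract.end_date is None:
        return None
    years = RETENTION_YEARS[contract.category]
    return date(contract.end_date.year + years, 12, 31)


def annual_review(contracts, today: date):
    """Split inactive contracts into those outside their retention period
    (candidates for the Client's archiving/deletion decision) and those that
    must still be kept. Active contracts are not reviewed."""
    outside, inside = [], []
    for c in contracts:
        if c.end_date is None or c.end_date > today:
            continue
        expiry = retention_expiry(c)
        (outside if expiry < today else inside).append(c.contract_id)
    return outside, inside


def delete_user(user: User, contracts, today: date) -> dict:
    """Overwrite the identifying fields of a deactivated user in place and
    return a documentation record naming the contracts whose history is kept.
    Contracts reference user_id, not name or email, so they stay readable."""
    if not user.deactivated:
        raise ValueError("account must be deactivated before deletion")
    retained = [c.contract_id for c in contracts
                if user.user_id in c.signer_ids
                and (retention_expiry(c) is None or retention_expiry(c) >= today)]
    user.name = "deleted user"                      # overwrite, not just hide
    user.email = f"deleted-{user.user_id}@invalid"  # non-routable placeholder
    user.access_times.clear()                       # assumed: no retention duty
    return {"user_id": user.user_id, "deleted_on": today.isoformat(),
            "contracts_retained": retained,
            "basis": "statutory retention period" if retained else None}
```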
Documentation
The deletion of user data and the basis for retaining certain information are documented to ensure compliance with data protection laws and to demonstrate this when required
External user accounts can be managed directly by internal users with the appropriate permission; this includes the ability to remove external users when necessary or to restrict their access to the platform