Data deletion concept

The deletion concept was developed by top.legal to meet the needs of top.legal's customers, with the aim of ensuring compliance with the General Data Protection Regulation (GDPR). It defines in detail the processes for the secure deletion of data, including contract data, templates and user personal data, which are processed within top.legal's Contract Lifecycle Management (CLM) platform.

The General Data Protection Regulation (GDPR) significantly strengthens the protection of personal data within the European Union and challenges companies to rethink and adapt their data processing practices. A central aspect of this is the obligation to minimize data and the associated deletion of data that is no longer required for the original processing purposes. This section outlines a deletion concept that not only serves to comply with the GDPR, but also takes into account commercial and tax storage obligations (GoBD).

The principle of data minimization requires that only personal data that is directly necessary for the specified purposes be collected and processed. As soon as this data has fulfilled its purpose or it no longer exists and there are no legal retention periods to the contrary, it must be deleted.

The deletion concept was developed by top.legal to meet the needs of top.legal's customers, with the aim of ensuring compliance with the General Data Protection Regulation (GDPR). It defines in detail the processes for the secure deletion of data, including contract data, templates and user personal data, which are processed within top.legal's Contract Lifecycle Management (CLM) platform.

Client (responsible person): Determine the purposes and means of data processing and are responsible for compliance with data protection regulations.

‍top.legal (contract processor): Processes personal data on behalf of customers in accordance with customer instructions and legal requirements.

The implementation of a deletion concept within the framework of the General Data Protection Regulation (GDPR) requires precise coordination between the person responsible, i.e. the client, and the order processor, in this case top.legal.

The deletion concept, which is aimed at minimizing personal data, must first be developed and defined by the client. top.legal is then responsible for the technical implementation of these deletion concepts, based on the client's specific requirements and instructions.

The client must make a thorough inventory of all personal data that is processed within his organization. For the present deletion concept for processing data on top.legal, contract processes are primarily included in the evaluation.

As a result, the inventory analysis should determine which data is required for the respective contract processes and thus form the basis for the deletion concept.

As a result, the inventory analysis should determine which data is required for the respective contract processes and thus form the basis for the deletion concept.

Data categories

The client must make a thorough inventory of all personal data that is processed within his organization. For the present deletion concept for processing data on top.legal, contract processes are primarily included in the evaluation.

The system allows contracts to be created and entered via coordinated submission, precise recording and categorization of data to ensure efficient management and compliance with data protection regulations.

As a rule, these agreements include specific categories of data. However, it should be noted that these categories may vary.

Distribution agreements

• Data categories: The information collected includes customer names, contact details, contract terms (products/services, prices, terms) and payment terms. This data provides a comprehensive overview of business relationships and supports sales management.
• Special categories of personal data: As a rule, there is less reason for supplier agreements to collect special categories of personal data, unless they are contracts relating to individual services that require sensitive information.

Labour contracts

• Data categories: The administration of personnel contracts includes employee data such as name, address, date of birth, contract details (e.g. position, salary, working hours) and, if applicable, information on occupational health benefits.
• Special categories of personal data: Staff contracts often include sensitive data, including health information, that is relevant to occupational health services or special working conditions. This data requires additional security measures to ensure employee privacy.

The length of stay defines the period of time in which personal data may be stored, starting from the time it was collected until the moment when it is no longer required for the originally defined purposes and there are no longer any legal storage obligations or reasons. This period of time is determined by the client in accordance with business requirements and legal and regulatory requirements. Defining the length of stay is a central aspect of data protection management, which ensures that personal data is not stored longer than necessary and is then deleted in accordance with data protection regulations.

Distribution agreements

The length of time spent on customer data and details of sales agreements is based on the duration of the business relationship. After this relationship has ended, a period of time is applied which ensures that data is not stored longer than necessary. The specific duration can be determined based on the client's internal guidelines, which often covers a period of up to ten years after the end of the contract in order to comply with commercial and tax law requirements.

Vendor agreements

For data in connection with supplier agreements, the length of stay is also linked to the duration of the business relationship plus any period that begins after the official end of the agreement. This period allows a reasonable period of time for compliance with all legal obligations and is generally set at up to ten years.

Labour contracts

The retention period of data from personnel contracts depends on the respective employment law requirements of the country in which the company operates. In general, data on salary and employment relationships are stored for up to ten years after termination of the employment relationship. For special categories of personal data, such as health information, a shorter period of stay may be appropriate, depending on specific legal requirements and the consent of the person concerned.

These periods of time serve to ensure data protection and at the same time meet operational and legal requirements. They enable the client to practice data protection-compliant and efficient data management by not keeping personal data longer than necessary.

Implementation in top.legal

top.legal offers a systematic solution for managing the retention time of contract data by automating the recording of the conclusion and expiration dates of contracts. This precise recording enables an effective distinction between active and inactive contracts, which is a fundamental requirement for proper data processing and deletion.

After the retention period of contract data has expired, top.legal offers the option of automatically archiving this data once a year upon request. This is done in accordance with storage requirements set out in commercial and tax regulations and the principles of proper accounting and data processing (GoBD). Archiving serves as a preparatory step before final deletion and is carried out in a digital system that is specifically designed to ensure compliance with these legal requirements. This procedure ensures that all relevant data continues to be stored securely, accessible and in accordance with legal requirements even after the immediate period of use has ended.

top.legal supports the client in complying with the legal retention periods through an annual review to determine which contracts are outside the retention period. The primary responsibility for determining and meeting these deadlines lies with the client. top.legal serves as a tool to improve the overview of contract data and its retention status.

• Determination of storage periods: The client is responsible for determining the exact legal storage periods. This includes setting these deadlines based on the respective legal requirements for each category of contract data.
• Updating deadlines: It is also the client's task to inform top.legal of changes in legal regulations or company guidelines so that the annual review can be adjusted accordingly.

Statutory regulations and storage periods

• Distribution agreements: The retention periods for distribution agreements are generally based on commercial and tax law requirements, which provide for a minimum retention period of ten years from the end of the calendar year in which the contract was concluded.
• Vendor agreements: Similar to distribution agreements, supplier agreements must also be kept for at least ten years in order to meet the requirements of commercial and tax law.
• Staff contracts: Depending on the country, there are different retention periods for personnel contracts, which are defined by employment law regulations. Information on salary and employment relationships must often be kept for up to ten years after the employment contract has ended.

In order to meet the requirements of the General Data Protection Regulation (GDPR) and to store personal data only as long as necessary, it is essential that the client set clear deletion rules for each data category. These rules should be based on the collection date, the expected processing time and the start of the respective retention period. The aim is to minimize the number of deletion rules in order to ensure clarity and manageability.

Distribution agreements

Deletion rule recommendation: It is proposed to keep distribution agreement data for up to 10 years after the end of the contract. This recommendation is based on usual legal retention periods and is intended to ensure that sufficient time is available to effectively process potential inquiries or claims. Of course, this recommendation is flexible and can be adapted to the client's individual requirements and ideas.

exception: Should specific legal requirements require longer storage, the deletion period is adjusted accordingly.

Vendor agreements

Deletion rule recommendation: For data collected as part of supplier agreements, we recommend a retention period of up to 10 years after the end of the business relationship. This period of time is designed to meet commercial law requirements and at the same time meet the needs of the company. However, it should be borne in mind that this recommendation can be amended to better meet the client's specific requirements and ideas.

In the event that certain data is relevant in the context of ongoing or potentially pending legal proceedings, it is possible to store this data beyond the general recommendation until it is clear that it is no longer needed. This exemption is intended to ensure flexible handling and protect the legal position of the company.

Labour contracts

Deletion rule recommendation: It is recommended that data from employment contracts, including payslips and social security information, be kept in accordance with employment law regulations for up to 10 years after the termination of employment. This recommendation takes into account the need to meet employment law requirements and at the same time to provide an appropriate basis for any inquiries or claims.

For special categories of personal data, such as health data, which require greater protection, it is advisable to set more specific and often shorter storage periods. These deadlines are based on the particular protection needs of the respective data category and the applicable legal regulations.

Please note that these recommendations are flexible and can be adapted by the client as required to better meet individual requirements and ideas.

After receiving the client's specific deletion concepts, top.legal implements them technically. This includes programming automated deletion processes, setting up notifications to verify manual deletions, and implementing secure deletion procedures to ensure the unrecoverability of deleted data.

Annual review by top.legal

Identification of expired contracts: Once a year, top.legal carries out a review upon request to identify contracts whose term has been exceeded and are therefore considered inactive. This review includes determining which of these contracts are outside their legal retention period.

Unterstützung bei der Feststellung der Fristabläufe: Für Verträge, die die gesetzliche Aufbewahrungsfrist erreicht oder überschritten haben, bietet top.legal eine unterstützende Funktion, indem es diese Informationen dem Auftraggeber zur Verfügung stellt. Diese Funktionalität erleichtert die Entscheidungsfindung bezüglich der Archivierung oder Löschung von Vertragsdaten.

top.legal supports the client by providing detailed logs and reports on the deletion processes carried out. This documentation serves as proof of GDPR compliance and helps answer inquiries from regulators or data subjects.

The client is responsible for reviewing and adapting the deletion concept. It is his responsibility to regularly evaluate the concept with regard to its timeliness and effectiveness. Adjustments are required to respond to legislative changes, technological advancements and changes in business conditions.

The implementation of a successful deletion concept to minimize data requires the client to actively work with top.legal. The client has the role of developing and specifying the deletion concept, while top.legal is responsible for the technical implementation. This division of labor ensures that personal data is processed securely and efficiently in accordance with the principles of data minimization and the requirements of the GDPR.

top.legal implements technical and organizational measures to ensure the security of data processing and to support the protection of personal data against unauthorised access or unintentional deletion.

The processing of deletion requests from data subjects is an essential part of data protection practice and meets the requirements of the General Data Protection Regulation (GDPR). An effective process for dealing with these requests ensures the rights of data subjects and supports compliance with legal requirements. Here is a guide on how deletion requests from affected parties should be handled:

1. Receipt of the request

Registration: All incoming deletion requests are immediately registered. This includes the date of receipt and the contact details of the requester.

Confirmation: The receipt of the request will be confirmed to the person concerned without undue delay, ideally within 24 hours.

2. Identity verification

Verification: Before processing the request, the identity of the requester must be verified to ensure that the request comes from the data subject himself or an authorized person.

Data protection: The information collected for identity verification is used exclusively for this purpose and is deleted after verification is completed.

3. Review of the request

Legality: It is checked whether the request can be accepted, i.e. whether there are no legal storage requirements or other legitimate reasons preventing the deletion.

Scope of data: It is determined which data from the requester is being processed and whether this data is eligible for deletion.

4. Implementation of deletion

Deletion process: If there are no impediments, the relevant personal data will be securely and irretrievably deleted.

Confirmation: The requester is confirmed that the deletion has been carried out in writing or in another suitable form.

5. Documentation

Verification: The request and its processing, including identity verification, decision on the request and confirmation of deletion, are documented. This documentation serves as proof of GDPR compliance.

6. Rejection of the request

Should the request be rejected, the requestor will be provided with clear reasons for this, including information about the right to lodge a complaint with the relevant data protection supervisory authority.

In order to efficiently handle deletion requests from data subjects in accordance with data protection regulations, a clear division of tasks between the client and top.legal is required. Here is a detailed list of the activities, each of which is carried out by the client and by top.legal:

• Receipt and registration of the request: The client is responsible for initial contact. It registers the deletion request and documents its receipt.
• Identity verification: The client performs the necessary verification of the requestor's identity to ensure that the request is legitimate.
• Review of the request: It is up to the client to check whether the request can be accepted, taking into account legal storage obligations or other legitimate reasons that could prevent deletion.
• Communication with the person concerned: The client informs the person concerned that the request has been received, the result of the review and the measures taken (deletion or rejection of the request).
• Documentation and verification: The client documents the entire process of processing the request, including decision-making and communication with the person concerned.

• Technical implementation of the deletion: As soon as the client orders the deletion, top.legal takes over the technical implementation of the deletion in the systems in order to remove the affected data securely and irretrievably.
• Assistance in identifying the data to be deleted: TOP.legal can provide the client with assistance by providing tools or functions that enable easy identification of the data to be deleted.
• Provision of reports: TOP.legal provides the client with reports that document the deletions carried out. These can be used as part of the verification process.
• Support during the annual review: TOP.legal supports the client in the annual review of contracts to determine which are outside the retention period.

When internal users leave the client, their accounts are initially blocked instead of immediately deleted. This is used to prevent direct access to the platform, while at the same time maintaining the ability to back up or store necessary data.

Once a year, top.legal offers the option of deleting blocked (deactivated) user accounts at the client's request. During this process, personal data is overwritten to protect the privacy of affected users.

If internal users have signed contracts or released documents, there may be storage and documentation obligations that prevent the user from being permanently deleted by overwriting them. In such cases, the negotiation history or contract documentation must be retained, even if the user account is deactivated or deleted.

Personal data processed

• Full name of the user, which is used for personal identification and communication.
• Email address: Serves as a primary means of communication and for logging on to the platform.
• Access times: Information about when the user has accessed the platform can be used for security analyses, usage statistics and to optimize the platform.
• Signed contracts: Documents and contracts signed by the user, including the associated negotiation history and approval processes.
• Document approvals: Information about which documents were approved by the user, including the time and recipient of the approval.

Deletion process

For internal user data, the following steps are taken upon request:

• Review of processed data: Determining which user data is stored and whether specific retention periods or legal requirements influence their deletion.
• Deletion of personal identification information: The user's name and email address are overwritten or deleted to remove the identifiability of the person.
• Handling of access data: Access times and other usage data are deleted if they are no longer required for analysis purposes or are subject to legal retention periods.
• Contractual data: Signed contracts and document approvals are processed in accordance with legal retention periods. If users were directly involved in contracts, it may be necessary to keep certain information as part of the negotiation history, even if the user account is deleted.

Documentation

The deletion of user data and the basis for deciding to retain certain information are documented in order to ensure compliance with data protection laws and to be able to prove it if necessary.

External user accounts can be managed directly by internal users with the appropriate authorization. This includes the ability to remove external users as needed or restrict their access to the platform.