During the investigation, the Detective discovered that ABC enters into life insurance contracts as part of its business activity. After the term of contract has expired, ABC retains these contracts to protect its legitimate interests. Nevertheless, there is no legal regulation specifying a uniform period for keeping life insurance contracts or individual personal data included therein. It is the company’s responsibility to specify the deadlines.

The Detective reminds
The storage limitation rule requires that the processed personal data be stored for no longer than is necessary for the purposes for which they are processed. What comes next? To ensure that the entire process is in line with the GDPR, each such printed document containing personal data must be shredded immediately after the expiry of the period for processing all personal data contained therein.
Please note that to ensure compliance with the storage limitation rule, the controller must introduce rules for shredding documents containing personal data.

The Detective recommends

1. Specify for each printed document which data it contains and for which processing purposes it is determined. Note that there is a period determined for each item of personal data over which the processing thereof is necessary.
2. Specify the period over which you are authorised to keep the specific document. Do not forget that the deadline shall expire together with the last deadline for erasing personal data included in the respective document.
3. Introduce a process in your company to ensure that the document will be shredded prior to the expiry of the respective deadline.

After the Detective’s visit, ABC decided that… The period over which contracts must be stored will be 10 years after the contractual relation has terminated. The Civil Code stipulates that the right to insurance payment will become time-barred in this period, which substantiates ABC’s interest in storing this contract for the purpose of defending its rights. After the expiry of the set deadline, the respective documents must be shredded.

The article is part of dReport – July 2018, Legal news.

Do you need to resolve a case that is similar or different to this one? Make an appointment with the Detective and order our online application GDPR Detective. Our Detective will resolve the mysteries of personal data protection for you, even if you have already missed the deadline!

DO NOT MISS OTHER TOPICS…

Please note that in relation to the GDPR it is also necessary to adjust the period over which companies may store CCTV records. The Detective will help you.

How one shall handle data concerning job applicants and existing employees and how the sharing of photographs from a company Christmas party will be affected by the GDPR is also discussed in our next summary not only for HR professionals.