Deletion of data and storage period
We will generally delete or block personal data once the purpose of the storage of the data no longer applies. Furthermore, data may also be stored if this storage is permitted by the European or national legislative authorities in EU regulations, laws or other guidelines to which we as controller are subject. Data is also deleted or made unavailable to users once the storage period defined by the specified norms elapses as long as continued storage of the data is not required in order to conclude or perform a contract.
Specifically, this means:
When we process personal data on the basis of consent given to the processing of data (Article 6(1)(a) of the EC General Data Protection Regulation or GDPR), processing ends when you withdraw your consent, unless there is another valid legal reason for your data to be processed, which is the case when we are still authorized to process your data for the purpose of performance of a contract at the time when consent is withdrawn, or when data processing is necessary for the purposes of our legitimate interests (see below for further information).
If, in exceptional cases, we process data on the basis of our legitimate interests (Article 6(1)(f) of the GDPR) as part of considerations made prior to the processing, we store this data until these legitimate interests no longer apply, the consideration results in a different conclusion, or you object to the processing pursuant to Article 21 of the GDPR (see highlighted text under “Information on special right to object” under C.).
If we process data necessary for the performance of a contract, then we store this data until the contract has been completely fulfilled and settled and none of the claims from the contract can be asserted, meaning when the statute of limitations has elapsed. The general statute of limitations in accordance with Paragraph 195 of the German Civil Code (BGB) is three (3) years. However, certain claims, such as claims for damages, have a statute of limitations of 30 years (see Paragraph 197 of the BGB). If there is legitimate grounds to believe that this may be relevant in specific cases, we will save a data subject’s personal data for this period of time. The statute of limitations specified start at the end of the year (December 31) in which the claim arose and the creditor became aware of the circumstances giving rise to the claim and of the debtor, or must have become aware of them in the absence of gross negligence.
Here, we would like to point out that we are also subject to statutory retention obligations for tax and accounting purposes. In accordance with these obligations, we must store certain data, which could include personal data, as proof for the purposes of our accounting over a period of six (6) to ten (10) years. These retention periods override the obligations to delete data described above. The retention periods also begin at the end of the year in question, meaning on December 31 of that year.