The HWR may not store the personal data entrusted to it without limitation. It must ensure that data which is no longer required for the purpose of processing is deleted in accordance with data protection regulations. To this end, it is advisable to define concrete deletion deadlines and to check the data files at regular intervals for compliance with the deadlines. Many of the IT programmes used at the HWR offer the option of defining automatic deletion periods.
The GDPR does not stipulate any standard deletion periods. It leaves it up to the data controller to “delete” personal data “without undue delay” as soon as the interest in the storage which justified the processing ceases to exist. However, this does not apply if there is a legal obligation to retain the data.