Frequently asked questions about the AVG (GDPR)
Below are four questions that have been fired at us a lot in recent weeks. Of course, we are happy to talk to anyone in person, but it might give some clarity to answer the questions here as well.
1. Should you be able to delete all data?
No. In fact, not all personal data should be removable. The right to be forgotten in the AVG relates only to personal data, and even then there may be laws that outweigh the personal right to be forgotten. Consider medical records: the legal retention requirement is 15 years after the last change.
2. What about WORM storage and AVG?
WORM stands for Write Once Read Many. The AVG requires that data can be deleted, but WORM storage does not allow that. We nevertheless have a solution for it. Our WORM systems can specify a retention time per volume to comply with the applicable privacy laws. You specify in advance how long data will be kept before it is automatically deleted from the database. In accordance with legal requirements, this makes data inaccessible after a certain period of time, that is, forgotten. The latest versions now offer this option on a per-record basis, so that retention time can be set individually. By the way, if there is any personal data without a retention requirement on a WORM storage, that storage is in fact being misused. Data that does not have a retention requirement does not belong on a medium that was created precisely to comply with the retention requirement.
3. Have we done well so far?
Many customers report that they have secure storage from which they can erase data, and that the records are kept neatly. But the AVG says that when storing data, you have to take into account the state of the art in conjunction with the context of the data. The technology must be stable enough to ensure that data is available and protected. So don’t take an old storage system and think: that’s good enough.
4. What about the burden of proof?
The AVG reverses the burden of proof. Those who have stored personal data must be able to prove that this data has been stored, recorded and, if desired, deleted in accordance with the law. This requires, for example, a logbook that keeps track of these actions.
Other questions? Feel free to ask them, we are happy to serve you!