Archiving and destruction processes for data sets


Organization must document the retention periods for data sets and their possible archiving process (including archiving method, location or destruction). At the end of the retention period, the data must be archived or destroyed without delay in a secure manner.

When destroying data contained in data systems, the following points should be taken into account:

  • suitable method of destruction (e.g. overwriting, cryptographic erasure ) is chosen taking into account the functional and statutory requirements
  • the need to preserve evidence of data destruction is discussed
  • when using third parties for data destruction, the requirement of evidence and the inclusion of destruction requirements in supplier contracts are discussed

The process of archiving or destroying data is defined in connection with the documentation, and the owner of the data is responsible for its implementation.

Connected other frameworks and requirements:
PR.IP-6: Data destruction
A.7.4.5: PII de-identification and deletion at the end of processing
ISO 27701
A.7.4.8: Disposal
ISO 27701
8.10: Information deletion
ISO 27001
No items found.