Germany: Hamburg Commissioner for Data Protection and Freedom of Information published guidance on data deletion obligations and revised retention periods

On 19 March 2025, the Hamburg Commissioner for Data Protection and Freedom of Information published guidelines on data deletion obligations and revised retention periods under German law. The guidance reminds companies to review and delete outdated records, particularly those containing personal data, in line with the GDPR and the revised statutory retention periods. The retention periods vary depending on the type of document and legal basis, with standard periods of 6, 8, or 10 years and some sector-specific rules extending up to 30 years. In particular, the Fourth Act on the Reduction of Bureaucracy has shortened the retention period for booking records from 10 to 8 years, a requirement that necessitates adjustments to existing deletion procedures.