Under Article 28(3)(g) the contract must say that at the end of the contract the processor must:
- at the controller’s choice, delete or return to the controller all the personal data it has been processing for it; and
- delete existing copies of the personal data unless EU or Member State law requires it to be stored.
It should be noted that deletion of personal data should be done in a secure manner, in accordance with the security requirements of Article 32.
The contract must include these terms to ensure the continuing protection of the personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.
The ICO appreciates the practical reality that it may not be possible for data in backups or archives to be deleted immediately on termination of a contract. Provided appropriate safeguards are in place, such as the data being put immediately beyond use, it may be acceptable that the data is not deleted immediately if the retention period is appropriate and the data is subsequently deleted as soon as possible, eg on the processor’s next deletion/destruction cycle.