The Arolsen Archives are under an obligation to delete person-related data upon request and to report data protection incidents. Learn more about our procedures here.
The Arolsen Archives receive thousands of inquiries per annum. To process these tracing inquiries, our staff open digital case files known as Tracing/Documentation files – or T/D files for short. This documentary collection includes sensitive data on users, which are subject to data protection.
Pursuant to our data protection guidelines, we are under an obligation to correct, to delete or to block access to such data upon request.
Moreover, individuals sometimes ask the Arolsen Archives to remove specific historical documents from the online archive.
This is how we deal with such cases:
Dealing with Requests to Delete Person-Related Data
If a request to delete person-related data is received by the Arolsen Archives, the Data Protection Officer and the Data Protection Coordinator for the Tracing Department review the request and examine the record in the database.
If the request proves justified according to our data protection guidelines, the person-related data in question will be deleted from the database. The inquiry relating to the sought person will continue to be stored in the T/D file.
The person who submitted the request will be notified. If she does not agree with the decision, she may contact the Data Protection Board. After conclusion of the procedure, all email correspondence relating to the request will be deleted.
Dealing with Requests to Remove Documents from the Online Archive
The removal of documents and data from the online archive can be requested via the Contact Form or the e-mail address dataprotection@arolsen-archives.org.
If a person requests that documents and data no longer be searchable in our online archive, the request will be reviewed by the Data Protection Officer and archives staff. They will decide which documents, if any, will no longer be made available to the public in the online archive.
Individual documents relating to persons who are not seen as historical figures may be removed. Lists and compilations in list format may not be removed.
If the publication of specific documents is found to be unlawful, they will be removed from the online archive. Documents may also be blocked as a gesture of goodwill and then marked by a five-year non-disclosure notice. The technical implementation will follow as soon as possible.
The person who submitted the request will be notified. If she does not agree with the decision, she may contact the Data Protection Board of the Arolsen Archives.
Data Protection Incidents
Data protection incidents are rare. If such an incident comes to our notice involving person-related data being copied, stored, or deleted without authorization, we will, of course, fulfil our obligation to report the incident to the competent authorities.
Dealing with a Data Protection Incident
If there are indications of a data protection incident at the Arolsen Archives, we will begin by evaluating the nature and scope of the incident and then check whether person-related data are affected.
Simultaneously, immediate measures will be taken to contain the incident, and a detailed investigation will be carried out to determine the cause of the incident and to identify the data affected and the extent of the damage.
As a next step, a detailed report will be drawn up and forwarded to the competent supervisory authority (Data Protection Board and/or Hessian Data Protection Commissioner) within the prescribed period of 72 hours after discovery of the incident.
If the incident constitutes a high risk to the rights and freedoms of individuals, they will be notified and informed about the extent to which they are affected and how they can protect themselves.
The incident, all the measures taken, and the communication with both the supervisory authority and the persons concerned will be documented. To avert any future incidents, security measures will be improved and subsequently tested.