Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Paragraph  1.3.7  On termination of the processing activities, the processor must, at the choice of the controller, delete or return all the personal data to the controller and delete existing copies (Art. 28 (3) (g) GDPR).

136. The contractual terms are meant to ensure that the personal data are subject to appropriate protection after the end of the “provision of services related to the processing”: it is therefore up to the controller to decide what the processor should do with regard to the personal data.

137. The controller can decide at the beginning whether personal data shall be deleted or returned by specifying it in the contract, through a written communication to be timely sent to the processor. The contract or other legal act should reflect the possibility for the data controller to change the choice made before the end of the provision of services related to the processing. The contract should specify the process for providing such instructions.

138.  If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner, also in order to comply with Article 32 GDPR. The processor should confirm to the controller that the deletion has been completed within an agreed timescale and in an agreed manner.

139. The processor must delete all existing copies of the data, unless EU or  Member State law requires further storage. If the processor or controller is aware of any such legal requirement, it should inform the other party as soon as possible.