oSIST prEN ISO/IEC 27555:2026
Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC DIS 27555:2026)
This document contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organizations by specifying:
— a harmonized terminology for PII deletion;
— an approach for defining deletion rules in an efficient way;
— a description of required documentation;
— a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII is stored or processed.
This document does not address:
— specific legal provision, as given by national law or specified in contracts;
— specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII;
— deletion mechanisms;
— reliability, security and suitability of deletion mechanisms;
— specific techniques for de-identification of data.
General Information
- Status: Not Published
- Public Enquiry End Date: 12-Aug-2026
- Technical Committee: ITC - Information technology
- Current Stage: 4020 - Public enquiry (PE) (Adopted Project)
- Start Date: 03-Jun-2026
- Due Date: 21-Oct-2026
Relations
- Referred By: SIST EN ISO 9466:2025 - Railway Applications - Coating of passenger rail vehicle (ISO 9466:2025)
- Effective Date: 28-Jan-2026
- Effective Date: 08-Oct-2025
Frequently Asked Questions
oSIST prEN ISO/IEC 27555:2026 is a draft published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC DIS 27555:2026)".
oSIST prEN ISO/IEC 27555:2026 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
oSIST prEN ISO/IEC 27555:2026 has the following relationships with other standards: it has inter-standard links to SIST EN ISO 9466:2025 and SIST EN ISO/IEC 27555:2025. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD
01 July 2026
Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC DIS 27555:2026)
This Slovenian standard is identical to: prEN ISO/IEC 27555
ICS: 35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT International Standard
ISO/IEC DIS 27555
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2026-05-29
Voting terminates on: 2026-08-21
Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 27555:2026(en)
© ISO/IEC 2026
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Framework for deletion
  5.1 General
  5.2 Constraints
  5.3 Clusters of PII
  5.4 Retention period and regular deletion period
    5.4.1 Retention period
    5.4.2 Regular deletion period
    5.4.3 Allocation of clusters of PII
  5.5 Archives and backup copies
  5.6 Standard deletion periods, starting points, deletion rules and deletion classes
  5.7 Special situations
  5.8 Documentation of policies and procedures
6 Clusters of PII
  6.1 General
  6.2 Identification
  6.3 Documentation
7 Specification of deletion periods
  7.1 Standard and regular deletion periods
  7.2 Regular deletion period specifications
  7.3 Standard deletion period identification
  7.4 Deletion period specifications for special situations
    7.4.1 General
    7.4.2 Modification of data objects
    7.4.3 Delayed deletion by allocation to another cluster of PII
    7.4.4 Suspension of the deletion
    7.4.5 Backup copies
8 Deletion classes
  8.1 Abstract starting points — abstract deletion rules
  8.2 Matrix of deletion classes
  8.3 Allocation of deletion classes and definition of deletion rules
9 Requirements for implementation
  9.1 General
  9.2 Conditions for starting points outside IT systems
  9.3 Requirements for implementation for organization-wide aspects
    9.3.1 General
    9.3.2 Backup
    9.3.3 Logs
    9.3.4 Transmission systems
    9.3.5 Repair, dismantling and disposal of systems and components
    9.3.6 Everyday business life
  9.4 Requirements for implementation for individual IT systems
  9.5 Deletion in regular manual processes
  9.6 Requirements for implementation for PII processor
  9.7 Control deletion in special cases
    9.7.1 Exception management
    9.7.2 Further sets of PII
  9.8 Handle individual requests for deletion or suspension of deletion
10 Responsibilities
  10.1 General
  10.2 Documentation
  10.3 Implementation
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the
ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations
received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
Many functional processes and IT applications use personally identifiable information (PII), which is
subject to various compliance provisions relating to privacy. Thus, organizations need to ensure that PII
is not retained for longer than is necessary and that it is deleted at the appropriate time. This can require
organizations to fulfil the rights of PII principals, such as the right to obtain erasure (to be forgotten).
ISO/IEC 29100 defines principles of “data minimization” and “use, retention and disclosure limitation” for
PII, which can be enforced using deletion as a security control.
PII deletion requires a set of carefully designed, clear and easily understood deletion rules, embodying
appropriate retention periods that satisfy the demands of multiple stakeholders. These rules should also
conform with requirements originating from codes of practice and other standards. Processes are to be
correctly implemented and appropriately operated. In order to ensure the legally compliant deletion of
PII, the PII controller needs to develop policies and procedures for deletion that include a set of rules and
responsibilities for the processes involved. The chances of success for the development and implementation
of these policies and processes can be improved if the PII controller uses a recognized approach to their
design and implementation.
This document provides a framework for developing and establishing policies and procedures for PII
deletion that can be implemented by an organization. This framework allows for consistent deletion of PII
throughout an organization including deletion or suspension of deletion on individual requests.
Information security, cybersecurity and privacy protection —
Guidelines on personally identifiable information deletion
1 Scope
This document contains guidelines for developing and establishing policies and procedures for deletion of
personally identifiable information (PII) in organizations by specifying:
— a harmonized terminology for PII deletion;
— an approach for defining deletion rules in an efficient way;
— a description of required documentation;
— a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII is stored or processed.
This document does not address:
— specific legal provision, as given by national law or specified in contracts;
— specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII;
— deletion mechanisms;
— reliability, security and suitability of deletion processes and mechanisms;
— specific techniques for de-identification of data.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
cluster of personally identifiable information
cluster of PII
personally identifiable information which is processed for a consistent functional purpose
Note 1 to entry: Clusters of PII are described independently of the technical representation of data objects. On a
regular basis, the clusters of PII also include PII which is not stored electronically.
3.2
data object
element which contains personally identifiable information (PII)
Note 1 to entry: Examples of elements include files, documents, records or attributes. Concrete data objects include,
for example, invoices, contracts, personal files, visitor lists, personnel planning sheets, photos, voice recordings, user
accounts, log entries and consent documents.
Note 2 to entry: In the context of this document, data objects usually contain PII and can be combined with other data
objects in a cluster of PII (3.1). The individual data object can be of varying complexity.
3.3
deletion
process by which personally identifiable information (PII) is changed so that it is no longer present or
recognizable and usable and can only be reconstructed with excessive effort
Note 1 to entry: In this document the term deletion covers the following synonyms: disposition mechanism, erasure,
destruction, destruction of data storage media.
Note 2 to entry: For some details on implementation of processes and security of deletion mechanisms see 5.1 and end
of 9.1. Details on mechanisms and their security are provided in the literature; see the bibliography for references.
3.4
deletion class
combination of a standard deletion period (3.7) and an abstract starting point for the period run
Note 1 to entry: All clusters of personally identifiable information (PII) which are subject to the same deletion period
(3.6) and the same abstract starting point are combined in a deletion class. As opposed to the (specific) deletion rule
(3.5) for a cluster of PII (3.1), the (abstract) deletion class relates only to the abstract starting point and not to a specific
condition for the start of the period run (see also Clause 8).
3.5
deletion rule
combination of deletion period (3.6) and specific condition for the starting point of the period run
3.6
deletion period
time period after which a specific cluster of personally identifiable information (PII) (3.1) should be deleted
Note 1 to entry: As a generic term, the deletion period comprises all deletion periods. This includes the standard
deletion periods (3.7) and the regular deletion periods (3.8), which form special groups. However, the term also includes,
for instance, the specific deletion periods for some clusters of PII or deletion periods in special cases. For details, see
Clause 7.
Note 2 to entry: The deletion period for a cluster of PII extends beyond the end of the retention period (3.9), by at least
an amount commensurate with the time required to achieve deletion of the relevant data objects (3.2).
3.7
standard deletion period
unified deletion period for the personally identifiable information (PII) controller
Note 1 to entry: A standard deletion period is a deletion period (3.6) used for several clusters of PII (3.1) to standardize
several deletion periods lying close to one another (see 7.1).
3.8
regular deletion period
maximum time period after which the data objects (3.2) of a cluster of personally identifiable information (PII)
(3.1) should be deleted if used in regular processing in the processes of the PII controller
Note 1 to entry: For the boundary conditions of period specifications, see 5.4.
3.9
retention period
time period within which the data objects (3.2) of the cluster of personally identifiable information (PII) (3.1)
are required to be available in the PII controller’s organization because of functional use or legal retention
obligations
Note 1 to entry: The data objects of a specific cluster of PII typically have the same retention period.
Note 2 to entry: For the boundary conditions of period specifications, see 5.4 and Clause 7.
3.10
legal retention period
time period within which the data objects (3.2) of a cluster of personally identifiable information (PII) (3.1) are
available in the PII controller’s organization as required by legal provisions
4 Symbols and abbreviated terms
CD compact disc
DVD digital versatile disc
IT information technology
PII personally identifiable information
PDF portable document format
SD secure digital
SSD solid state disk
USB universal serial bus
WORM write once read many (storage media type)
5 Framework for deletion
5.1 General
This document describes how an organization acting as PII controller can establish policies and procedures
for deletion of PII. For this, the PII controller should specify:
— which deletion rules apply to which PII;
— how the deletion is implemented using the deletion rules;
— how the deletion rules and the deletion processes are documented;
— who is responsible for the deletion rules, deletion processes and their documentation.
In this document the term deletion refers to the elimination of the bit patterns or comparable practices,
not simply marking or moving the data to be hidden. As a result, excessive effort for PII reconstruction is
required, considering all the means likely to be used, e.g. available state-of-the-art laboratory technology
(e.g. forensic tools, quantum computing), human and technical resources, costs and time.
Depending on the storage technology, IT applications, and the purpose of deletion (e.g. reuse after
sanitization or disposal of storage media), various mechanisms for deletion can be used. Each mechanism
should be selected and used in such a way that the requirements for secure deletion are met.
NOTE The mechanisms for deletion can include overwriting, data carrier deletion commands, secure encryption
of content and secure deletion of the key material used, and physical destruction. For details on deletion mechanisms
and their security, see the references in the bibliography.
To establish deletion policies and procedures, the following steps are recommended:
— select a minimum number of standard deletion periods which form the basis of deletion classes;
— base deletion classes on the standard deletion periods identified;
— use the processing purposes to determine which data objects are categorized in a cluster of PII and
allocate each cluster of PII to a deletion class;
— apply the deletion rules for the various data sets: implement deletion processes and document them in
requirements for implementation (see Clause 9).
The PII controller should implement deletion processes for each cluster of PII based on the established
policies and procedures (see 10.3).
5.2 Constraints
The PII controller should establish policies and procedures for deletion of PII which enable the organization
to demonstrate compliance with relevant legal, regulatory and other requirements. Where the organization
is performing the role of a PII processor, they should ensure deletion rules are implemented in accordance
with the relevant PII controller instructions.
Where compliance and/or contractual requirements state that PII should be deleted when it is no longer
required for the defined purpose, the principles contained in ISO/IEC 29100 should be considered when
designing the deletion processes:
a) use, retention and disclosure limitation;
b) data minimization.
EXAMPLE The deletion rule for the cluster of PII named “Accounting data” can be 10 years after the end of the
financial year in which the accounting entry was made in the balance sheet.
Compliance and/or contractual requirements can require special processes, particularly where clusters of
PII are retained only to fulfil retention obligations. In such cases, restricting the processing of the clusters of
PII concerned can be required.
5.3 Clusters of PII
Often several data objects are processed for the same or very similar purposes. In this case, they can be
deleted according to the same rule. In order to significantly reduce the number of deletion rules, the data
objects are grouped into the so-called clusters of PII.
Clusters of PII should be named individually and unambiguously and according to their functional purposes.
Each cluster of PII should be allocated one deletion rule (see 6.2).
EXAMPLE For a telecommunications provider, customer data, location data, traffic data, billing data and itemized
bill data are possible names of clusters of PII.
NOTE 1 Clusters of PII build logical containers to collect different data objects processed for the same purpose.
NOTE 2 The definition of a deletion rule for a cluster of PII and the data objects associated with it generally remain
stable until the purposes of processing or relevant law for processing change.
NOTE 3 In some cases the allocation of data objects to clusters of PII can be changed because of modified purposes
of data objects. This changes their allocated deletion rules.
The same PII can be part of more than one cluster of PII in two cases:
— different data objects can contain the same attributes;
NOTE 4 Some attributes, such as name or address, can occur in several data objects in the same or different clusters
of PII, e.g. in the customer master data, an invoice and a letter to the customer. Deletion is usually applied on the data
object as a whole (and not on single attributes within the data object).
— copies of a data object can be part of different clusters of PII.
EXAMPLE Assume an invoice documents materials and actions performed to repair an engine. Functional
processes can require that three copies of the document are stored in different clusters of PII: “bookkeeping data”
(deleted 11 years after payment), “engine documentation file” to document the history and parts of the engine (deleted
5 years after destruction of the engine) and “supplier file” to document the history of the relationship and operations
with the supplier (deleted 15 years after receiving the data object).
PII should not be deleted upon individual case decisions only, but in accordance with appropriate deletion
rules wherever possible. Therefore, the PII controller should develop deletion rules in accordance with their
deletion policy. Every deletion rule should include a definition of the deletion period and when the deletion
period begins (starting point).
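The following sketch is an added illustration and is not part of the standard: it models a deletion rule as a deletion period plus a specific starting-point condition, allocates one rule per cluster of PII, and computes the deletion due date for the invoice copies and the "Accounting data" example given above. The event names, object identifiers and dates are constructed, and the financial year is assumed to equal the calendar year.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeletionRule:
    """Deletion period plus the specific condition that starts the period run."""
    period_years: int
    starting_event: str               # hypothetical event name recorded per data object
    align_to_year_end: bool = False   # start at the end of the financial year of the event


# One deletion rule per cluster of PII, taken from the examples in 5.2 and 5.3.
RULES: Dict[str, DeletionRule] = {
    "Accounting data": DeletionRule(10, "accounting_entry", align_to_year_end=True),
    "bookkeeping data": DeletionRule(11, "payment"),
    "engine documentation file": DeletionRule(5, "engine_destroyed"),
    "supplier file": DeletionRule(15, "received"),
}


@dataclass
class DataObject:
    object_id: str
    cluster: str                      # cluster of PII this copy is allocated to
    events: Dict[str, date]           # starting-point events observed so far


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February maps to 28 February if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due(obj: DataObject) -> Optional[date]:
    """Return the date by which the object is due for deletion, or None if the
    starting point has not occurred yet (the period run has not begun)."""
    rule = RULES.get(obj.cluster)
    if rule is None:
        # Every cluster should be allocated a rule; an unallocated object is a
        # gap in the deletion policy and must not be silently retained.
        raise ValueError(f"no deletion rule for cluster {obj.cluster!r}")
    start = obj.events.get(rule.starting_event)
    if start is None:
        return None
    if rule.align_to_year_end:
        start = date(start.year, 12, 31)   # assumption: financial year = calendar year
    return add_years(start, rule.period_years)


def objects_due(objects: List[DataObject], today: date) -> List[str]:
    """Identifiers of all objects whose deletion period has expired by `today`."""
    due = []
    for obj in objects:
        limit = deletion_due(obj)
        if limit is not None and limit <= today:
            due.append(obj.object_id)
    return sorted(due)


# Constructed sample: three copies of one invoice in different clusters of PII,
# plus one accounting entry. The engine has not been destroyed yet.
SAMPLE_OBJECTS = [
    DataObject("INV-7/bookkeeping", "bookkeeping data", {"payment": date(2020, 3, 15)}),
    DataObject("INV-7/engine", "engine documentation file", {}),
    DataObject("INV-7/supplier", "supplier file", {"received": date(2020, 2, 29)}),
    DataObject("ACC-2015-0042", "Accounting data", {"accounting_entry": date(2015, 6, 10)}),
]

if __name__ == "__main__":
    for o in SAMPLE_OBJECTS:
        print(o.object_id, o.cluster, deletion_due(o))
    print("due on 2031-03-15:", objects_due(SAMPLE_OBJECTS, date(2031, 3, 15)))
```

The copy in the "engine documentation file" cluster has no due date until the engine's destruction is recorded, which shows why the starting point has to be captured as data alongside the period.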
5.4 Retention period and regular deletion period
5.4.1 Retention period
The period of time for which a cluster of PII is retained, based on its functional purposes (which can include
retention period complying with business requirements as well as legal and statutory obligations), is its
retention period. This time period includes the time period in which a cluster of PII is actively used in
functional processes, in accordance with compliance and/or contractual purposes and in accordance with
the organization's long-term storage requirements.
EXAMPLE The legal retention obligations for clusters of PII include, for example, the provisions of tax laws for
trade letters and accounting documents. Functional purposes include, for example, guarantee commitments and
potential equipment recall actions.
5.4.2 Regular deletion period
Clusters of PII should not be deleted until the end of their defined retention period, unless specific approvals
have been obtained.
Legal obligations can allow for time flexibility to perform deletion after the retention period has been
reached. This flexibility can be used to apply a deletion process which can take into account the availability
of technical solutions as well as the general organizational requirements. The combination of the retention
period and the maximum time period for the deletion process is defined as the regular deletion period. The
PII controller should estimate the maximum time period that is acceptable for the deletion process.
Each deletion rule should be applied by deleting data objects within a cluster of PII in all systems and all
storage places. This should include the deletion of data objects stored in physical documents. Also included
is the deletion of clusters of PII processed by PII processors contracted by the PII controller.
Figure 1 shows an example of how to derive a regular deletion period based on the life cycle of an order.
The retention period and regular deletion period for the order starts with the formation of the contract.
The active use of the contract ends with the receipt of payment. After that, the contract is still retained for
possible warranty cases and as a trade letter.
© ISO/IEC 2026 – All rights reserved
ISO/IEC DIS 27555:2026(en)
Figure 1 — Example of regular deletion period for an order
NOTE In the example in Figure 1, the retention period for the order is shorter than the regular deletion period.
Depending on which cluster of PII is involved and its defined deletion period, the retention period and the regular
deletion period sometimes have nearly the same duration. The section 'acceptable delay for deletion' before the last
time of deletion stands for the period of time that is permissible for the design of the deletion process according to the
relevant legislation.
In the example, the invoice and the booking of the payment received are categorized as separate clusters of PII and,
therefore, have different deletion rules.
5.4.3 Allocation of clusters of PII
The allocation of clusters of PII to specific standard deletion periods should be based on compliance and/
or contractual requirements in alignment with business needs. The number of standard deletion periods
should be as low as possible and should be the minimum required in order to meet these requirements and
business needs. For further information on standard deletion periods, see 7.1.
The PII controller should consider relevant legal, regulatory and/or contractual business requirements
giving specific deletion provisions when defining regular deletion periods. These provisions can also include
guidelines for the design of the deletion processes.
EXAMPLE In the area of telecommunications, the retention of traffic data required for calculating usage charges
is sometimes limited by law.
Further guidance for the allocation of regular deletion periods to clusters of PII can be found in Clause 7 and
8.3.
5.5 Archives and backup copies
Archives serve the purpose of keeping data available for extended periods of time. Data are transferred
into archives when they are no longer expected to be actively used but are still required to be retained for
permissible reasons. An archive can contain different clusters of PII with different deletion periods. The
relevant compliance and/or contractual requirements can require usage limitation for archived data.
The primary purpose of backup copies is the recovery of IT systems. Backup copies should not be used as
archives.
The organization should clearly distinguish between backup copies and archives. PII contained in archives
should be subject to the same deletion rules as the respective clusters of PII and these rules should be
implemented in the archives concerned.
It is often impractical (or even impossible) to delete individual data objects within a backup copy, as it would
contradict the purpose of a backup. To fulfil their purpose, backup copies are required to be available for
only short periods of time. Using short deletion periods for the backup copies is a means of conforming with
the deletion provisions.
For the deletion of backup copies, individual time periods should be specified in the backup strategy (see
9.3). These time periods should be in acceptable proportion to the regular deletion periods of the various
clusters of PII contained in the specific copy (see 7.4).
During recovery of a system, PII which has exceeded the regular deletion period can be restored. Therefore,
restore processes should consider this possibility and describe how to delete such restored PII (see 9.1 and
9.4).
5.6 Standard deletion periods, starting points, deletion rules and deletion classes
Before deletion rules can be defined for individual clusters of PII, considerable effort can be required for
analysis. It is appropriate to involve the person responsible for privacy matters within the organization in
the assessment of the standard deletion periods, starting points, deletion rules and deletion classes.
The PII controller should define and use standard deletion periods.
The starting points for the deletion periods can also be grouped (see 8.1).
EXAMPLE 1 One such abstract starting point is the “collection of the data”; another is the “end of procedure”.
The combination of a standard deletion period and an abstract starting point forms a deletion class (see
Clause 8). Clusters of PII should be assigned to the appropriate deletion class.
EXAMPLE 2 Assume that the deletion rule "12 years after settlement of a receivable" is defined with the cluster of
PII "Accounting data". This results in a deletion class "12 years after end of procedure". When searching for a suitable
deletion rule for another cluster of PII "contracts", you could decide that the contracts should be assigned to the same
deletion class. In this example, the deletion rule for "Contracts" could result in "12 years after the end of the contract".
5.7 Special situations
In some situations, deleting PII in accordance with the general deletion rules can be unfeasible for an
organization. These situations include:
— deletion of PII which was collected without proper legal permission;
— deletion of PII after a legally founded request for deletion by the PII principal;
— deletion of PII which is likely necessary for a claim or an anticipated or ongoing legal case.
NOTE 1 In some jurisdictions, requirements grant the PII principal a right to have their PII deleted if certain
prerequisites are met. For some clusters of PII, not all such requests need to be partially or fully executed, for example
because of overriding retention requirements.
For these and similar special situations, deletion processes should also be determined. These can be
specified in the context of the processes and responsibilities for deletion of PII (see 9.7, 9.8 and Clause 10).
Individual PII can only be deleted if the technical systems have a suitable function for deletion. Therefore, the
PII controller should ensure that such a function is required in system procurement or system development
processes if PII principals can require the deletion on a case-by-case basis. On the other hand, there is
nothing to prevent the use of available standard functions for rare individual cases of such deletions, e.g.
SQL instructions in databases.
NOTE 2 Under certain conditions, the PII controller has the option not to delete PII but to restrict the processing of
that PII.
5.8 Documentation of policies and procedures
Policies and procedures for PII deletion should be documented. These documents should include advice from
different entities within the organization, such as the person in charge of privacy matters, functional users,
developers and administrators.
Policies and procedures can be integrated into existing documentation.
The deletion rules should be described without reference to the technology used for storage, control and
deletion.
EXAMPLE 1 Bookkeeping data include invoices, receipts and bank transactions. To be independent from technical
aspects, it is irrelevant on which media such data objects are stored (e.g. paper, hard disk, SSD, WORM media including
glass-based long-term storage media, USB stick or microfiche), in which location they are stored (e.g. locally on a
laptop, in a central IT system database, using a storage area network, cloud storage service or paper file folders in an
archive room) or which format is used (e.g. PDF, database record, text file). The same applies to a set of videos or audio
tracks: it is irrelevant whether they are stored e.g. in legacy formats, on physical media like USB drives or in the cloud.
Technology-related requirements for implementation should be specified separately (see Clause 9 for further
information). Deletion rules should also be applied to manual processes such as data handled by individuals,
e.g. using paper-based documents or files in IT systems.
EXAMPLE 2 A job application is received on paper and stored in a file until the application process is performed.
The application is to be deleted following the appropriate deletion rule after a decision to hire or not to hire has been
made. As the application documents are managed manually, deletion is carried out in a manual process.
In other cases, PII in files is stored manually in the file system, e.g. invoices for special verification or handling. Handling
of such files can be regulated by documented work instructions, including the need to delete the files manually.
6 Clusters of PII
6.1 General
Sets of PII should be categorized according to their functional purposes as clusters of PII. Different purposes
and, thus, different clusters of PII can result, in particular, if:
— the legal basis for the PII collection differs;
— the relevant legal requirements contain different provisions for the use of PII;
— PII relates to different PII principals;
— the same PII is used by different functional units for different purposes and therefore different rules for
deletion are applied in each case;
NOTE 1 Different clusters of PII can thus be used to define different regu
...



