§ 28 NDSG
Erasure of personal data and restriction of processing
(1)1The controller shall erase personal data without undue delay where
(2)their processing is unlawful,
(3)their knowledge is no longer necessary for the performance of his or her tasks, or
(4)they must be erased to comply with a legal obligation.
(5)2In the cases of sentence 1 number 2, transfer to the competent archive shall take the place of erasure.
(6)1Instead of erasing the personal data, the controller may restrict their processing where
(7)there are grounds to believe that erasure would prejudice the legitimate interests of a data subject,
(8)the data must be retained for evidentiary purposes in official or judicial proceedings serving the purposes of § 23, or
(9)erasure is not possible or would be possible only with disproportionate effort due to the particular manner of storage.
(10)2Data whose processing has been restricted pursuant to sentence 1 may only be processed for the purpose which precluded their erasure, or otherwise with the consent of the data subject.
(11)In the case of automated data processing systems, it shall be ensured by technical means that a restriction of processing is clearly identifiable and that processing for other purposes is not possible without further review.
(12)Without prejudice to the maximum storage or erasure periods laid down by legal provisions, the controller shall provide appropriate time limits for the erasure of personal data or for a regular review of the need for their storage and shall ensure by procedural safeguards that those time limits are observed.