Back to EoL360
ESEN
EoL360
Plane 2 · Universal core

Data protection

Regulation (EU) 2016/679 · LOPDGDD

Retired IT assets contain media holding personal data. Asset-level certified sanitisation, recorded and centralised in EoL360, constitutes individualised evidentiary support before the AEPD.

Obligations applicable at end of life

The data controller must adopt technical measures appropriate to the risk (art. 32 GDPR) and be able to demonstrate compliance (art. 5.2, accountability). In the IT asset’s end-of-life cycle, this requirement translates into certified media sanitisation and individualised documentary evidence.

GDPR · Art. 5.1.f
Integrity and confidentiality: data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
GDPR · Art. 5.2
Accountability: the controller must be able to demonstrate compliance with the principles. Without documentary evidence, conformity cannot be attested.
GDPR · Art. 24
General obligation of the controller to implement appropriate technical and organisational measures, and to review and update them where necessary.
GDPR · Art. 28
Processor: where an external partner operates on assets holding personal data, the operation must be governed by a data-processing agreement, with documented instructions and measures appropriate to the risk.
GDPR · Art. 32
Security of processing: technical measures appropriate to the risk, including pseudonymisation, encryption, and the ability to ensure confidentiality and integrity. Certified media sanitisation fits as a direct technical measure.
GDPR · Art. 83.4
Up to €10,000,000 or 2% of total worldwide annual turnover. Applicable to art. 32 infringements. Where art. 5 principles are breached, art. 83.5 applies: up to €20,000,000 or 4%.

Characteristic end-of-life risk

The most frequent scenario in refresh programmes: equipment retired without certified wiping before leaving the corporate perimeter, or wiped but without per-asset individualised certification. Non-observance of art. 32 is available as an applicable offence and opens exposure under art. 83.4.

Sanitisation does not replace the contract

Where ZirquloApp, S.L. or its partners operate on assets that may contain personal data, the operation must, where applicable, be governed by the corresponding data-processing agreement (art. 28 GDPR). Certified sanitisation is a technical measure within that contractual framework, not a substitute for it.

How EoL360 covers it

Certified sanitisation
Secure per-asset individualised wiping, compliant with recognised standards. Each operation is recorded in the platform with the media identifier, method applied, operator and outcome.
Evidentiary support
Individualised wiping certificates, recoverable asset by asset and aggregable at batch or fiscal-year level. Material directly presentable to the AEPD on request.
Data-processing agreement
Documentary framework to formalise the data-processing agreement between client and operator, with documented instructions and an operation log. Where the operator is the client’s external partner, formalisation is arranged between that partner and the client under their contractual relationship.
Accountability
Structured documentary evidence sustaining the art. 5.2 principle. The ability to demonstrate is as important as the technical measure itself.

To document is to protect

Turn sanitisation into individualised, asset-by-asset evidence.

Talk to an expert