How long can data be retained under GDPR?

The General Data Protection Regulation (GDPR) is a regulation that governs data protection and privacy in the European Union. It aims to give individuals more control over their personal data and impose strict rules on organizations that process and store personal data. One key aspect of GDPR is the principles relating to storage limitation and data minimization. This means organizations are not allowed to retain personal data for longer than is necessary. But how long is that exactly? The answer depends on the purpose for processing the data.

Storage limitation principle

Article 5(1)(e) of the GDPR sets out the storage limitation principle. It states that personal data must be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”

In essence, this means personal data should not be retained indefinitely. Organizations need to establish appropriate time limits for erasure or periodic review of data. Data must be deleted once it is no longer needed for its specified purpose.

However, GDPR does not prescribe any specific or minimum retention periods. It will depend on the circumstances and the reasons for processing. Organizations need to set their own retention schedules and be able to justify the retention periods based on the purpose.

Some key factors to consider when setting retention periods include:

  • The categories of personal data processed
  • Why the data is being processed and used
  • How long the data remains relevant for these purposes
  • Legal or regulatory requirements that mandate retention

Data minimization

Closely linked to storage limitation is the principle of data minimization under Article 5(1)(c) of GDPR. This states that data processed should be:

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”

Organizations should identify the minimum amount of personal data needed for their processing activities. Data not meeting this necessity threshold should be removed.

Combined, these two principles encourage organizations to regularly review datasets and delete irrelevant or excessive personal data. Retention should be for the shortest time possible.

Right to erasure

GDPR also contains a right to erasure or ‘right to be forgotten’ under Article 17. This entitles individuals to request deletion of their personal data when:

  • It is no longer needed for the purposes collected
  • The lawful basis for processing no longer applies
  • Deletion is required to comply with legal obligations
  • Unlawful processing has occurred

This complements the storage limitation principle. Organizations need to erase data once retention is no longer justified. They also must be ready to delete personal data if an individual exercises their right to erasure where the grounds are met.

Permitted retention periods

While no universal retention periods are prescribed, GDPR does permit organizations to retain data in certain circumstances. Some examples include:

Retention for legal claims

Personal data can be kept for the period within which litigation or regulatory proceedings could arise in relation to the data processing.

Archiving for public interest

Personal data can also be archived for longer periods if the archiving is in the public interest. This must comply with Article 89(1) and include safeguards such as pseudonymization.

Research and statistics

Article 5(1)(e) makes an exception to retention limits if personal data is being used for scientific or historical research purposes or statistical purposes. Appropriate safeguards must be in place.

To comply with legal obligations

If a statutory retention period applies under EU or Member State laws, personal data can be stored in line with those obligations.

Establishing retention schedules

To comply with the GDPR’s storage limitation and data minimization principles, organizations should:

  • Conduct an audit of personal data held
  • Classify data by category and purpose of processing
  • Determine appropriate retention periods based on purpose, legal obligations, contractual necessity and other legitimate interests
  • Document retention schedules clearly setting out retention justifications
  • Implement systems for managing retention and data deletion
  • Review retention periods regularly and update if necessary

Different retention rules can apply depending on the data category. Some common examples include:

Customer data

Customer data should be kept while an individual is actively using a company’s services and for a period afterwards in case of returns or inquiries. Specific contractual terms may dictate retention. Data no longer needed for customer service should be deleted.

Employee data

Employment laws often specify minimum retention periods for employee records and pensions data. Otherwise data should be deleted when no longer relevant for the employment relationship.

Financial data

Accounting and tax regulations require financial records to be kept for 6-10 years usually. Erasing should then occur.

Marketing data

Data used for marketing communications is only needed while the individual actively engages with the brand. Individuals have a right to withdraw consent at any time too. Reviewing subscriptions and database information regularly is required.

Anonymization

Rather than delete personal data entirely, GDPR does allow for anonymization as an alternative. This involves processing the data to irreversibly remove any identifying characteristics of individuals. It is then no longer considered personal data, allowing longer retention.

However, anonymization must be done effectively to avoid re-identification risks. Organizations should irreversibly alter the data and remove indirect identifiers to achieve true anonymization compliant with GDPR.

Data deletion

When retention periods expire, organizations must actually delete or anonymize the personal data. GDPR requires deletion to be done in a secure manner:

  • Hard copy documents should be cross-cut shredded, incinerated or pulped
  • All electronic copies removed from databases, systems and applications and overwritten
  • Ensure permanent erasure from online webpages, marketing systems and archived backups

Doing a simple ‘soft’ delete by marking data as deleted is not sufficient. Records need to be purged from all repositories and systems. Companies should document policies and procedures for secure data disposal.

Conclusion

GDPR requires organizations to set defined retention limits based on the purpose for processing personal data. Data minimization means keeping only the data needed for the specified purposes and erasing any excess records. While no fixed retention schedules are mandated, companies need to determine justifiable retention periods and implement technologies and policies to enforce these limits and dispose of data when no longer required. Setting shorter retention times and disposing of data once it has served its function is the best way to align storage practices with GDPR principles. With proper retention schedules and deletion protocols, organizations can better manage data protection risks.