One of the fundamental principles of the GDPR is the limitation of data retention. Personal data should be collected for a specific period and cannot be kept indefinitely. This obligation adds to the data minimization requirement, whereby only the personal data necessary for the purpose in question should be collected. Data may only be collected if essential to a project or a particular processing operation. This means identifying the different retention periods and implementing an internal process to ensure they are respected. But how long can personal data be kept?
A period that does not exceed the objective set.
The maximum retention period for personal data depends on the purposes for which it is processed. Personal data must be kept for at most necessary purposes for which it is processed. A retention period must therefore be defined in advance for each data item appropriate to the purpose of the processing.
The data subject must be informed of this period. However, if this period cannot be defined at the time of collection, the criteria for determining it must at least be made available to the data subjects.
In the guidelines on transparency, the EDPB states that the information provided must enable the individual to assess the retention period, and the data controller cannot simply specify that the personal data will be retained for as long as necessary to achieve the purpose of the processing.
Once this period has elapsed, the data does not necessarily have to be deleted. Anonymization of data may be preferred if the data controller wishes to reuse it for other purposes, such as research. It is also possible to opt for data archiving in some instances.
There are, in fact, three phases in the data life cycle:
Retention in an active database for as long as is necessary to achieve the purpose for which the data was collected
Intermediate archiving is when the objective has been achieved, but the data is still helpful to the organization for administrative interests
Final archiving concerns rare cases such as processing carried out in the public interest for archiving purposes
The period depends mainly on the context
Determining the retention period depends on the reasons for which the data was collected.
Two cases can be distinguished. In some cases, the retention period is set by law. However, for many data processing operations, the retention period is not set by law and must be determined according to the purpose of the processing operation.
The data controller must define an appropriate retention period if no legal text stipulates a retention period. This choice must be proportionate, fit the purpose of the processing, and be justified. For example, when personal data is collected to organize an event, keeping it once it is over is no longer necessary. The data must then be deleted.
Data protection authorities provide guidelines to help organizations formalize these choices. It is, therefore, advisable to refer to them when defining your retention periods.