How long is your personal data being stored?
It's about time
Personal data may not be stored longer than necessary for the purpose for which it was obtained in the first place.
This means there is a storage restriction. The period over which personal data is stored is also referred to as a ‘retention period’.
There are statutory storage periods that an organisation must comply with, such as a period of seven years for the financial accounting for tax authorities. However, some retention periods are not defined by law.
The GDPR itself does not specify specific retention periods. An organisation must determine how what amount of period the personal data is needed to meet the purpose of which the the data was collected. After the retention period has ended, the organisation is obliged to delete the data.
The organisation may keep the data for longer when the data is intended for scientific, historical or statistical purposes, provided that the rights and freedoms of those involved are protected.