For how long is data about you stored?
Personal data may not be kept longer than necessary for the purpose for which it was obtained, i.e. there is a storage restriction. This period over which personal data is stored is also referred to as a retention period.
There are statutory storage periods that an organisation must comply with, such as a period of seven years for the financial accounting for tax authorities. However, some retention periods are not embedded in a law.
The GDPR itself does not specify any specific retention periods. An organisation must decide for itself how long personal data is necessary for the purpose for which the organisation has collected it.
After the retention period is ended, the organisation must delete the data. The organisation may keep the data for longer if the it’s intended for scientific, historical or statistical purposes, provided that the rights and freedoms of those involved are protected.