GDPR data retention: Compliance guidelines and best practices

Summary

Data retention refers to how long your organization stores personal data before deleting or anonymizing it. In the EU, this timeframe isn’t left to your company’s discretion. 

Under the General Data Protection Regulation (GDPR), you can only keep this information for as long as is strictly needed to fulfil the purpose for which you originally collected it. 

If your data processing purpose changes, you will need to provide data subjects with new notification of this — including new data retention periods — and obtain new consent for the new purpose. 

To achieve GDPR compliance, you’ll need to understand these data retention requirements. However, a recent study by the European Data Protection Board (EDPB) found that many companies are storing private data for excessive or indefinite periods.

Our guide explains GDPR data retention requirements to help you achieve and maintain compliance with the privacy regulation. We also explore how storage limitation relates to other core GDPR principles — such as accuracy and data minimization — to show you how data retention fits into a broader compliance strategy.

Understanding the GDPR and its data retention requirements 

Art. 5 GDPR is the main clause that governs data retention. It states that any organization that processes the personal data of EU residents must not store that data for longer than is strictly necessary. Personal data is defined in the GDPR as “any information relating to an identified or identifiable natural person.”

Recital 39 explains what this clause means for businesses in practical terms, stating that “time limits should be established by the controller for erasure or for a periodic review.” 

In other words, you must create data retention guidelines that reflect how long you actually need to hold onto personal data to fulfil your initial reason for collecting it. After that time lapses, you must review and potentially erase whatever you or third parties working on your behalf (data processors) have stored.

Failing to comply with these requirements can lead to significant penalties. For example, the French Commission nationale de l’informatique et des libertés (CNIL) fined a remote clairvoyance service EUR 250,000 for storing customer details for up to six years after the commercial relationship ended. 

Although the GDPR requires you to delete personal data once it’s fulfilled its original intended purpose, some industries may require you to retain records longer for archival purposes. For example, local healthcare sectors often have minimum storage periods, such as ten years in Germany and 20 years in France. 

In these cases, your organization must follow industry requirements and delete the records once that mandatory period ends.

How long does the GDPR allow businesses to retain personal data?

The GDPR doesn’t state a fixed time limit for retaining personal data. Instead, your business must determine an appropriate retention period based on factors like your industry and what type of information is being stored. 

For example, a bank might be required to store customers’ financial records for decades under local law. Conversely, an online store may only need to keep order history details like customer addresses and phone numbers for a few weeks until the window for exchanges and refunds has passed.

But data retention isn’t an isolated rule. When deciding how long to store data, your organization must consider other core principles of the GDPR, including:

  • Data minimization: You must collect and retain the least amount of information required to support business operations. For example, you may only need to request your customers’ names and email addresses for newsletter signups, not their date of birth or physical address.
  • Purpose limitation: You can only use and retain personal data for your original, stated purpose. If that purpose changes for whatever reason, you must obtain additional consent before any further processing.
  • Accuracy: Organizations that process and store personal data must take reasonable steps to ensure it’s updated and accurate, such as verifying information with customers and checking for duplicate files. Erroneous data must be immediately erased or rectified. 

Best practices for GDPR-compliant data retention

Understanding the GDPR’s data retention requirements is the first step towards compliance. Your organization must also find ways to apply them consistently without limiting your operations. Below, we’ve outlined some proven strategies you can implement to enable GDPR-compliant data retention. 

1. Create, implement, and regularly review strict data retention guidelines

Usercentrics Senior Privacy Expert Tilman Harmeling recommends “establishing clear data retention policies for how long personal data is stored based on laws and processing purpose.” 

This clarity helps ensure your entire team understands the requirements and applies them consistently.

“Companies should start by identifying the different types of personal data they collect and the legal basis for each type of processing,” says Harmeling.

Art. 6 GDPR outlines six lawful bases for processing personal information. 

You must determine which one applies in each instance of data processing you undertake, and be prepared to justify it to data protection authorities (DPAs): 

  • The data subject provides informed consent for data processing
  • Processing is necessary for fulfilling a contract
  • Processing is necessary for meeting legal obligations
  • Processing is necessary for protecting someone’s vital interests
  • Processing is necessary for carrying out a task in the public interest
  • Processing is necessary for pursuing a legitimate business interest (except where overridden by the interests or fundamental rights and freedoms of the data subject)

Once you’ve organized your data, you should “clearly define retention periods based on processing purposes, regulatory requirements, contractual needs, and storage limitation principles,” Harmeling says.  

For example, while you may need to retain client invoices for several years to meet tax regulation requirements, you might be required to delete other financial details like credit card information. 

Harmeling also recommends that you “document policies so they’re clear for both employees and customers, and ensure they’re published prominently and updated regularly.” Clear, accessible policies reduce the risk of compliance gaps due to staff confusion or outdated practices.

2. Maintain clear records of user consent

Maintaining clear records of user consent helps you to determine how long to store data and establish a lawful basis for processing in the event of an audit or dispute. 

As Harmeling says, “The GDPR requires businesses to ensure that customer data they store and process was obtained with explicit and informed consent.” In other words, if you haven’t obtained each user’s permission — or the data processing doesn’t fall under one of the other considerations listed above — you can’t justify collecting or retaining data for any period.

Consent management platforms (CMPs) like Usercentrics CMPs enable you to collect consent from website visitors, make it easy for them to update it any time, and maintain detailed consent records. 

Our software automatically registers the date and time consent was given or updated, what each individual agreed to, and where they visited your site from to help you achieve compliance with data privacy regulations relevant to your operations.

3. Conduct frequent data audits 

Regular audits give you a clear overview of what data your organization stores and when you collected it. This includes any data processed and stored by third parties. Under the GDPR, you’re liable as the data controller for any processing activities carried out by external service providers, like Google, Microsoft, or Salesforce.

This is why it’s critical — and legally required — to have comprehensive contracts in place before any data processing by third parties begins. Such contracts should cover what data and processing is to take place, security requirements, retention periods, and more.

Audits can also help you evaluate whether you still need data for its original purpose. If you see that certain files are no longer relevant or in use, you can and should delete them. For instance, you may find you need to erase all support tickets from customers who no longer do business with your company. 

Beyond compliance motivations, audits reduce the amount of unnecessary data you retain. This creates fewer resource demands for your staff and storage systems while reducing the impact of potential breaches and security risks. 

4. Automate data deletion with specialized tools

Manually deleting data can lead to errors, gaps, and compliance risks. Plus, the higher volume of visitors your site receives, the higher the risk of your team overlooking data and retaining it longer than you should.

Automating deletion can minimize the risk of noncompliant data retention. Software can categorize files and schedule them for erasure in compliance with the GDPR. Such tools identify data at a granular level and give instructions to different systems so that expired data does not go unnoticed.

Be aware that your organization can’t automate all data deletion: under Art. 17 GDPR, which provides the right to erasure (also known as the right to be forgotten), users can ask you to erase their data at any point by submitting a data subject access request. 

As Harmeling notes, “companies need to be able to respond to customer requests to exercise their rights, like data correction or deletion, in a timely manner.” Your business must have a standardized process to review, verify, and manually fulfil the request “without undue delay,” which is generally considered to be about a month.
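The scheduling logic this section describes can be made concrete with a small retention evaluator. The following is an added illustration, not Usercentrics’ software or any product code: it assumes a rule table keyed by processing purpose (the purposes, day counts and statutory minimum are constructed sample values, not legal advice), applies a statutory minimum before a purpose-based period, honours an Art. 17 erasure request where no legal obligation blocks it, flags records with no known purpose for human review rather than silently keeping them, and writes an audit log entry for every decision.

```python
from dataclasses import dataclass
from datetime import date

# Retention rules keyed by processing purpose (constructed sample values, not legal advice):
# retain_days is the period the purpose justifies; legal_min_days is a statutory minimum
# (tax, medical records) that must not be cut short even by an erasure request.
@dataclass(frozen=True)
class RetentionRule:
    retain_days: int
    legal_min_days: int = 0

RULES = {
    "newsletter": RetentionRule(retain_days=365),
    "order_refund_window": RetentionRule(retain_days=30),
    "invoice_tax": RetentionRule(retain_days=365, legal_min_days=10 * 365),
}

@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    erasure_requested: bool = False  # Art. 17 request received from the data subject

def evaluate(record: Record, today: date) -> tuple[str, str]:
    """Return (action, reason); action is 'delete', 'retain' or 'review'."""
    rule = RULES.get(record.purpose)
    if rule is None:  # unknown purpose: flag for a human audit, never keep silently
        return "review", f"no retention rule for purpose '{record.purpose}'"
    age = (today - record.collected).days
    if age < rule.legal_min_days:  # legal obligation overrides erasure (Art. 17(3)(b))
        return "retain", f"statutory minimum {rule.legal_min_days}d not reached (age {age}d)"
    if record.erasure_requested:
        return "delete", "erasure requested under Art. 17"
    if age >= rule.retain_days:
        return "delete", f"purpose period {rule.retain_days}d exceeded (age {age}d)"
    return "retain", f"{rule.retain_days - age}d of purpose period remaining"

def run_schedule(records: list[Record], today: date) -> tuple[list[str], list[dict]]:
    """Apply the rules to every record; return ids due for deletion plus an audit log."""
    to_delete, log = [], []
    for r in records:
        action, reason = evaluate(r, today)
        log.append({"record_id": r.record_id, "date": today.isoformat(),
                    "action": action, "reason": reason})
        if action == "delete":
            to_delete.append(r.record_id)
    return to_delete, log
```

The returned log is the kind of deletion record the documentation section below expects you to keep for an audit; the list of ids is what a downstream system would act on.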

5. Train employees on GDPR compliance

Data retention policies are most effective when staff understand why they’re important and how to apply them. Still, while awareness of the GDPR is increasing, research shows that up to 53 percent of people aren’t familiar with the regulation’s requirements.

Ongoing training sessions can help ensure every employee who handles personal information has the information they need to uphold GDPR compliance consistently. These sessions could focus on topics like: 

  • GDPR requirements and when and how they apply
  • When local or industry-level regulations take higher precedence or need to be managed concurrently
  • How to follow the company’s data retention policies
  • Who’s responsible for tasks like data audits, data subject access requests, and deletion
  • What potential compliance issues look like
  • What security requirements are for user data in use and in storage
  • The potential consequences of noncompliance

Training should aim to meet your team on their level. Begin by conducting a survey to gauge what employees already know about the GDPR, so you know how best to address misconceptions and knowledge gaps. 

6. Document data retention processes for audit preparedness

Adhering to GDPR requirements isn’t enough on its own; companies must also be able to provide evidence of compliance. “To be prepared in case of an audit by data protection authorities, businesses should ensure they securely maintain updated and accessible records of their data collection and processing,” says Harmeling. 

Proper documentation can help streamline the auditing process. “It’s important to be able to show what data has been collected and for what purpose, the relevant legal basis, what the retention periods are, and how data is disposed of,” Harmeling says. 

Documentation that you should have available in case of an audit includes:

  • Data retention policies
  • Retention justification logs
  • Data deletion or anonymization schedules
  • Records of data deletion and anonymization
  • Records of notification and updated consent (should processing purposes change)
  • Records of responses to data subject access requests, e.g. for corrections or deletion

Your organization’s processes may also come under the scrutiny of EU authorities. Harmeling says, “businesses should be able to demonstrate restrictions for accessing data, ongoing training for employees, and measures to secure data in transit.”

Achieve compliance with the GDPR via responsible data handling processes

Data retention under the GDPR goes beyond deleting old records; it requires responsible handling throughout its lifecycle to respect individuals’ rights and keep personal information safe.

Usercentrics CMP helps you achieve GDPR compliance by facilitating user consent collection and maintaining a secure log of consent records. What’s more, our software automatically updates to reflect evolving GDPR and other requirements to help you stay compliant even as standards change. 

In addition to supporting compliance with the GDPR and other data privacy laws, Usercentrics helps you provide transparency and build trust with your customers by demonstrating that you handle their data with care.