TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to draft a GDPR-compliant retention policy Related reading: Territorial scope of the GDPR from a US perspective



Data minimization, storage limitation, records of processing activities and requirements for providing information and access to personal data under the EU General Data Protection Regulation all have one thing in common: You need to be able to clearly define the period for which personal data will be stored or, if not possible, criteria to determine that period.

Most organizations implementing the GDPR consider retention policies or retention rules necessary to achieve this. At first it seems a daunting task, but by considering the goals and GDPR requirements you can reach some reasonable level of granularity that is still operational and possible to implement.

Records of processing activities

It's very important to find a right balance between being very general and vague (like saying we will keep the data for as long as needed), and having a very detailed system by system and set by set description. The latter might still be useful as a product of your policy or a report available at specific point of time but not as a retention policy.

In order to find out how much detail is enough you should consider the requirements for the records of processing activities.

As specified in Article 30 of the GDPR, such records need to include purposes of the processing; descriptions of data subjects and categories of personal data; as well as recipients and, where possible, the envisaged time limits for erasure of the different categories of data.

Considering that the information to be provided to the data subjects includes the period for which the personal data will be stored — or, if that is not possible, the criteria used to determine that period— it makes sense to provide such information as part of the envisaged time limits for erasure. This way you will stay consistent and avoid confusion resulting from different descriptions of your retention/erasure practices.

As it seems then, records of processing activities encourage you to group data by type of individuals, data categories and relevant purposes, and it is prudent to relate retention times to such processing activities.

What processing activities are is not defined by the GDPR, only processing as such is broadly described in Article 4, so using the most clear and relevant name or description would be a reasonable way to go. Using such names will definitely make your life easier.    

Legal basis

Defining legal basis for different processing activities is not, strictly speaking, required for the records of processing activities, but it is obvious that organizations need to be aware of the relevant legal basis for such activities and document it in accordance with the principle of accountability. In addition to that, legal basis needs to be communicated to the data subjects as part of the information obligations (Articles 13 and 14 of the GDPR).

In practice, legal basis is so tightly linked with the purposes of processing that in many privacy notices the purpose and legal basis become one, e.g. by explaining that the data will be processed for the performance of a contract or for compliance with specific legal obligations.

Legal basis is also crucial for specifying retention times, and in some cases such retention times would be readily available (like in case of processing the data for compliance with tax regulations or the like).

This means that grouping data into types used for the same purposes should be done as per relevant legal basis. Even though it will not result in many instances in having just one specific retention time (as it will vary by jurisdictions and even for different types of situations), such retention times will be possible to be efficiently establish — or at least by reference to the specific legal basis — criteria for how long data will be stored can be provided.

It is important to remember that the data processed based on consent should in general not be kept when the consent is withdrawn (unless another valid legal basis has been established and communicated to the data subjects), and the data necessary for the performance of a contract may not be retained indefinitely by saying that there might occur some legal claims if such claims aren't clearly defined and don't yet exist but are purely hypothetical.

As explained in the Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, performance of contract does not apply to actions triggered by non-compliance or to all other incidents in the execution of a contract, but only covers the normal execution of a contract.

Standard periods for ancillary data sets

Obviously the data used in a business environment are not simply grouped into separate, static data sets, but take many forms and shapes. Linking all possible data to an individual data subjects' profiles would in fact go somewhat against the very principles of the GDPR as it would result in creating very detailed and oftentimes completely unnecessary information about data subjects. There are also some technical and organizational constraints that will make it hard to achieve, and many systems may not be linked together or should not be linked for security reasons.  

Establishing retention times for such types of data is not only a must-have in terms of risk and data minimization but will also greatly facilitate your life in case of subject-access requests.

By implementing reasonably short retention periods, you will have a unique chance to streamline your processing activities so that in a relatively expeditious manner it will be clear what data must be archived or added to individual’s profile and how such data is relevant to your business. This is also a chance to automate deletion process which will greatly reduce costs and work factor.

Specific examples of retention times for processing activities 

Even though establishing and implementing retention rules will never be easy, and the bigger and more complex the organisation is, the more difficult it gets, there are ways to simplify this task, at least to the point of meeting the basic GDPR requirements.

As with all other GDPR compliance obligations, it makes sense to treat all documents, such as policies, notices, records of processing activities, assessments, etc. as closely related with each other and fuel them with consistent rules and information, rather than using completely different descriptions e.g. when it comes to retention.  

Specific examples of retention times for different processing activities based on the above, could include storing:

  • Customer financial and tax data for the purpose of compliance with tax regulations for the period specified by tax laws (the list of such laws and relevant provisions should be available).
  • Newsletter subscribers' information, only until consent is withdrawn by using an "unsubscribe" functionality.
  • Employee files and records for as long as required by relevant employment and social security and social protection laws (the list of such laws and relevant provisions should be available).
  • Direct-marketing customer data for a specifically defined period, e.g. 2 years, unless the customer objects/opts-out sooner or actively opts-in for the data to be used for a longer, defined period.
  • Consumers' contract, service, or delivery data for as long as the contract is in force or services or products are provided, and for a specifically defined additional period if the consumer registers for product support or such data are kept by the consumer in his or her user profile (even then it is recommended to establish some predefined retention period upon which the data will be automatically deleted).
  • Processing data necessary for the establishment, exercise or defense of legal claims, only if such claims can be clearly articulated and defined and until such claims are finally resolved or expire under relevant laws (the general periods under relevant laws, e.g. 10 years, for raising possible claims are by no means sufficient ground to keep all data for such period if there are no specific grounds to identify existing claims. In such cases organizations should conduct legal analysis, considering that some of the information may be retained anyway e.g. for compliance with tax regulations).
  • Health records of hospital patients for the period defined by national laws (the list of such laws and relevant provisions should be available). 

photo credit: pennstatenews via photopin

1 Comment

If you want to comment on this post, you need to login.

  • comment Maryanne Siek • Sep 14, 2018
    Most companies of significant size and global reach have a records retention schedule already in place. Your first stop should always be your Legal Department to find out if such a schedule exists. If so, assuming it's accurate and up to date, you're halfway there. The schedule will almost certainly require some tweaking to address GDPR, but it will tell you all the kinds of records your organization creates and manages, along with the legal requirements for retaining them. It may also document operational requirements and assign departmental ownership for each record type.