An important principle that companies must take into account when processing personal data is the principle of storage limitation. According to that principle you have the obligation to organise the “data lifecycle” of the personal data that you process and, more specifically, to set and monitor maximum retention periods for those personal data.
It is not always easy to determine exactly how long the personal data can be stored and many companies are struggling with this. How long can you store which personal data? How long is it “necessary” to store personal data? What should you take into account when setting retention periods? Can you always freely determine the storage periods?
In this article, we try to answer these questions on the basis of a practical guide from the French supervisory authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL).
The data lifecycle, what is it?
Almost every company processes personal data. Data is collected, organised and stored, updated and further used, possibly forwarded and eventually deleted. The set of processing operations that personal data undergoes forms the life cycle of personal data.
In its practical guide, the CNIL divides this life cycle into three subsequent phases:
- The current use (“active basis”) of personal data: this stage concerns the current use of personal data by the various departments within the company responsible for processing them. In concrete terms, this means the collection of personal data and their daily use within the company. The personal data are accessible in the immediate working environment for the various stakeholders who have to work with the personal data.
- The interim archiving of personal data: the personal data are no longer actively used to achieve the recorded purposes (“closed files”), but are still of interest to the company because they can be useful later, for example in the context of possible future disputes or to comply with a legal obligation. The personal data may be consulted later than in an ad hoc and reasoned manner by specifically authorised persons.
- The final archiving of personal data: this concerns personal data that are archived without a time limit. It concerns processing carried out for the purpose of archiving in the public interest, scientific or historical research or statistical purposes. The CNIL notes that this last stage is mainly relevant for the public sector.
The CNIL emphasises the basic principle laid down in article 5 GDPR that personal data must be definitively deleted at the end of the intended processing, in other words: when the purpose for which your data was used has been achieved.
This does not mean that data should be systematically deleted everywhere and in all cases. Personal data can be used for various successive applications (and therefore purposes) and a different retention period may apply for each application and purpose.
For example, it is possible in certain cases to temporarily archive or anonymise personal data. In this respect, permanent anonymisation is on the same footing as deletion, since anonymised data are no longer personal data.
How do you determine appropriate retention periods?
The GDPR does not determine exactly how long personal data may be retained. In other words, the regulation does not provide a list of predetermined retention periods.
However, the CNIL does now provide some useful guidelines:
- Sometimes the law determines how long you may or must retain data (for example, the retention of certain accounting documents).
- There are also sector-specific guidelines from some supervisory authorities, such as the CNIL itself (see for example its “reference frameworks“, such as reference RS-001 “the management of health monitoring”).
- In some cases, references can also be found within the sector, for example in sector codes.
The CNIL offers an evaluation scheme to help companies determine retention periods. That scheme can be found here.
Some concrete examples
- How long can I retain (personal data in) the invoices from my accounts (bookkeeping)?
Each company has the obligation to keep its accounting documents for 7 years from the first day of the year following the closing of the financial year (Royal Decree of 21 October 2018).
Documents relating to construction and renovation – including invoices and contracts for (the sale of) real estate property, contractors and architects – are even subject to a retention period of 10 years.
This means that the retention period for personal data from accounting documents can be set at a minimum of 7 years, in some cases even 10 years.
- How long should/may I retain (personal data in) a CV or an employment contract?
A large number of social documents are subject to a mandatory retention period of 5 years (Royal Decree of 8 August 1980). The justification for the retention of personal data in these documents is therefore easy to find.
Furthermore, the purpose of processing the concrete personal data is of course important.
The Dutch supervisory authority, called the Autoriteit Persoonsgegevens, states that it is customary for an organisation to delete application data no later than 4 weeks after the end of the application procedure. However, the candidate may give his/her consent for the personal data to be stored for a longer period of time, for example because a suitable position for the candidate may be available at a later date. A maximum period of 1 year after the end of the application procedure is reasonable in the opinion of the Dutch supervisory authority.
For personal data in an employment contract, it is logical that the data should be kept for the period during which the employment contract is executed. The retention of such data after termination of the employment contract is perfectly possible, for instance on the basis of the above-mentioned mandatory retention period for a number of social documents (depending on the specific case).
- How long can I retain a customer’s contact details?
Also in this case the purpose of processing the concrete personal data is important.
When it comes to the data that is needed to execute an ongoing agreement, few questions arise. As long as the contract is in force (or more concretely, as long as certain obligations in the contract are executed or remain relevant – for example, guarantee provisions), personal data can be retained.
If the same personal data is also retained and used for another purpose (in addition to the execution of an agreement), such as for direct marketing purposes, then you can of course retain the data for a certain period after the termination of the agreement.
Finally, you can find another interesting example in this article “Retention periods under GDPR: Interesting decision by the Austrian supervisory authority“.
What if the personal data are also processed by your company’s partners (suppliers, subcontractors, etc.)?
Personal data that you, as the data controller, pass on to a data processor remains your responsibility. You must therefore ensure that the personal data is stored correctly and ultimately deleted by your partner (the data processor).
The obligations of the data processor have to be included in a data processing agreement and the data processor has to receive clear instructions, including on how to store the personal data in accordance with the specified retention periods.
Useful tips on the use of data processing agreement can be found in our article “data processing agreement with your website developer or hosting provider“.
Would you like to take further concrete steps towards GDPR compliance yourself?
Then be sure to take a look at our GDPR toolkit, which you can find here.