One of the most frequently asked questions in GDPR compliance is deceptively simple: how long can we keep personal data? The answer is equally simple in principle — only as long as necessary for the purpose for which it was collected. In practice, however, this principle is one of the most commonly ignored areas of compliance.
Data accumulates. Systems fill up. Nobody makes the decision to delete. And when a supervisory authority asks why personal data collected three years ago is still being processed, “we haven’t got around to deleting it” is not a sufficient answer.
What does the storage limitation principle require?
The storage limitation principle is set out in Article 5(1)(e) GDPR. It requires that personal data is kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the data is processed.
Once the purpose has been fulfilled, personal data should be:
- erased — permanently and irreversibly deleted,
- anonymised — in a way that makes re-identification impossible,
- archived — where a legal obligation requires it.
Defining a retention period in a policy is not enough. The controller must ensure that data is actually deleted when the period expires — and must be able to demonstrate this.
What determines how long personal data can be kept?
There is no single retention period that applies across all personal data. The appropriate period depends on three factors:
Purpose of processing — data collected to fulfil a contract can be kept for the duration of the contract and through the limitation period for claims arising from it. Data collected on the basis of consent must be deleted when the consent is withdrawn and no other legal basis applies.
Sector-specific legal requirements — many jurisdictions impose minimum retention periods for specific types of records. Tax and accounting records, employment documentation and health records are all subject to statutory retention obligations that override the general GDPR minimisation principle. Data must be retained for at least as long as the law requires.
Limitation periods for legal claims — even after a business relationship ends, a controller may retain personal data for the duration of the applicable limitation period for civil claims, to enable it to defend or pursue legal proceedings.
Indicative retention periods by data category
Retention periods vary by jurisdiction and sector. The following are indicative — controllers must verify the applicable rules in their own country and sector.
Employee records — employment contracts, payroll records and related HR documentation are typically subject to statutory retention periods of between 5 and 10 years after employment ends, depending on national law. In some jurisdictions, certain records must be kept for up to 50 years.
Financial and accounting records — invoices, payment records and tax documentation are typically retained for 5 to 7 years, as required by tax legislation.
Customer data — contract fulfilment — data processed to perform a contract should be retained for the duration of the contract and through the applicable limitation period for civil claims (typically 3 to 6 years depending on jurisdiction).
Marketing and newsletter data — retained until consent is withdrawn. After withdrawal, the data should be deleted promptly.
Job applicant data — where the applicant is not hired, data should generally be deleted after the recruitment process concludes. Where consent is obtained for future recruitment, a defined period (typically up to 12 months) may be used.
CCTV / video surveillance — typically between 30 and 90 days, unless the footage constitutes evidence in a formal proceeding.
Website analytics cookies — typically 13 to 26 months, depending on the tool and its configuration.
How to implement data retention in practice
Defining retention periods is only the first step. Effective retention management requires:
Linking retention periods to processing activities. Every entry in the record of processing activities should specify the retention period for the data involved. Without this link, retention periods exist only in theory.
Defining the start of the retention period. The clock may start from different points depending on the category of data — the date of collection, the end of a contract, the end of employment, the withdrawal of consent, or the end of the tax year. This must be clearly specified for each category.
Assigning responsibility for erasure. Someone must be responsible for reviewing and deleting data when the period expires. Without clear ownership, nothing gets deleted.
Documenting erasures. The accountability principle requires that the controller can demonstrate compliance. A record of when data was deleted, by whom and on what basis is essential evidence during a supervisory authority inspection.
Covering all systems. Data deleted from the primary system may still exist in email inboxes, shared drives, backup copies or at third-party processors. Retention must be managed consistently across all locations.
Most common mistakes in data retention
No defined retention periods. Data is kept indefinitely because nobody has decided how long it should be stored. “Indefinitely” is not a valid retention period under GDPR.
Retention periods defined but not enforced. The policy exists but data is never actually deleted. Defining a period without a process to enforce it provides no compliance value.
Deletion from one system only. Data is erased from the CRM but remains in email archives, backup copies and third-party systems. Fulfilment must be comprehensive.
No documentation of erasures. The controller cannot demonstrate when data was deleted or on what basis. This breaches the accountability principle.
Backup data overlooked. Backup copies are frequently omitted from retention planning. Where immediate deletion from backups is not technically feasible, the controller should restrict processing of that data until the backup is rotated.
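The retention process described in the implementation section, and the mistakes listed just above, are easier to reason about when the retention register is modelled as data rather than as a policy document. The following is an added example written for this page; it is not code from the original article or from iGDPR. It models retention rules with an explicit trigger event and period, computes each copy's expiry date, flags assets that have no rule, keeps an audit trail of erasure actions, and treats a data set as still held until every recorded location (including backups and mail archives) has a final action logged. A backup copy that cannot be deleted yet is logged as "restricted", which keeps it visible as outstanding. All categories, periods, system names, dates and identifiers are constructed sample values.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule, tied to a category in the record of processing."""
    category: str
    trigger: str      # the event that starts the clock (collection, contract end, ...)
    months: int       # retention period counted from that event
    basis: str        # why this period applies (statute, limitation period, consent)


@dataclass(frozen=True)
class DataAsset:
    """A concrete data set and every system that holds a copy of it."""
    asset_id: str
    category: str
    trigger_date: date     # when the trigger event actually happened
    locations: tuple       # primary system plus mailboxes, backups, processors
    owner: str             # person responsible for erasure


@dataclass(frozen=True)
class ErasureRecord:
    """Audit-trail entry: what was done to which copy, when, by whom and on what basis."""
    asset_id: str
    location: str
    action: str            # "erased", "anonymised", "archived" or "restricted"
    done_on: date
    actor: str
    basis: str


# Only these actions end the retention of a copy; "restricted" does not.
FINAL_ACTIONS = {"erased", "anonymised", "archived"}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expiry_date(rule: RetentionRule, asset: DataAsset) -> date:
    """Expiry is the trigger date plus the period, never the date of collection by default."""
    return add_months(asset.trigger_date, rule.months)


def review(assets, schedule, today: date):
    """One finding per stored copy: 'retain', 'erase_due', or 'no_rule' for an unmapped category."""
    rules = {r.category: r for r in schedule}
    findings = []
    for asset in assets:
        rule = rules.get(asset.category)
        if rule is None:
            # the "no defined retention period" mistake: surface it instead of keeping data forever
            findings.append((asset.asset_id, "*", "no_rule"))
            continue
        status = "erase_due" if today >= expiry_date(rule, asset) else "retain"
        for location in asset.locations:
            findings.append((asset.asset_id, location, status))
    return findings


def record_action(log: list, asset: DataAsset, location: str, action: str,
                  today: date, actor: str, basis: str) -> ErasureRecord:
    """Append an audit entry; a 'restricted' entry marks a backup copy awaiting rotation."""
    if location not in asset.locations:
        raise ValueError(f"{asset.asset_id} is not recorded in {location}")
    entry = ErasureRecord(asset.asset_id, location, action, today, actor, basis)
    log.append(entry)
    return entry


def outstanding_locations(asset: DataAsset, log) -> list:
    """Copies still holding identifiable data; erasure is complete only when this is empty."""
    done = {e.location for e in log
            if e.asset_id == asset.asset_id and e.action in FINAL_ACTIONS}
    return [loc for loc in asset.locations if loc not in done]


# Constructed sample schedule and inventory (placeholder categories, periods and system names).
SCHEDULE = (
    RetentionRule("financial_records", "end_of_tax_year", 84, "statutory retention (sample: 7 years)"),
    RetentionRule("job_applicant_unsuccessful", "recruitment_closed", 1, "purpose fulfilled"),
    RetentionRule("marketing_consent", "consent_withdrawn", 0, "consent withdrawn"),
)
ASSETS = (
    DataAsset("INV-2017", "financial_records", date(2017, 12, 31), ("erp", "backup"), "finance"),
    DataAsset("APP-0042", "job_applicant_unsuccessful", date(2024, 3, 15), ("ats", "mail_archive"), "hr"),
    DataAsset("CRM-9", "customer_contract", date(2023, 1, 1), ("crm",), "sales"),  # no rule defined
)

if __name__ == "__main__":
    today = date(2025, 1, 10)
    for finding in review(ASSETS, SCHEDULE, today):
        print(finding)
    log = []
    record_action(log, ASSETS[0], "erp", "erased", today, "finance", "retention period expired")
    record_action(log, ASSETS[0], "backup", "restricted", today, "finance", "awaiting backup rotation")
    print("still held in:", outstanding_locations(ASSETS[0], log))
```

Running the module lists every copy that is due for erasure, shows the unmapped `customer_contract` category as `no_rule`, and reports that `INV-2017` is still held in `backup` after the primary copy is erased, because a restriction entry does not count as a final action. The schedule and inventory tuples stand in for the record of processing activities; in a real deployment they would be loaded from that record so that each category's period and trigger are defined in exactly one place.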
Data retention in iGDPR
iGDPR includes a dedicated retention management module that enables retention periods to be assigned directly to processing activities in the record, generates notifications when review or deletion deadlines are approaching, and allows erasure actions to be documented with supporting evidence — such as a signed deletion confirmation. The system provides a complete audit trail of retention actions, making it straightforward to demonstrate compliance during a supervisory authority inspection.
Summary
GDPR data retention is not a document — it is a process. Defining retention periods is only the beginning. The controller must ensure that data is actually deleted when those periods expire, that deletions are documented, and that the process covers every system and location where the data is held.
Key principles:
- personal data may only be kept as long as necessary for the purpose of processing,
- retention periods must be defined for every category of data in the record of processing activities,
- the start of the retention period must be clearly specified,
- deletions must be documented to demonstrate accountability,
- retention must cover all systems — including backups and third-party processors.
Frequently asked questions about GDPR data retention
No — GDPR does not specify fixed retention periods. The appropriate period depends on the purpose of processing, any applicable sector-specific legal requirements, and the limitation period for legal claims. Controllers must determine retention periods themselves and document their reasoning.
Data collected to perform a contract should generally be retained for the duration of the contract and through the applicable limitation period for civil claims. Financial records are typically subject to statutory retention of 5 to 7 years. Marketing data should be deleted when consent is withdrawn.
No — storing data “just in case” is a breach of the storage limitation principle. Data may only be retained as long as there is a specific, documented purpose for the processing.
Yes — in principle. Where immediate deletion from backups is technically impossible, the controller should restrict processing of the data until the backup is rotated. The approach to backups varies by supervisory authority.
The data must be erased, anonymised or archived in accordance with any legal obligation requiring further retention. The erasure should be documented.
By maintaining a record of deletions — specifying the data category, the date of deletion, the person responsible and the legal basis. This forms part of the accountability documentation.
Manage data retention periods and document erasures in one system
iGDPR lets you assign retention periods to processing activities, receive notifications when deadlines approach and document every erasure with a full audit trail — ready for a supervisory authority inspection at any time. See how it works in practice.
