Retention of personal data
In order to keep proper records, organisations have to retain certain personal data for a period of time. Retaining personal data longer than necessary, however, is not permitted. The General Data Protection Regulation (GDPR) does not set a concrete retention period for personal data; organisations decide for themselves how long they retain it. Other laws, such as tax laws, do contain concrete retention periods that organisations have to comply with.
Determining retention periods
The basic principle is that you are not allowed to retain personal data longer than necessary. What is necessary depends on the situation. That is why you have to determine for yourself what is appropriate in your situation. Unfortunately, there is no formula for determining retention periods. However, the answers to the following questions may help you:
- Are there statutory retention periods that you have to comply with? For example, based on tax laws or the Public Records Act? Or are legal proceedings still pending? Then you also have to retain the personal data.
- How long do you need the data for the purpose for which you process the data? Also look at your company policy when answering this question. You may, for example, still need certain data for monitoring outstanding invoices.
- The basic principle of the law is that you retain personal data for the shortest possible period. Can you shorten the retention period?
Tip: Are you affiliated with a sector organisation? Then this association may have more information about which retention periods are common in your branch of industry. This can be found, for example, in a code of conduct.
Recording retention periods
Record the retention periods and your substantiation (why did you opt for a specific retention period?), for example in your privacy policy. You can then account for your retention periods when the Dutch Data Protection Authority (Dutch DPA) asks about them. The Dutch DPA assesses, among other things, whether your substantiation is reasonable and whether you actually keep the retention period as short as possible, given the purpose of the processing.
Also include the retention periods in your privacy statement, so that the people whose data you process know how long you retain their data. If people feel that you retain their data for too long, they can ask you to remove the data. They have the right to removal of data if you no longer need the data, or if the statutory retention period has expired. People can also submit a complaint about you to the Dutch DPA if you do not remove their data in time.
Archiving personal data
The government is obliged to retain certain information permanently. This can be found in the Public Records Act. This information often contains personal data. That is why organisations also have to deal with the GDPR when archiving data. Read more: Archiving by the government.
Destroying personal data
Check the personal data that you process at regular intervals. Has the retention period of personal data expired, or are the data no longer necessary? Then you have to destroy the data. Alternatively, you can anonymise the data.
When destroying personal data, you have to exercise due care. This means that you must pay proper attention to the way you destroy the data, especially if it concerns sensitive data, such as medical data. For digitally stored data, for example, systems have been developed that destroy data automatically at a predefined time.