GDPR Principle 5: Storage Limitation

What is the fifth of the seven data processing principles outlined in GDPR?

The fifth principle of data processing is the storage limitation.

Based on the principle of storage limitation, companies must not keep personal data for longer than it is needed, must be able to justify why they are storing personal data, and must have a data retention policy to erase or anonymize the data.

GDPR text on data storage limitation

Article 5 of GDPR provides that personal data shall be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”

What is data storage limitation?

Based on this fifth data processing principle in GDPR, companies must not hold on to personal data for longer than is necessary for the purpose for which it was processed.

Data storage is the process by which companies hold on to personal data after it has been collected for a particular purpose.

In some cases, data may be collected and the processing purpose will be achieved immediately upon collection.

In other cases, personal data may be collected and the processing of that data will take place over a period of time.

For example, if you buy a product from a company online, you may give your personal information to process the transaction.

If, once the purchase is complete, you have no further dealings with the company, the company no longer needs to process your data.

In another scenario, if you enter into a contract with a company and you have agreed to mutual obligations to be rendered during the course of the next two years, personal data may be collected and processed during this period.

For how long can a company store personal data?

GDPR does not define a specific timeframe or period for storing personal data.

Organizations must assess their collection, storage and processing activities to determine what should be the appropriate data retention period for their data.

The data retention period may be different depending on the category of data or based on specific data characteristics.

GDPR states that the data should not be stored for longer than it is necessary to achieve its purpose.

In other words, once the purpose has been achieved, personal data should be erased or anonymized.

What should be done with the data once the purpose of processing is achieved?

Personal data should be kept only for as long as it is necessary to keep it.

Personal data should therefore not be kept indefinitely, since keeping it is unlikely to remain necessary or to have a justifiable legal purpose.

The longer you hold personal data, the less likely it is that you can justify the legal purpose for holding it, and the more you expose yourself to the additional risk of a security breach.

Companies must evaluate the appropriate timeline for keeping and storing personal data so that they can achieve their purpose while limiting the risk of harm to data subjects.

In the event of a regulatory audit or individual query, companies must be able to justify their personal data storage practices.

Is it mandatory to have a data retention policy?

The data retention policy will generally fit within the context of your company’s documentation obligations.

Article 30 of GDPR requires that companies hold records of their processing activities.

Such records must be made available to data protection authorities upon request.

By maintaining a data retention policy, organizations can demonstrate they have taken diligent and necessary steps to comply with their storage limitation obligations.

Companies can define different storage periods per category of information and show that once the retention period has been completed, the data is deleted or anonymized.

In some cases, smaller organizations performing low-risk data processing may not need to document their data retention policy, although it’s good practice to have one.

How to define the right retention period for data storage?

Just like with most of the other GDPR principles, there are no set rules to follow or a specific timeline to respect when considering your storage limitation obligation.

Companies must evaluate the storage of personal data based on their unique business needs and purpose of collection.

If you want to know how to define the right retention period for data storage, you’ll need to consider the following points:

  • you should not store data longer than necessary after its stated purpose is achieved
  • whether you want to keep a record of your relationship with the data subject even after the relationship ends
  • what information may be relevant to keep in case of legal action or a claim against your organization
  • what other legal or regulatory obligations require you to keep the data, such as retention under tax laws, securities laws or other specific statutes
  • what industry standards or professional guidelines you must observe in keeping data

What should be done once the data retention period is over?

Once your data retention period is over, you must either delete the data or anonymize it.

In other words, personal data should no longer be processed or stored in any way and must be definitively taken out of use.

In some cases, companies may decide to archive the data instead of deleting it, thinking that archiving is safer than deletion.

Archiving data is still considered to be data processing and storage.

As a result, if you archive the data, you must make sure that you have a justifiable purpose for archiving.

If not, you may be considered to have kept the data beyond the appropriate time after the processing purpose was achieved.

Although there may be no consensus on what deleting data actually means, deleting data once the retention period is over means effectively rendering it unusable, inaccessible and removed from any processing activity.

Even though deleting data may still leave traces, provided that the personal data is out of reach and no longer processed, the obligations under the storage limitation principle will be met.
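As an added illustration (not from the original post and not from any GDPR text), the following Python sketch shows how a retention sweep can apply the two practices described above: a retention period defined per category of data, and deletion or anonymization once that period is over. The categories, periods, e-mail addresses and dates are constructed; GDPR sets no fixed figures, so each period in the table would have to be justified against the purpose of processing and any statutory obligation. The `legal_hold` flag stands in for the "legal action or claim" consideration in the list above, and an undefined category fails closed, since a category with no documented period cannot be justified in an audit.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Retention schedule per data category, in days (constructed example values).
# The comments record the justification, as a retention policy should.
RETENTION_DAYS = {
    "marketing_consent": 365,   # assumed: one year after the relationship ends
    "order_record": 365 * 7,    # assumed: bookkeeping obligation under tax law
    "support_ticket": 365 * 2,  # assumed: window for follow-up complaints
}

# Categories that are anonymized (kept for statistics) rather than deleted.
ANONYMIZE_INSTEAD_OF_DELETE = {"order_record"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_email: str
    purpose_completed_on: date  # when the processing purpose was achieved
    legal_hold: bool = False    # pending claim: retention must be justified separately


def retention_deadline(rec: Record) -> date:
    """Date after which the record may no longer be kept in identifiable form."""
    try:
        days = RETENTION_DAYS[rec.category]
    except KeyError:
        # Fail closed: a category with no documented period has no justification.
        raise ValueError(f"no retention period defined for {rec.category!r}")
    return rec.purpose_completed_on + timedelta(days=days)


def decide(rec: Record, today: date) -> str:
    """Return one of 'keep', 'hold', 'anonymize' or 'delete'."""
    if today < retention_deadline(rec):
        return "keep"
    if rec.legal_hold:
        return "hold"  # kept past the deadline, but for a distinct, documented purpose
    if rec.category in ANONYMIZE_INSTEAD_OF_DELETE:
        return "anonymize"
    return "delete"


def anonymize(rec: Record) -> Record:
    # Remove the identifying field; a record that no longer permits identification
    # of the data subject falls outside the storage limitation principle.
    return replace(rec, subject_email="<anonymized>")


def sweep(records, today: date):
    """Apply the policy; return the surviving records and an audit log of actions."""
    kept, log = [], []
    for rec in records:
        action = decide(rec, today)
        log.append((rec.record_id, action))
        if action in ("keep", "hold"):
            kept.append(rec)
        elif action == "anonymize":
            kept.append(anonymize(rec))
        # "delete": the record is dropped from the store entirely
    return kept, log


# Constructed sample data for a run on 2024-06-01.
SAMPLE_RECORDS = [
    Record("r1", "marketing_consent", "alice@example.com", date(2022, 1, 10)),
    Record("r2", "order_record", "bob@example.com", date(2016, 5, 1)),
    Record("r3", "support_ticket", "carol@example.com", date(2023, 8, 15)),
    Record("r4", "support_ticket", "dave@example.com", date(2021, 3, 1), legal_hold=True),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    remaining, actions = sweep(SAMPLE_RECORDS, TODAY)
    for record_id, action in actions:
        print(f"{record_id}: {action}")
    print(f"{len(remaining)} of {len(SAMPLE_RECORDS)} records remain")
```

The audit log returned by `sweep` is what you would keep to demonstrate, under Article 30, that each record was handled according to the documented schedule; the "hold" outcome makes explicit that anything kept past its deadline needs its own justification rather than silently remaining in the store.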

For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?