Most, if not all, organisations need to retain records of information (which may or may not include personal data). These could be for a variety of purposes, including accounting, internal operations, legal obligations, employee administration etc. These purposes must determine how long the information should be kept by the organisation. Good governance requires any organisation to determine its policy on retention and to produce and maintain a schedule of retention.
Through its principle of ‘storage limitation’ the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes.
‘Storage limitation’ must be considered together with the provision commonly called “the right to be forgotten”. The GDPR (Article 17) states that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and that the controller shall have the obligation to erase personal data without undue delay. Article 17 also sets out the circumstances in which this right applies.
What does this mean for personal data that you hold?
You must consider the purpose or purposes for which you hold personal data;
decide on the length of time for which you should retain it;
securely delete any personal data that is no longer needed; and
update, archive or securely delete personal data that has gone out of date.
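The four steps above can be turned into a mechanical retention check. The following is an added example, not code from the original page or from any product the page describes: it assumes a hypothetical retention schedule (RETENTION_SCHEDULE, with purpose names and periods constructed for illustration and not a legal recommendation), a Record type, and a decide() function that returns one of retain, review, pseudonymise or delete for each record on a given date. The pseudonymise() step uses a keyed hash (HMAC-SHA256) as one possible safeguard for data kept for statistical purposes; the key is a placeholder.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule (constructed for this example): purpose ->
# how long the data may be kept after that purpose has ended. An organisation's
# own schedule must set the real periods.
RETENTION_SCHEDULE = {
    "account_security": timedelta(0),        # original purpose: ends with the account
    "tax_audit": timedelta(days=6 * 365),    # associated purpose: statutory record keeping
    "marketing": timedelta(days=2 * 365),    # lapses after the business relationship ends
    "debt_tracing": timedelta(0),            # no need once the debtor has been found
}

# Placeholder key for pseudonymisation; a real deployment keeps it in a KMS/HSM.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


@dataclass
class Record:
    subject_id: str
    purposes: list                    # purposes for which the data is held
    purpose_ended: Optional[date]     # when the original purpose ended (None = still active)
    last_verified: date               # when the data was last confirmed accurate
    archive_for_statistics: bool = False


def retention_expiry(record):
    """Latest date the record may be kept, or None while the purpose is active."""
    if record.purpose_ended is None:
        return None
    unknown = [p for p in record.purposes if p not in RETENTION_SCHEDULE]
    if unknown:
        # A purpose that is not on the schedule cannot justify retention.
        raise ValueError(f"no retention period defined for purposes: {unknown}")
    longest = max(RETENTION_SCHEDULE[p] for p in record.purposes)
    return record.purpose_ended + longest


def decide(record, today, verify_every=timedelta(days=365)):
    """Map a record to retain / review / pseudonymise / delete."""
    expiry = retention_expiry(record)
    if expiry is None or today <= expiry:
        # Still needed, but flag data that has not been checked for accuracy recently.
        if today - record.last_verified > verify_every:
            return "review"
        return "retain"
    if record.archive_for_statistics:
        return "pseudonymise"
    return "delete"


def pseudonymise(record):
    """Replace the direct identifier with a keyed one-way hash so the archived
    record cannot be tied back to the individual without the key."""
    token = hmac.new(PSEUDONYM_KEY, record.subject_id.encode(), hashlib.sha256).hexdigest()
    return Record(
        subject_id=f"pseudo:{token[:16]}",
        purposes=record.purposes,
        purpose_ended=record.purpose_ended,
        last_verified=record.last_verified,
        archive_for_statistics=True,
    )


if __name__ == "__main__":
    # Constructed sample records mirroring the page's bank and tracing-agency cases.
    today = date(2024, 6, 1)
    samples = [
        Record("cust-1", ["account_security", "tax_audit"], None, date(2024, 1, 1)),
        Record("cust-2", ["account_security", "tax_audit"], date(2018, 1, 1), date(2018, 1, 1)),
        Record("cust-3", ["account_security", "tax_audit"], date(2023, 1, 1), date(2023, 1, 1)),
        Record("debtor-1", ["debt_tracing"], date(2024, 5, 1), date(2024, 5, 1)),
        Record("debtor-2", ["debt_tracing"], date(2024, 5, 1), date(2024, 5, 1), True),
    ]
    for r in samples:
        print(r.subject_id, "->", decide(r, today))
```

Running the block walks the sample records through the schedule: an open account is retained, a closed account past its tax-audit period is deleted, a recently closed one is kept but flagged for an accuracy review, and a found debtor is deleted unless the record is marked for statistical archiving, in which case it is pseudonymised rather than kept as-is.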
Why is this important?
It is possible that discarding that data too soon could disadvantage your organisation as well as inconvenience your data subjects. However, keeping personal data for longer than is necessary may cause the following problems.
An increased likelihood of administrative fines.
There is an increased risk that the data will go out of date and that outdated information will be used in error – to the detriment of all concerned.
As time passes it becomes more difficult to ensure that the data is accurate.
The unnecessary data increases the burden of data security, the provision of access to data subjects and the management of any breaches.
You need to consider the further risks associated with personal data that is being processed by your processors and any that may be shared with other controllers.
How long should you hold on to personal data?
In the GDPR definition, 'storage' of personal data is recognised as a form of 'processing'. Retention periods could range from five minutes to five years and beyond. It all depends on the reason or purpose for which you collected the personal data in the first place. There may also be a purpose associated with that original purpose which requires you to hold on to the data for longer. And do you still have a legal basis for those purposes? It pays to regularly revisit Articles 5, 6 and 17.
Consider, for example that a bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank – original purpose. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons – associated purpose.
Personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used in the future. For example, a controller should not retain personal data for the sole purpose of being able to react to potential data subject access requests, and a company’s marketing department should not hold on to ‘customers’’ personal data when those customers have long since ceased doing business with the company.
By way of example, a tracing agency holds personal data about a debtor so that it can find that individual on behalf of a creditor. Once it has found the individual and reported to the creditor, there may be no need to retain the information about the debtor – it should be removed from the agency’s systems unless there are good reasons for keeping it. Such reasons could include the agency having also been asked to collect the debt, or because the agency is authorised to use the information to trace debtors on behalf of other creditors.
Other possible ‘associated reasons’ for retention include, for example, various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. For example, a regulatory body may determine that credit reference agencies are permitted to keep consumer credit data for 'x' number of years.
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards, in particular data minimisation, and by ensuring that the data will not be used to support measures or decisions regarding any particular individuals. Those safeguards may include pseudonymisation. In some cases, Union or Member State law may provide for derogations from certain data subjects’ rights.
‘Statistical purposes’ in particular cover a wide range of processing activities, from commercial purposes (e.g. analytical tools of websites or big data applications aimed at market research) to public interests (e.g. statistical information produced from data collected by hospitals to determine the number of people injured as a result of road accidents).
Processing for ‘historical purposes' can also have specific characteristics and this may require a different set of safeguards. Member States often have specific laws governing access to national archives, archives on recent history of particular interest (such as archives evidencing oppressive regimes), and court files kept by the judiciary.
As regards ‘scientific purposes’, there may also be a need to access different kinds of data. Some research may require raw microdata, which are only partially anonymised or pseudonymised. In some cases, the research purposes involved can only be fulfilled if the pseudonymisation is reversible.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018