GDPR – Data Retention and Privacy Policy

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not kept longer than necessary for the purpose it was collected for. This protects everyone's privacy and also reduces your risk: data that has been deleted can no longer be misused, exposed or stolen in a breach.

So in your privacy policy you should specify a data retention period for each processing activity, taking into account the nature of the processing, its business purpose and your legal obligations, including any pending legal action. Some examples:

  • Legislation in EU member states requires bookkeeping documents (e.g. invoices) to be kept for a statutory period, commonly 7 years; check the period that applies in your own country. The retention period is then that statutory period, or longer while legal action is pending.
  • After interviewing job candidates, remove the personal data of the applicants you do not hire, unless the applicant consents to staying on file for a specific period in order to be considered for future positions.
  • When an employee's contract ends, retain the data only for as long as local labour law prescribes and any potential legal action is pending.

Make sure your firm has processes in place so that the personal data of its customers is periodically removed or anonymised. If your systems support automated removal of end-of-life data (e.g. log files that are deleted automatically after 6 weeks), use those capabilities. If no such automation is available, implement a manual process that takes the following into account:

  • Periodically assess which prospect or customer records have been inactive for longer than their retention period and should therefore be removed from your systems. Records subject to pending legal action are the exception: keep those until the matter is closed.
  • If your system has no built-in delete function, contact the software vendor. If deletion is still not possible, anonymise all personal data in those end-of-life records, e.g. names, addresses, phone numbers, communications etc. Anonymisation must be irreversible: pseudonymised data, such as a hash of an e-mail address or phone number that can be brute-forced from the small input space, is still personal data under GDPR.
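As an added example, not part of this page or of the GDPRWise product, the Python script below implements such a periodic retention check against a simple record store. The activity categories, retention periods, field names and the sample records are assumptions for illustration; take the real periods from your own privacy policy and register. The script keeps records under legal hold untouched, deletes expired records where the system supports deletion, and otherwise overwrites the personal-data fields so the record survives but no longer identifies anyone.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period in days per processing activity. These values are
# assumptions for this example; take yours from your privacy policy and
# processing register and check the statutory period for your country.
RETENTION_DAYS = {
    "bookkeeping": 7 * 365,        # invoices and other bookkeeping documents
    "applicant": 30,               # unsuccessful applicants, no consent to stay on file
    "applicant_consented": 365,    # applicant consented to be kept for future positions
    "prospect": 2 * 365,           # inactive prospects
    "former_employee": 5 * 365,    # after contract end, as local labour law prescribes
}

# Fields that identify a person and must go when a record reaches end of life
# (assumed field names for this example).
PII_FIELDS = ("name", "address", "phone", "email", "communications")


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date          # last date the record was needed for its purpose
    legal_hold: bool = False     # pending legal action: retention is extended
    data: dict = field(default_factory=dict)


def is_expired(rec: Record, today: date) -> bool:
    """True when the record is older than the retention period for its category."""
    if rec.category not in RETENTION_DAYS:
        # An activity without a documented retention period is a policy gap;
        # fail loudly instead of guessing a period.
        raise KeyError(f"no retention period defined for {rec.category!r}")
    return today - rec.last_activity > timedelta(days=RETENTION_DAYS[rec.category])


def anonymise(rec: Record) -> Record:
    """Overwrite personal data in place. Overwriting is irreversible; hashing is
    not enough, because a hash of a phone number or e-mail address can be
    brute-forced from the small input space and so is still personal data."""
    for key in PII_FIELDS:
        if key in rec.data:
            rec.data[key] = "[REMOVED]"
    return rec


def enforce_retention(records, today: date, delete_supported: bool):
    """Apply the retention policy to a list of records.

    Returns (remaining, actions): the records still present after the run and a
    mapping record_id -> "keep" | "hold" | "delete" | "anonymise".
    Expired records are deleted when the system supports it and anonymised
    otherwise; records under legal hold are always kept unchanged.
    """
    remaining, actions = [], {}
    for rec in records:
        if not is_expired(rec, today):
            actions[rec.record_id] = "keep"
            remaining.append(rec)
        elif rec.legal_hold:
            actions[rec.record_id] = "hold"
            remaining.append(rec)
        elif delete_supported:
            actions[rec.record_id] = "delete"
        else:
            actions[rec.record_id] = "anonymise"
            remaining.append(anonymise(rec))
    return remaining, actions


# Constructed sample records for the example run (fictional people and data).
SAMPLE = [
    Record("inv-1", "bookkeeping", date(2016, 1, 1), legal_hold=True,
           data={"name": "A. Example", "address": "1 Sample Street"}),
    Record("inv-2", "bookkeeping", date(2016, 1, 1),
           data={"name": "B. Example", "address": "2 Sample Street"}),
    Record("app-1", "applicant", date(2023, 12, 20),
           data={"name": "C. Example", "email": "c@example.test"}),
    Record("app-2", "applicant", date(2023, 11, 1),
           data={"name": "D. Example", "phone": "+32 2 555 0100"}),
    Record("pro-1", "prospect", date(2021, 6, 1),
           data={"name": "E. Example", "communications": "notes from sales call"}),
]


def run_example(today: date = date(2024, 1, 15), delete_supported: bool = False):
    """Run the policy against fresh copies of the sample data as of `today`."""
    records = [Record(r.record_id, r.category, r.last_activity, r.legal_hold, dict(r.data))
               for r in SAMPLE]
    return enforce_retention(records, today, delete_supported)


if __name__ == "__main__":
    remaining, actions = run_example()
    for rid, action in actions.items():
        print(f"{rid}: {action}")
    for rec in remaining:
        print(rec.record_id, rec.data)
```

Run on the constructed sample as of 15 January 2024, the 2016 invoice under legal hold is kept as-is, the other 2016 invoice and the old prospect are past their periods and get anonymised (or deleted when `delete_supported=True`), the applicant interviewed on 20 December is still within 30 days and is kept, and the one from 1 November is anonymised. Schedule a run like this on a fixed cadence and log the actions taken, so the periodic review is evidenced rather than left to memory.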

GDPR also requires appropriate access control at all times. When a file of personal data is no longer relevant to day-to-day operations, e.g. an employee has left the company, archive it and tighten its access control so that fewer people can reach it, in line with its reduced relevance to the firm.


Wondering whether your privacy policy is GDPR compliant? We encourage you to perform a quick and free GDPR compliance scan of your privacy policy: simply paste the link to your privacy policy web page into our Privacy Policy Checker and see where you stand with your GDPR compliance efforts.

GDPR Compliance software for the SME – GDPRWise App

Get access to our GDPR compliance software. GDPR requirements have been simplified and reduced to their essence for you. With a single click, the GDPRWise App generates your privacy policy and GDPR register from the sector-specific content we provide in your online GDPRWise dossier. Our software holds listings of the processing activities that involve personal data across a great many industries.