GDPR – Privacy Policy and Data Retention

The GDPR's storage-limitation principle (Article 5(1)(e)) states that personal data must not be kept in a form that identifies the data subject for longer than is necessary for the purposes for which it is processed. This is a good thing for everyone's privacy, and also for security: data that has been deleted can no longer be misused, leaked or stolen in a breach.

So in your privacy policy you should specify a retention period (or, where a fixed period is not possible, the criteria used to determine it) for each processing activity, taking into account the nature of the processing, its business purpose and your legal obligations, including any pending or anticipated legal action. Some examples:

  • Bookkeeping legislation in most EU member states requires accounting documents (e.g. invoices) to be kept for a fixed statutory period; 7 years is a common figure, though the exact period varies by country. The retention period here is therefore that statutory period, or longer if legal action involving those records is pending.
  • After interviewing job candidates, you should delete the personal data of the applicants you did not hire, unless an applicant has given consent to remain on file for a specified period so that they can be considered for future positions.
  • When an employee's contract ends, their data should be retained only for as long as local labour and social-security law requires and for as long as any potential legal action is pending.

Also note that the GDPR requires appropriate technical and organisational measures, including access control, to be in place at all times. When a personal data file is no longer needed for day-to-day operations, e.g. because an employee has left the company, the file should be archived and its access controls tightened so that fewer people can reach it, in line with its reduced relevance to the business. Archiving is not an alternative to deletion: the retention clock keeps running, and the archived copy must still be deleted when its retention period expires. For more information on data security, check our knowledge base on the topic.