A common question we receive is “For how long can we store personal data?” The short answer is: “As long as you can motivate and justify your need of the personal data”. It is not possible to specify a specific time limit for all types of personal data, because the period under which it is relevant to process personal data depends on the specific processing activity, which we will go through in detail in this blog post. We have also included some tips to help you determine how long you are allowed to retain a specific type of personal data as well as several examples.
Published September 27th 2023
What is a ‘processing activity’?
The number one skill you have to learn under GDPR is how to classify and identify what a personal data processing or processing activity really is. This is important to know before getting into the details of the answer to this question. GDPR defines “processing” as everything you do with personal data – any action taken on personal data. It includes actions such as collection, recording, structuring, use, disclosure by transmission or otherwise making available, simply storing it, as well as erasure and destruction. In other words, the question “is it lawful to keep this data for X years” cannot be answered without first describing what you intend to do with the data (what processing activity/ies).
“Everything we do with personal data” is a wide definition and it includes both lawful and unlawful processing. To make it easier to fulfil the requirements of the GDPR we instead define a lawful processing activity as “actions/operations (what you do) that are performed for the same purpose (why you do it) and on the same legal basis on a set of personal data”. You can read more about the legal bases here. An unlawful processing activity is outside the scope of this article, but put simply it is where you did not justify one or more actions with a specific purpose tied to a legal basis (collecting, storing, etc., without explaining why).
Example:
Name: Payroll process
Personal data: Name, personal identification number, address, employee number, wage, benefits, sickness days, bank account number and time report.
Purpose: To pay our employees the correct salary we need to know their wage and other benefits and match these to their time report.
Legal basis: Agreement (Article 6(1)(b) GDPR)
Retention: Until the correct pay has been calculated and delivered*
* Note! Some (sometimes all) personal data used for a specific purpose lives on within the organisation, supported by another processing activity, provided you can find another specific purpose with a matching lawful basis (since, here, once the obligation to pay a salary in accordance with the employment contract has been fulfilled, the contract is no longer a valid basis). One example of where some of this data lives on is as proof within the company book-keeping, based not on the contract but on a legal obligation (Article 6(1)(c) GDPR).
In short: When you have identified a set of personal data that is handled in your organisation for the same reason and based on the same legal basis – then you have defined a processing activity. This information will then be used to justify how long you can (and often indeed must) keep the personal data.
Legal basis and purpose
How long you are allowed to keep personal data is determined based on the purpose and the legal basis of the processing activity (“its lifespan”). So, it is essential to know the purpose and the legal basis in order to determine how long you are allowed to retain the personal data. It is a case-by-case assessment that consists of two different parts, which we will soon explain.
GDPR’s principle of storage limitation
The principle of storage limitation in Article 5(1)(e) of the GDPR states that you may only keep personal data for as long as it is necessary for the purpose for which the personal data are processed. It is therefore crucial that you can determine why you need the personal data (define processing activities). Typically, when the purpose of the personal data processing has been fulfilled it is no longer necessary to keep the personal data, and you should delete or anonymize it.
Same personal data – processed for different purposes
Okay, so we know we should not keep personal data longer than necessary. But it is a bit more complicated than that, because the same personal data (name, employee number, salary statement) might be included in different processing activities. This means that you have different purposes for keeping the same information. That is totally reasonable and not uncommon. What’s important is to distinguish these processing activities in order to determine the storage limitation for each processing activity.
Example: In some situations, you may have a legal obligation to continue retaining the personal data or a legitimate interest to do so to establish or defend a legal claim. This means that one personal data processing activity ends when its purpose is fulfilled but another personal data processing starts at the same time (or even earlier on). That “new” processing activity will then be a separate personal data processing with a new purpose and, usually, a different legal basis. This is important because each legal basis comes with its own limitations and obligations.
To conclude, the same personal data can be processed within your organisation in different processing activities at the same time and a new processing activity can begin when another one ends.
Note! There is a distinction between the processing period of a processing activity and the retention period for the personal data itself. A two-step assessment needs to be conducted.
The first step is based on the processing activity. When the conditions for a purpose or legal basis no longer exist, such as when a contract has expired or consent has been revoked, the processing should cease. This means the personal data no longer needs to be kept, and it shall therefore be securely destroyed. But… you also need to consider whether all, or some, of the personal data is used in another processing activity…
In the next step, you should consider whether all or parts of the personal data in the processing activity that will end (based on the decision in the first step) should continue to be processed for a different purpose and legal basis.
In summary: The fact that a data processing activity is ending does not always mean that the personal data should be erased. The personal data may be processed in a different processing activity with a different legal basis and purpose.
How to keep track of this?
Your records of processing activities! It is not rocket science. GDPR is a smart piece of legislation that helps you keep structure and efficiency in your business. The core of every GDPR project is the records of processing activities (“ROPA”). The ROPA includes all the information necessary to determine how long you can keep personal data.
We have developed a user-friendly digital GDPR tool that helps your organisation fulfil several requirements of the GDPR, including the obligation to keep a ROPA. It follows an easy step-by-step method, with built-in help functions and video guidance, so you can get your GDPR documentation in place in no time. Our support staff (with legal degrees and experience) are more than happy to help you get going and to check your documentation along the way.
Examples of how long personal data can be kept
Information about employees’ food allergies: If the personal data regarding employees’ food allergies is processed based on consent as the legal basis, it is important to know that the data must be deleted if the employee withdraws their consent. The storage period is therefore not only influenced by the purpose of the processing but also by the individual’s wishes. The purpose could be to order catering for a company event without harming the employees. The data should be deleted when that is done, unless the data subject consents to you storing the information for future events.
Information about a former employee: When an employee leaves your organisation, it is not appropriate to delete all their personal data. There are certain legal requirements to consider and maybe also some interest within your business (so-called legitimate interest) in storing some personal information. Some personal data may need to be retained to comply with, for example, the Swedish national law called the Employment Protection Act (LAS), or for future pension payments. There may also be a purpose in storing the personal data needed to issue an employer certificate. It is important to ensure that only the personal data necessary for each continued processing activity is retained, and that the rest is deleted or anonymised.
Customer data (private individuals): If you store the data based on the agreement you have entered into with a customer, you may retain the data for as long as the individual is a customer of yours. Here too, certain legal obligations may become applicable and set time limits for continued processing. It may also be the case that you offer a customer warranty for a certain number of years, and for that reason you need to retain customer data to verify purchases at a later date. There is therefore a purpose in retaining the data for the entire warranty period. However, it is important not to store more data than is necessary to fulfil the agreement.
Electronic driving logs: Electronic driving logs can be used to facilitate reporting to the Swedish Tax Agency (Skatteverket). These can be stored based on the legal obligation to file a tax report. The data collected in the driving logs must not be used for longer than necessary to fulfil the reporting obligation. The data must not be stored for purposes other than reporting to the Swedish Tax Agency if the specific legal obligation to file a tax report with the Swedish Tax Agency is used as legal basis.
Employee recruitment: Regarding recruitment, there may be value in storing application documents for two years after the decision to fill a position is made. The reason is that in Sweden recruitment is covered by the national Discrimination Act, and the limitation period for bringing a claim is two years. For an employer to be able to defend against any claims that arise in connection with a recruitment process, it may be beneficial to retain the personal data needed to show that no discrimination occurred when filling the position.
It is important to note that the above applies to data controllers. If you are a data processor, it should be stated in your data processing agreement and its instructions how long you are allowed to process the data. Read more in our previous blog post about data processing agreements (hint: Controller and Processor allocations are also made per processing activity).
Sometimes you are not allowed to delete personal data because you have an obligation to retain it. It is therefore important to understand and assess the legal bases and purposes of your personal data processing, as they form the basis for how long you are allowed, or required, to process personal data.
We hope you find this blog post helpful! If you have any questions regarding processing of personal data or any other GDPR-related matters, please feel free to contact us at +46 (0)46 – 273 17 17 or email@example.com.
GDPR Hero Record is a tool for documenting your personal data processing and your work with GDPR. Book a free demo of GDPR Hero today here.