Retention Period

Definition

The specific duration for which an organization stores personal data before deletion or anonymization, determined by business needs, legal requirements, and data minimization principles. Under GDPR Article 5(1)(e), data should be kept only as long as necessary for the purposes for which it was collected. Organizations must establish retention schedules considering: legal obligations (tax records, employment files), limitation periods for legal claims, business operational needs, and consent scope. Different data types may have different retention periods—financial records might be kept for seven years, while marketing data might be deleted when consent is withdrawn. Privacy policies should specify retention periods or criteria for determining them. Organizations should implement automated deletion processes where practical, regularly review retention schedules, and maintain documentation justifying retention decisions. When retention periods expire, data should be securely deleted or anonymized. Exceptions include archiving for public interest, scientific research, or statistical purposes with appropriate safeguards.

Applicable Laws & Regulations

  1. GDPR Article 5(1)(e)
  2. CCPA Section 1798.105
  3. Various sector-specific retention requirements
