Storage Limitation

A fundamental data protection principle under GDPR Article 5(1)(e) requiring that personal data be kept in a form permitting identification of data subjects for no longer than necessary for processing purposes. This principle mandates establishing retention periods based on legitimate business needs, legal obligations, and processing purposes. When retention purposes expire, data must be deleted or anonymized. Organizations should: define retention schedules for different data categories, document justifications for retention periods, implement automated deletion processes where feasible, regularly review retained data, consider archiving versus active storage distinctions, and maintain records of deletion activities. Exceptions allow longer retention for archiving in public interest, scientific/historical research, or statistical purposes with appropriate safeguards. Storage limitation connects with data minimization—organizations shouldn't collect data they'll immediately delete or retain indefinitely data they no longer need. Privacy policies should specify retention periods or criteria, and organizations should honor data subject deletion requests unless exceptions apply.