Sep 13

Storage limitation

DPOrganizer’s GDPR Requirements Series

#6 – Storage limitation

Hello there, I’m Anna! In the previous post, Albin explained the meaning of the principle of purpose limitation, which requires that every processing activity should have a specified, explicit and legitimate purpose – and that you don’t process personal data for a new purpose that is incompatible with the previous one. In this post, we will look further into another principle that is linked to the one of purpose limitation – namely the principle of storage limitation. Let’s get to business!

This principle entails that you, as a controller, are required to justify how long you store the personal data, and that justification depends on your chosen purpose. Remember that you are not allowed to keep the data longer than is necessary for the purpose you previously decided you need the data for. To help you draw the line in time, there are in practice two forms of limit to choose from: either a fixed period in days, months or years, or, when a fixed period isn’t possible, a criterion or set of criteria that determines how long you plan to keep the data. The chosen criteria should be understandable and predictable to the data subjects.

In addition to this, there are a few other obligations to pay careful attention to. You should periodically review the chosen time periods to confirm that they are still limited to what’s necessary for your purpose. To ensure compliance with the principle, you also need to have a data retention policy or schedule in place, listing all personal data kept, the specific purpose(s), and the retention period for each personal data category. The policy could also name who’s responsible for each personal data category, so that it becomes a living document that works in practice; e.g., HR for the personal data relating to employment, or the CFO for the personal data relating to financial reporting. Furthermore, you need to enforce the policy or schedule properly.

When it’s no longer necessary for your purpose to keep the data, you must delete or anonymise it. The personal data must actually be deleted from your systems and records according to what has been decided. If you want to further educate yourself about storage limitation, we recommend that you look into the EDPB Guidelines and the ICO Guidelines on the UK GDPR.
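To show what a retention schedule and its enforcement can look like in practice, here is an added example in Python. It is not DPOrganizer’s tool or code, and the categories, owners and retention periods in it are constructed sample values, not recommendations for any organisation. It models both forms of limit described above (a fixed period, or a criterion evaluated per record), records who owns each category, and applies the decided action (delete or anonymise) only to records whose limit has passed.

```python
"""Retention schedule enforcement: added illustration, not DPOrganizer code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Fields treated as identifying when a record is anonymised (assumption for this example).
PII_FIELDS = ("name", "email", "ip")


@dataclass
class RetentionRule:
    """One row of the retention schedule: what is kept, why, by whom, and for how long."""
    category: str
    purpose: str
    owner: str
    fixed_period: Optional[timedelta] = None            # limit as a set period from collection
    criterion: Optional[Callable[[dict, date], bool]] = None  # or a criterion: True when no longer needed
    action: str = "delete"                               # "delete" or "anonymise"

    def expired(self, record: dict, today: date) -> bool:
        """Return True when the record has reached its retention limit."""
        if self.fixed_period is not None:
            return record["collected"] + self.fixed_period <= today
        if self.criterion is not None:
            return self.criterion(record, today)
        raise ValueError(f"rule for {self.category!r} must define a fixed period or a criterion")


def two_years_after_employment_end(record: dict, today: date) -> bool:
    """Criterion-based limit: data is no longer needed two years after employment ends.
    The two-year figure is a constructed sample value, not a legal period."""
    end = record.get("employment_end")
    return end is not None and end + timedelta(days=2 * 365) <= today


def anonymise(record: dict) -> dict:
    """Strip identifying fields so the record no longer relates to a person."""
    out = dict(record)
    for field_name in PII_FIELDS:
        if field_name in out:
            out[field_name] = None
    out["anonymised"] = True
    return out


# The retention schedule itself: every category, its purpose, owner and limit (constructed values).
SCHEDULE = [
    RetentionRule("employee_records", "employment administration", "HR",
                  criterion=two_years_after_employment_end, action="delete"),
    RetentionRule("invoice_contacts", "financial reporting", "CFO",
                  fixed_period=timedelta(days=7 * 365), action="delete"),
    RetentionRule("web_analytics", "product analytics", "Product",
                  fixed_period=timedelta(days=90), action="anonymise"),
]


def enforce(records: list, schedule: list, today: date):
    """Apply the schedule: keep unexpired records, delete or anonymise expired ones.
    Returns (records_to_keep, actions_taken). A record whose category has no rule is
    an error, since every category of personal data must be covered by the schedule."""
    rules = {rule.category: rule for rule in schedule}
    kept, actions = [], []
    for rec in records:
        rule = rules.get(rec["category"])
        if rule is None:
            raise KeyError(f"no retention rule for category {rec['category']!r}")
        if not rule.expired(rec, today):
            kept.append(rec)
        elif rule.action == "anonymise":
            kept.append(anonymise(rec))
            actions.append(("anonymise", rec["id"]))
        else:
            actions.append(("delete", rec["id"]))
    return kept, actions


# Constructed sample records and reference date.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    {"id": 1, "category": "employee_records", "name": "A", "email": "a@example.com",
     "collected": date(2015, 1, 10), "employment_end": None},
    {"id": 2, "category": "employee_records", "name": "B", "email": "b@example.com",
     "collected": date(2018, 5, 2), "employment_end": date(2021, 3, 1)},
    {"id": 3, "category": "invoice_contacts", "name": "C", "email": "c@example.com",
     "collected": date(2016, 1, 1)},
    {"id": 4, "category": "web_analytics", "ip": "192.0.2.10", "collected": date(2024, 4, 1)},
    {"id": 5, "category": "web_analytics", "ip": "192.0.2.11", "collected": date(2024, 1, 15)},
]


def run_example():
    """Enforce the sample schedule against the sample records."""
    return enforce(SAMPLE_RECORDS, SCHEDULE, TODAY)


if __name__ == "__main__":
    kept, actions = run_example()
    for action, rec_id in actions:
        print(f"{action}: record {rec_id}")
    print("kept:", [r["id"] for r in kept])
```

Running the example with the sample data deletes records 2 and 3, anonymises record 5, and keeps records 1, 4 and the anonymised 5. Keeping the schedule as data that both documents the decision and drives the deletion job is what makes the policy a living document rather than a shelf copy; the unknown-category error is there so that new personal data categories cannot be processed without a retention decision.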

Understandably, this is a lot of information to take in. But don’t worry, DPOrganizer is here to help! You can register time limits (retention times) in our tool for each processing activity and data subject category. DPOrganizer’s Professional Services team can help you determine retention times and create a data retention policy for your organisation.

Now that you’ve learned more about the principle of storage limitation, in the next post we are going to dig deeper into another principle related to the purpose of your processing – the principle of data minimisation. Bye for now!
