Obligations regarding the storage and deletion of personal data
About the allowed retention period of information under data protection laws
As a general rule, the controller must not keep data containing personal data for longer than necessary.
The controller should set deadlines for deletion of personal data or for regular review.
When assessing whether the data is necessary to be preserved, it is necessary to consider what is the purpose of the preservation.
When that purpose is no longer available, the data is no longer necessary to be preserved and the data should be deleted.
Example
The retention of information on the personal identification number of an individual is considered necessary in order to ensure the safe identification of the individual in a particular business relationship.
When that business relationship is similar, the preservation can no longer be considered necessary for that specific purpose.
Personal data that are unreliable or incomplete, in relation to the purpose of their processing, shall be deleted or corrected without delay.
Data protection may also issue instructions for data destruction and this may result in administrative fines if such instructions are not complied with.
Authorization to keep information for longer
Personal data shall generally be stored in such a form that it is not possible to identify the data subject for longer than is necessary in relation to the purpose of the processing.
However, personal data may be stored for longer periods if the purpose of the retention is only:
for archiving in the public interest,
for research in the field of science or history
or if it is for statistical purposes and that appropriate security is ensured.
