Personal data must not be stored indefinitely – the retention period must be established according to the purpose of the processing. When the purpose is achieved, data should either be archived, deleted, or anonymized (e.g., to prepare statistics).
Retention of personal data can be divided into three successive phases:
Mechanisms for deleting personal data from the active database must ensure that data is only stored and accessible to operational services for as long as necessary to achieve the purpose of the processing.
Make sure that data is not simply marked as archived while still stored in the active database. Archived data (intermediate archive) should only be accessible to a specific entity responsible for accessing it and removing it from the archive if necessary.
Also ensure that access rules have been established for the archived data, as the use of the archive should be limited to specific and exceptional cases.
If possible, use the same method for data purging or anonymization as used to handle the right to deletion (see the sheet on exercising rights), to ensure uniform operation of your system.
Data regarding payroll administration or working time control can be retained for 5 years.
Data in a medical record must be retained for 20 years.
Data about a potential customer who does not respond to any inquiries can be retained for 3 years.
Log data can be retained for 6 months.
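An added example (not from the original page) of the purge mechanism described above, using the retention periods listed on this page: expired rows are physically moved out of the active table in one transaction instead of being flagged as archived. The table and column names, the `reference_date` starting point for each period, and the sample rows are assumptions.

```python
import calendar
import sqlite3
from datetime import date

# Retention periods in months, from the examples on this page.
RETENTION_MONTHS = {"payroll": 60, "medical_record": 240, "prospect": 36, "log": 6}
# Assumed schema. Two tables stand in for what would be a separate archive
# database with its own, narrower access rules.
SCHEMA = """
CREATE TABLE active  (id INTEGER PRIMARY KEY, category TEXT, payload TEXT, reference_date TEXT);
CREATE TABLE archive (id INTEGER PRIMARY KEY, category TEXT, payload TEXT, reference_date TEXT, archived_on TEXT);
"""

def months_before(today, months):
    """Calendar date `months` months before `today`, day clamped to month length."""
    year, month0 = divmod(today.year * 12 + today.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(today.day, last_day))

def purge_active(conn, today):
    """Move expired rows out of the active table; returns {category: rows moved}."""
    moved = {}
    with conn:  # one transaction: the copy and the delete commit or roll back together
        for category, months in RETENTION_MONTHS.items():
            cutoff = months_before(today, months).isoformat()
            conn.execute(
                "INSERT INTO archive SELECT id, category, payload, reference_date, ? "
                "FROM active WHERE category = ? AND reference_date < ?",
                (today.isoformat(), category, cutoff))
            cur = conn.execute(
                "DELETE FROM active WHERE category = ? AND reference_date < ?",
                (category, cutoff))
            moved[category] = cur.rowcount
    return moved

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows; reference_date is an ISO date, so string comparison is safe.
    conn.executemany("INSERT INTO active (category, payload, reference_date) VALUES (?, ?, ?)", [
        ("log", "login ok", "2023-10-01"),              # older than 6 months
        ("log", "login ok", "2024-05-20"),
        ("prospect", "alice@example.com", "2020-01-15"),  # older than 3 years
        ("payroll", "payslip", "2021-03-01"),
        ("medical_record", "consultation", "2010-06-30"),
    ])
    moved = purge_active(conn, date(2024, 6, 1))
    left = [r[0] for r in conn.execute("SELECT reference_date FROM active ORDER BY id")]
    return moved, left, conn.execute("SELECT COUNT(*) FROM archive").fetchone()[0]
```

Run `purge_active` from a scheduled job, and apply the same pattern to the archive table when its own retention period ends.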