Data retention period

Learn what shelf life is.

Definition of retention periods

Retention periods are one of the fundamental principles of personal data protection.

The principle of limited retention periods enshrines the right of individuals to be forgotten.

An obligation resulting from Article 5 of the GDPR:

  • Identifiable form

    • Personal data may be retained in a directly or indirectly identifying form indefinitely by organizations within certain limits.

  • Necessary for the purposes

    • Data must be processed for a limited period of time, in a manner consistent with the objective pursued (i.e. the purpose).

A requirement for documentation in the record provided for in Article 30 of the GDPR:

An obligation to provide information to data subjects under Articles 13 and 14 of the GDPR:

It is thus necessary to determine :

  • A fixed retention period, according to the life cycle of the data.

  • An objective criterion used to determine this duration.

The data life cycle

The data life cycle can be broken down into three stages:

The French CNIL guide on retention periods (in French) provides clarification on the documentation to be provided on retention periods:

  • The record in which the processing activities and the related retention periods must appear;

  • A reference document centralizing, for example in the form of a table, the duration of the different phases of the data's life for each processing operation (the SIAF's recommendations can be included, if necessary, in the structure's internal archive management tables);

  • The different actions undertaken, including if these actions are still in progress;

  • The written instructions given to the subcontractor regarding time limits;

  • The possible procedures for archiving data, and in particular in the case of compulsory payment for the definitive archiving of public records (payment slip, etc.);

  • The procedure for the destruction of data, if applicable (e.g.: disposal slip, etc.);

  • Authorization management policy and authorization matrix for archiving, etc.

With Dastra, enter the different life cycles of the data and adapt the retention periods to each dataset created.

How to determine them?

By applying the data protection principle from the outset:

  • Define precisely the purpose, i.e. what the personal data will be used for;

  • The different life cycles of this data, the applicable time periods, and the data concerned;

  • Identify the people who will need to process the data during current use, and those in case of intermediate storage;

  • Ensure traceability of access to archived data;

  • Provide for an automatic and selective data purge procedure (for public records, this purge is subject to the authorization of the person responsible for scientific and technical control);

  • If an anonymization process is contemplated, ensure that the data will not allow the data subjects to be "re-identified" at the end of the process.

Where to find the references? (in France)

  • Rely on legal or regulatory provisions

  • The deliberations of the CNIL

  • For public archives, the recommendations of the Archives de France

  • Sector-specific references

If no text or standard provides solutions, it's necessary to determine the duration best suited to the purpose of the processing in accordance with the principle of responsibility.

Who is involved?

  • The department in charge of implementing the processing (which may be a subcontractor) will provide all the elements needed to understand its needs and, thus, to determine the period of current use of the data concerned;

  • The Data Protection Officer (DPO) is the privileged interlocutor when he/she has been appointed; he/she is in charge of ensuring the compliance of the processing implemented within the structure, as well as of advising the data controller;

  • The organization's internal archive, if any, can provide insight into data retention practices for the treatment in question (data life cycle management, etc.);

  • An advisor, whether internal to the structure (e.g. a company's legal department), or external (e.g. a lawyer, a digital services company, etc.). The latter can, in particular, help to target the possible applicable legislative or regulatory provisions;

  • The professional federation to which the data controller belongs can provide support to its network in determining retention periods.

In the public sector (for public structures and for private organizations responsible for a public service mission), the contacts to be favored are the territorially competent departmental archives service (for decentralized services and local authorities and their groupings), or the archives mission of the ministry in charge (for central administration services). These contacts can inform the organization about the obligations that apply to it, and guide it in their implementation (determination of the time limit and final disposition).

How to control?

The practical implementation of retention periods must be checked regularly. Regular audits are therefore necessary. The DPO has the task of controlling the processing operations including the retention periods.

Dastra's Audit feature is ideal for this:

For more information

Last updated