Personal data are stored in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Organizations will have to take into account the wide range of rights enjoyed by data subjects in the framework of the GDPR and how this may affect their data retention considerations.
It is therefore recommended to identify the organization's categories of data subjects and to specify them for each of the processing purposes.
The controller should formulate a policy to:
- establish retention periods that apply to the data processed for each purpose;
- implement an appropriate retention policy;
- comply with the retention policy and monitor that compliance.
Such policies should at least answer the following questions:
- Which categories of stakeholders and personal data are covered by the principle of storage restriction?
- Who is responsible for those data categories?
- Who has specific obligations under the policy regarding storage restriction?
- In addition to data protection legislation, which other rules, codes or practices should be considered when formulating the storage restriction policy?
- When may data lawfully be stored and when should they be deleted?
- When should certain data be exempted from the principle of storage restriction, e.g. in connection with a pending case in court?