Published on 17 June 2022 (Updated 29 February 2024)
Under the GDPR, personal data must not be kept longer than necessary for the purpose for which the company collected it.
Definitions and explanations.
Once that purpose is served, you must delete or archive the personal data by anonymizing it.
The obligation to archive or delete data is recent, and many people are still unaware of it. It requires a “data retention policy,” which must be communicated to the CNIL in the event of an inspection.
Once the authorized archiving period has expired, it will also be necessary to be able to demonstrate the effective deletion of data in accordance with this policy.
The company must then determine a retention period for the data collected. Sometimes a law requires a specific period. When this is not the case, the duration depends on the nature of the data and the objectives pursued.
The different types of data
1 – Sensitive data
As defined in Article 9 of the GDPR, this data corresponds to personal data revealing ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data processed for the purpose of uniquely identifying a natural person. Moreover, the processing of data concerning the health, sex life or sexual orientation of a natural person is prohibited.
2 – Non-sensitive data
Non-sensitive data are all other data that can be collected, such as name, surname, date of birth, sex, etc.
How long should personal data be kept?
1 – The principle of limiting the retention period
There is a general principle set out in Article 5 of the GDPR, which requires each data controller to determine a consistent and justified retention period for personal data in relation to the purpose of the processing. Therefore, an organization cannot keep personal data indefinitely, except in certain limited and specific cases where the retention is strictly necessary.
2 – The different phases of the data life cycle
The life cycle of a piece of data can be broken down into three successive phases:
- Current use, or “active base”: This mainly covers personal data collected by the departments in charge of implementing the processing. The data is accessible in the immediate work environment to all those in charge of handling current affairs.
- Intermediate storage: In this phase, personal data is no longer used to meet the purpose for which it was collected but is still of administrative interest to the organization, or must be retained to meet a legal obligation. In this case, the data can be consulted from time to time by specifically authorized persons.
- Final archiving: Here the data is archived for an unlimited period of time. This phase concerns only processing carried out for archival purposes in the public interest. It essentially involves the public sector subject to the provisions of Book II of the French Heritage Code.
3 – Some examples
FIXED DURATION
- 1 month: Retention period of video surveillance images;
- 5 years: Retention period of copies of payslips from the date of their delivery to the employee;
- 10 years: Retention period of data contained in medical files starting from the consolidation of the damage.
DURATION LINKED TO THE OBJECTIVE TO BE ACHIEVED
- until the liquidation of retirement rights: retention period of certain data contained in the personnel management files of a company;
- until the end of a commercial relationship (i.e., after a purchase, the expiration of a guarantee, the end of a service contract, the last contact from a customer);
- until the end of the legal time limits: data needed to establish proof of a right or of a contract, or kept to comply with a legal obligation, which can be archived in accordance with the provisions in force (in particular those laid down in the Commercial Code, the Civil Code and the Consumer Code).
What happens next?
At the end of the retention period defined to serve a specific purpose, known as the “active base,” personal data must be deleted, anonymized, or archived.
Some temporary archiving may be necessary to meet certain warranty obligations or legal claims. This period can be described as an “intermediate data archiving phase.” In addition, this data must be kept separate from the data in the active database.
Certain data types must never be deleted, especially if they are of public, historical, scientific or statistical interest, such as data regarding civil status. They are, therefore, subject to “permanent archiving,” which is strictly regulated by law.
That’s it! You now know everything about data retention.