Key References:

  • Art. 5(1)(e)
  • UK ICO Guidance
  • CJEU Case: Digital Rights Ireland (Case C-293/12)

Art. 5

1. Personal data shall be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Data Retention

  • Pursuant to Art. 5 (c), (d) on data minimisation and accuracy principles, data should be processed and retained only until it is necessary.
  • The UK ICO advocates controllers and processors to have a Retention Policy which includes:
    • setting retention schedules,
    • periodically reviewing data, and
    • either erasing or anonymizing personal data.
  • The ICO states that while the GDPR does not dictate the time period for retention, controllers and processors must be able to justify data retention based on their purpose of processing.
  • Note:
    • Erasure is processing: pursuant to Art. 4(2), definition of processing, data storage, erasure, destruction are data processing. Therefore, processors that engage in data retention or erasure on behalf of controllers are required to comply with the GDPR.
    • Anonymous data is not subject to GDPR. See Recital 26.

Data Archiving

  • GDPR permits data retention for a limited number of purposes which include:
    • public interest archiving,
    • scientific or historical research, or
    • statistical purposes
  • Art. 89(1) states that data retained for the above purposes may be pseudonymised to ensure security.

Digital Rights Ireland v Minister for Communications, Marine and Natural Resources & Ors (Case C-293/12)

  • Digital Rights Ireland challenged the validity of Directive 2006/24/EC that required retention of metadata of electronic communications of EU citizens for law enforcement and national security purposes. It argued that the Directive violated Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
  • The CJEU ruled that the Data Retention Directive was invalid for failing to respect the right to private life and to the protection of personal data.