A GDPR data retention policy is not optional. Art. 5(1)(e) GDPR requires that personal data be kept no longer than necessary for the purposes for which it was collected. Yet in enforcement practice, the absence of a documented retention policy is one of the most frequently cited violations. The CNIL alone issued fines in 14 separate decisions in 2024 where inadequate retention documentation was an aggravating factor. This guide covers what a compliant retention policy must contain, how to structure retention periods, and what enforcement authorities actually look for.
Key Takeaways
- Art. 5(1)(e) GDPR mandates that personal data must not be kept longer than necessary – controllers must define and document specific retention periods.
- A GDPR data retention policy must cover every processing activity, link each to a defined retention period, and specify the legal basis for that period.
- There is no single EU-wide retention period; periods depend on the purpose, applicable sector legislation, and national law.
- DPAs treat the absence of a documented retention policy as a standalone violation, not merely an aggravating factor.
What Art. 5(1)(e) GDPR Requires
The storage limitation principle under Art. 5(1)(e) GDPR states that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” This principle works in tandem with Art. 5(2) GDPR, which requires controllers to demonstrate compliance – meaning a retention policy must be documented, not just understood internally.
Art. 13(2)(a) and Art. 14(2)(a) GDPR further require that data subjects be informed of retention periods or the criteria used to determine them. If you cannot state your retention period in your GDPR privacy policy, you likely do not have one.
The EDPB Guidelines 04/2019 on Art. 25 (Data Protection by Design and by Default) emphasize that storage limitation must be built into system architecture, not bolted on as an afterthought. Controllers must implement automated deletion or anonymization mechanisms where feasible.
What a GDPR Data Retention Policy Must Contain
A compliant GDPR data retention policy is a formal document that maps every category of personal data to a defined retention period. At minimum, it must include:
1. Inventory of processing activities. Each processing activity from your record of processing activities (ROPA) must appear in the retention policy with its associated data categories.
2. Retention period per data category. Each category of personal data must have a specific retention period, expressed in months or years. “As long as necessary” without further specification does not satisfy Art. 5(1)(e). The CNIL has repeatedly rejected retention periods stated as “until the data subject requests deletion” – see CNIL Deliberation SAN-2022-009, 13 January 2022, EUR 300,000 fine against Dedalus Biologie, where retention of medical data without defined limits was cited as a core violation.
3. Legal basis for each retention period. The policy must explain why each period was chosen. Sources include:
- Statutory requirements (e.g., French Commercial Code Art. L.123-22 requires accounting records for 10 years)
- Contractual necessity (e.g., data needed for contract performance)
- Legitimate interest with documented balancing test
- Sector-specific regulation (e.g., AML requirements under Directive 2015/849 mandate 5-year retention)
4. Procedures for deletion or anonymization. The policy must describe what happens when a retention period expires: deletion, anonymization, or archiving under Art. 89(1) GDPR safeguards.
5. Responsibilities. Assign who is responsible for executing retention schedules – typically the DPO or a designated compliance coordinator.
6. Review cycle. The policy must specify how often it is reviewed and updated, typically annually or when a new processing activity is added.
How to Document Retention Periods
Documenting retention periods requires a structured approach that avoids two common failures: being too vague (“reasonable period”) and being too rigid (one period for all data).
Step 1: Map purposes to data categories
Start from your ROPA. For each processing activity, identify the personal data categories involved and the purpose. Example: “Customer support – email address, name, ticket content – purpose: resolving customer inquiries.”
Step 2: Identify applicable legal requirements
For each data category, check whether national or sector legislation prescribes a minimum or maximum retention period. Common examples in EU member states:
| Data category | Typical retention | Legal basis |
|---|---|---|
| Employment records | 5 years after departure (FR) | French Labour Code Art. L.3243-4 |
| Accounting records | 10 years (FR, DE) | Commercial Code requirements |
| Tax documents | 6-10 years | National tax legislation |
| CCTV footage | 30 days maximum (FR) | CNIL recommendation, Labour Code |
| Marketing consent records | Duration of relationship + 3 years | CNIL recommendation |
| Customer contract data | Duration of contract + statute of limitations | Civil Code limitation periods |
Step 3: Apply the necessity test
Where no statutory period exists, the controller must apply the necessity test under Art. 5(1)(e): how long is the data actually needed to achieve the stated purpose? Document the reasoning. A customer support ticket may need to be retained for 2 years to handle follow-up claims; retaining it for 10 years without justification violates storage limitation.
Step 4: Implement technical controls
Retention periods without automated enforcement are aspirational. Configure deletion or anonymization rules in your systems. Legiscope’s automated retention tracking generates alerts when data categories approach their defined expiry, reducing the risk of retention violations across your processing inventory.
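The four steps above in executable form, added here as an example (not code from the page or from Legiscope): a retention schedule keyed by processing activity, an expiry computed from each record's trigger event, and a check that returns the action due, with a legal-hold exception and a flag for activities the schedule does not cover. Schedule entries, periods, dates and ids are constructed for illustration only.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (Steps 1-3): months counted from the record's
# trigger event, the legal basis, and the action due at expiry. Illustrative only.
SCHEDULE = {
    "employment_records": {"months": 60, "basis": "Labour Code Art. L.3243-4", "action": "delete"},
    "accounting_records": {"months": 120, "basis": "Commercial Code Art. L.123-22", "action": "archive"},
    "support_tickets": {"months": 24, "basis": "necessity test: follow-up claims", "action": "anonymize"},
}
@dataclass
class Record:
    activity: str
    subject_id: str
    trigger_date: date        # departure, fiscal year end, ticket closure, ...
    legal_hold: bool = False  # pending litigation or investigation exception

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def evaluate(record: Record, today: date) -> str:
    """Action due today: 'undocumented', 'retain', 'hold', or the scheduled action."""
    entry = SCHEDULE.get(record.activity)
    if entry is None:
        return "undocumented"  # in the ROPA but absent from the policy: a Step 1 gap
    if today < add_months(record.trigger_date, entry["months"]):
        return "retain"
    if record.legal_hold:
        return "hold"          # an extension that must itself be documented and reviewed
    return entry["action"]

def run_schedule(records, today: date) -> dict:
    """Group subject ids by the action due: the input to an automated deletion job."""
    due = {}
    for r in records:
        due.setdefault(evaluate(r, today), []).append(r.subject_id)
    return due

# Constructed sample records; run_schedule(RECORDS, date(2025, 1, 15)) evaluates them.
RECORDS = [
    Record("employment_records", "emp-001", date(2019, 3, 31)),
    Record("employment_records", "emp-002", date(2019, 3, 31), legal_hold=True),
    Record("accounting_records", "inv-2014", date(2014, 12, 31)),
    Record("support_tickets", "tkt-9", date(2024, 6, 1)),
    Record("cctv_footage", "cam-1", date(2025, 1, 1)),
]
```

Each action group is what an automated job would act on; the "undocumented" and "hold" groups are the ones to report to the DPO rather than process.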
GDPR Data Retention Policy Template Structure
The following template structure satisfies regulatory expectations and can be adapted to any organization:
Section 1: Scope and objectives. Define which entities, systems, and data types the policy covers.
Section 2: Definitions. Align with GDPR Art. 4 definitions – personal data, processing, controller, processor.
Section 3: Retention schedule. A table mapping each processing activity to: data categories, retention period, legal basis, deletion method, and responsible person.
Section 4: Archiving rules. Where data is archived rather than deleted, document the Art. 89(1) safeguards applied.
Section 5: Data subject rights. Cross-reference the right to erasure under GDPR and how retention periods interact with deletion requests.
Section 6: Exceptions. Document circumstances where retention may be extended (e.g., pending litigation, regulatory investigation).
Section 7: Review and governance. Annual review schedule, approval process, version control.
How DPAs Enforce Retention Obligations
Supervisory authorities across Europe have made storage limitation a priority enforcement area. The pattern is consistent: organizations that cannot produce a documented retention policy face fines, regardless of whether actual harm occurred.
CNIL Deliberation SAN-2023-025, 12 October 2023, EUR 600,000 fine against SAF LOGISTICS. The CNIL found that the company retained customer data for over 7 years after the last commercial interaction, with no documented retention policy and no automated deletion process. The absence of a formal GDPR data retention policy was treated as an independent violation of Art. 5(1)(e).
ICO Enforcement Notice, 17 March 2023, against NHS Trust. The ICO found that patient records were retained indefinitely despite NHS retention schedules requiring specific disposal timelines. The enforcement notice required implementation of a documented retention policy within 6 months.
AEPD Decision PS/00547/2021, 15 September 2022, EUR 70,000 fine against Vodafone Spain. The AEPD found that customer data was retained for 10 years after contract termination, exceeding the 6-year statutory retention period by 4 years, with no documented justification.
BfDI Decision, November 2023, against 1&1 Telecom. The German federal DPA identified that call center recordings were retained for up to 6 months without a documented retention assessment, violating Art. 5(1)(e) GDPR.
The common thread: it is not enough to have retention periods in someone’s head. They must be written down, tied to legal justifications, and technically enforced.
Common Mistakes in GDPR Data Retention Policies
Mistake 1: One retention period for all data. Applying a blanket 5-year retention to all personal data ignores the purpose-specific nature of Art. 5(1)(e). Different data categories serve different purposes and must have different periods.
Mistake 2: Confusing archiving with active storage. The CNIL distinguishes between active databases, intermediate archives, and definitive archives. Data moved to an intermediate archive must still have a defined expiry and restricted access.
Mistake 3: Ignoring processor retention. Your data processing agreements must include retention obligations. If your processor retains data longer than your policy permits, you are liable as controller under Art. 24 GDPR.
Mistake 4: No review mechanism. A retention policy created in 2018 and never updated does not reflect current processing activities. DPAs expect annual reviews at minimum.
Legiscope automates retention policy management by mapping your processing activities to applicable legal retention requirements and generating alerts when data categories approach their defined retention limits. See how Legiscope automates GDPR compliance documentation.
FAQ
What happens if my organization has no GDPR data retention policy?
DPAs treat the absence of a documented retention policy as a violation of both Art. 5(1)(e) (storage limitation) and Art. 5(2) (accountability). Fines have been imposed even where no data subject complaint triggered the investigation. The CNIL has issued fines ranging from EUR 70,000 to EUR 600,000 specifically for retention failures.
Can I use “until the data subject requests deletion” as a retention period?
No. The CNIL explicitly rejected this approach in multiple decisions, including SAN-2022-009 against Dedalus Biologie. Art. 5(1)(e) requires the controller to proactively define retention periods, not shift that burden to data subjects. The right to erasure under Art. 17 is a separate mechanism that operates independently of retention schedules.
How does a GDPR data retention policy relate to the ROPA?
The ROPA under Art. 30(1)(f) GDPR must include “where possible, the envisaged time limits for erasure of the different categories of data.” The retention policy is the detailed document that supports those ROPA entries. They must be consistent – if your ROPA states 3 years for customer data, your retention policy must document the legal basis for that 3-year period.
Do retention periods differ between EU member states?
Yes. While Art. 5(1)(e) GDPR applies uniformly, the statutory retention periods that justify specific timeframes vary by national law. French accounting records must be kept for 10 years; German tax records for 10 years; Spanish commercial records for 6 years. A GDPR data retention policy for a multinational must account for the longest applicable statutory period per jurisdiction where data is processed.