What does “storage limitation” mean under EU Data Protection law?

Golden Data Law, published Jan 22, 2019 (6 min read)
Image: the Long Room Library at Trinity College Dublin, 1885 (National Library of Ireland).

There are seven basic data protection principles under EU data protection law. The principles lie at the heart of the law and, although they don’t give hard and fast rules, they embody the spirit of the regulatory framework. Therefore, compliance with the principles is a fundamental building block to any good data protection practice. The seven principles are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

The fifth principle is the principle of “storage limitation” (GDPR Article 5(1)(e)).

Article 5 of GDPR

(1) Personal data shall be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

The principle of “storage limitation”

EU data protection law does not set specific time limits for different types of data but requires that controllers and processors set limits based on the purposes of the processing.

Setting limits to storage, with clear policies on retention periods and erasure, is not only a data protection principle but also good data governance. Erasing or anonymising personal data that is no longer needed reduces risk and helps comply with the data minimization and accuracy principles. It also reduces the burden of dealing with queries about retention and with individual requests for erasure. Controllers must also respond to subject access requests for the data they hold, which is more difficult if old data is kept for longer than needed.

In order to determine retention periods, organizations must consider several factors including to what extent they need to keep a record of a relationship with an individual once that relationship ends, to what extent they need to keep information to defend themselves from possible future legal claims, industry standards and guidelines, and any legal or regulatory requirements. Unless there is some reason for keeping it, personal data should be deleted or anonymized.

Example

A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons for a further set time.

Example

A bank may need to retain images from a CCTV system installed to prevent fraud at an ATM machine for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement. In contrast, a pub may only need to retain images from their CCTV system for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the pub will need to retain images until the police have time to collect them.

Example

An employer should review the personal data it holds about an employee when they leave the organization’s employment. It will need to retain enough data to enable the organization to deal with, for example, providing references or pension arrangements. However, it should delete personal data that it is unlikely to need again from its records — such as the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.

Example

A business receives a notice from a former customer requiring it to stop processing the customer’s personal data for direct marketing. It is appropriate for the business to retain enough information about the former customer for it to stop including that person in future direct marketing activities.

The word ‘deletion’ can mean different things in relation to electronic data but, from the point of view of data protection law, the key issue is to ensure that the data is put beyond use.

  • It is important to note that there is a difference between permanently deleting personal data and taking it offline. If personal data is stored offline, this should reduce its availability and the risk of misuse or mistake but it still constitutes processing. Storing it offline is only permitted under EU data protection law where the entity has a valid purpose for holding the data.

Anonymising data so that it is no longer “in a form which permits identification of data subjects” is an alternative to erasure.

  • Personal data that has been pseudonymised (e.g. key-coded) will usually still permit identification. Therefore, although pseudonymisation may be a valid tool for compliance with data minimisation and security, it does not equate to erasure for the purposes of storage limitation.

Although the general rule is that data cannot indefinitely be held ‘just in case’ it might be useful in future, there is an inbuilt exception for data kept for archiving (archiving purposes in the public interest), research (scientific or historical research purposes) or statistical purposes. Appropriate safeguards must be in place to protect individuals (e.g. pseudonymisation).

What is a ‘retention policy’?

Retention policies or retention schedules list the types of record or information held, what they are used for, and how long they are to be kept. These help you establish and document standard retention periods for different categories of personal data.

A retention schedule may form part of a broader ‘information asset register’ (IAR), or your general processing documentation.

To comply with GDPR documentation requirements under Article 30, it is necessary to establish and document standard retention periods for different categories of information held. It is also advisable to have a system for ensuring the organization adheres to the retention periods in practice, and for auditing retention at appropriate intervals.

Small organizations undertaking occasional low-risk processing may not need a documented retention policy, but they should regularly review the data they hold and delete or anonymize what is no longer needed.

What is new under GDPR?

Changes from Directive to GDPR

ICO Checklist

The Information Commissioner’s Office website includes a helpful Checklist that summarizes this principle:

Consequences of non-compliance

Failure to comply with data protection principles may lead to substantial fines. Article 83(5)(a) of GDPR states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

NOTES:

Other relevant provisions on this topic include Article 17(1)(a), Article 30(1)(f) and Article 89 of GDPR, together with Recital 39.

Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.