GDPR : Managing Data retention periods for personal data

Discover the keys to perfect GDPR compliance. Understand the nuances of managing Data retention periods for personal data, between deletion, archiving, and legal limits.

The General Data Protection RegulationGDPR) establishes fundamental principles governing the processing of personal data, among which Data retention periods frequently raise questions.

1 - Data retention retention periods: a legal and regulatory framework

 Data retention periods may be defined by legal or regulatory requirements, such as Data retention of invoices for 10 years (Article L123-22 of the French Commercial Code) or of the single personnel register for 5 years after the employee's departure (Article R1221-26 of the French Labor Code).

The CNIL (National Commission for Information Technology and Civil Liberties) also intervenes by setting specific durations, for example, statistical cookies can be kept for 13 months according to Deliberation n°2020-092 of September 17, 2020 of the CNIL (National Commission for Information Technology and Civil Liberties) Similarly, prospect data collected directly may be kept for 3 years from the last contact with the prospect, in accordance with CNIL (National Commission for Information Technology and Civil Liberties)) Simplified Standard n°48.

2 - Variations according to qualification: Data controller or processor

 Data retention periods vary depending on whether the entity is a data controller or a data processor. A data controller complies with Data retention periods for data it processes on its own behalf.

On the other hand, a processor, in accordance with Article 28 of the GDPR, is obliged to delete all client data at the end of the contractual relationship. This obligation, while clear on the surface, requires careful analysis in light of other binding obligations on the company.

3 - Limits to data deletion obligations

Any request for the deletion of data is subject to limits determined by the company's rights and obligations, in particular limitation periods, legal or regulatory obligations, as well as reasons of public interest.

Data deletion under Article 17 of the GDPR must be exercised with care, taking into account these various constraints. To illustrate this concretely, let's take a few concrete examples: 

• A prospect requests the deletion of his data: due to legal obligations, it may be necessary to keep a record of his refusal, if only to avoid sending him unwanted solicitations. 
• A client requests the deletion of his or her data: Similarly, in the case of a client, the request for total data deletion may be hampered by legal obligations linked to invoice Data retention . It is imperative to respect these constraints while ensuring GDPR compliance.

The management of suppression requests must be adapted to the specificities of each situation, taking into account the multiple legal and regulatory facets that frame these processes.

4 - Distinction between deletion and archiving

Contracts and legal texts often refer simply to the deletion of data.

This underlines the importance of remembering the definition of a processor, which can be a natural or legal person processing personal data on behalf of the controller.

In reality, the deletion process is only immediate in certain cases. Many data must undergo archiving phases before being permanently deleted. Understanding these nuances is essential to ensure full compliance with GDPR requirements for managing Data retention periods for personal data.

✅ In short, managing these Data retention periods is a complex challenge, requiring a thorough understanding of legal, regulatory and contractual obligations. Ideally, for a case-by-case assessment, it is advisable to refer to your DPO (Délégué à la Protection des Données), who will be able to provide specific expertise tailored to each situation.