
GDPR: The Mystery Regarding the Personal Data Retention Period to Be Resolved by the GDPR Detective

The Detective has been assigned a new case. The Detective needs to establish whether company ABC, which processes e-mail addresses to send marketing offers, is retaining personal data for longer than it should. Is the company prepared for the changes that take effect in May 2018? What measures does the company need to take to meet the GDPR requirements? Does your company recognise itself in this mystery?

To be in line with the GDPR (General Data Protection Regulation), the company must be able to state, for each purpose, how long personal data are to be retained. Personal data include (among other things) e-mail addresses, which is exactly what company ABC handles.

Why are e-mail addresses processed by ABC?

  • To send marketing offers;
  • To contact clients as regards the provision of services arising from concluded contracts; and
  • To protect legitimate interests of the company (for the necessary period, the company retains the originals of concluded contracts with its customers including an e-mail address due to the potential risk of legal disputes).

The Detective knows that the main lead in this case is the “storage limitation principle”. Under this principle, personal data may be retained only for as long as is necessary for the purpose for which they are processed. Where no law or ruling sets a retention period after which the personal data must be deleted or anonymised, the personal data controller must itself determine the retention rules, separately for each purpose of processing. If the same personal data are processed for several purposes, they may be retained until the longest of the applicable retention periods has expired; once a shorter period runs out, the data may no longer be used for that purpose, even though they are still held for another.

Three pieces of advice from the GDPR Detective: measures to be taken in your company as well:

  1. For each purpose of processing, determine the period over which personal data need to be processed for that purpose. This period is typically found in legal regulations, rulings and standards of the authorities, and the recommendations of the data protection authority.
  2. Set up your processes and systems so that the relevant personal data are always erased, automatically or manually, once the respective period has expired. Because one purpose may expire long before another, the system must track expiry per purpose, not only per record.
  3. Please note that erasure of personal data means erasing every form of the data in question: not only the records in IT systems (including copies in backups and exports) but also, for example, the physical shredding of paper documents.

Company ABC already has an idea of how it should handle the period of personal data retention. After seeing the detective, it has decided that…

  • Marketing offers will be sent for one year after the contractual relationship between the company and the respective client ends (the consent to personal data processing will state this period).
  • With regard to the services provided under a contract, clients will be contacted only for the duration of the contractual relationship between the company and the respective client, not afterwards.
  • The originals of contracts with clients will be retained by the company for 10 years after the contractual relationship between the company and the respective client has ended, which matches the limitation period for all potential claims arising from the contract.
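The following is an added example, not part of the original article and not company ABC's own system, showing how the three retention decisions above can be enforced automatically as the second piece of advice requires. It assumes a simple client record that carries the date the contract ended and the set of purposes for which the e-mail address is still held; the purpose names, the data model and the sample records are this example's assumptions. Each run drops every purpose whose period has expired and erases the e-mail address only when no purpose remains, which is the "longest period" rule in code.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention period (whole years after the contract ends) per purpose of
# processing, using the figures company ABC settled on. The purpose names
# and everything else in this file are this example's own assumptions.
RETENTION_YEARS = {
    "marketing": 1,           # offers may be sent for one year after termination
    "service_contact": 0,     # contact only for the duration of the contract
    "contract_original": 10,  # limitation period for claims under the contract
}


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary is clamped to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ClientRecord:
    client_id: str
    email: Optional[str]
    contract_ended: Optional[date]            # None while the contract is active
    purposes: set = field(default_factory=set)  # purposes still justifying retention


def purpose_expiry(purpose: str, contract_ended: date) -> date:
    """Last day on which the e-mail address may be used for this purpose."""
    return add_years(contract_ended, RETENTION_YEARS[purpose])


def retention_expiry(rec: ClientRecord) -> Optional[date]:
    """Storage limitation: the address may be kept until the LONGEST of the
    per-purpose periods has run out. None means no expiry is known yet."""
    if rec.contract_ended is None or not rec.purposes:
        return rec.contract_ended
    return max(purpose_expiry(p, rec.contract_ended) for p in rec.purposes)


def enforce_retention(records, today: date):
    """Drop each purpose whose period has expired; once none remain, erase the
    e-mail address. Returns the actions taken so they can be written to an
    audit log (the erasure itself must be proven, not just scheduled)."""
    actions = []
    for rec in records:
        if rec.contract_ended is None:
            continue  # active contract: nothing has expired
        for p in sorted(rec.purposes):  # sorted() copies, so discarding is safe
            if today > purpose_expiry(p, rec.contract_ended):
                rec.purposes.discard(p)
                actions.append(("drop_purpose", rec.client_id, p))
        if not rec.purposes and rec.email is not None:
            rec.email = None  # erase; an anonymisation step could go here instead
            actions.append(("erase_email", rec.client_id))
    return actions


def run_demo() -> dict:
    """Constructed sample data: one client whose contract ended on the day the
    GDPR took effect, one still under contract. Returns results for inspection."""
    ended = ClientRecord("A", "a@example.com", date(2018, 5, 25),
                         {"marketing", "service_contact", "contract_original"})
    active = ClientRecord("B", "b@example.com", None, {"marketing"})
    expiry = retention_expiry(ended)
    first_run = enforce_retention([ended, active], date(2019, 6, 1))
    email_after_first_run = ended.email
    second_run = enforce_retention([ended, active], date(2028, 6, 1))
    return {
        "longest_expiry": expiry.isoformat(),
        "first_run": first_run,
        "email_after_first_run": email_after_first_run,
        "second_run": second_run,
        "email_after_second_run": ended.email,
        "active_client_email": active.email,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running the demo shows the two-stage behaviour: in June 2019 the marketing and service-contact purposes are dropped while the address is still kept for the contract original, and only in June 2028, after the ten-year limitation period, is the address erased. A production job would read the records from the real store and also cover the backup and paper copies mentioned in point 3, which this script cannot reach.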

Are you facing a similar or an entirely different case? Make an appointment with the Detective and order our online application GDPR Detective. Our private eye will solve personal data protection mysteries for you!

