This is the retention problem. Data accumulates by default. Deletion requires a decision, a schedule, and a system that actually enforces it. GDPR Article 5(1)(e) — the storage limitation principle — makes that inertia a compliance failure. France's CNIL fined Free Mobile €27 million in early 2026 specifically for retention failures. A Polish bank was fined the same year for processing data beyond what its stated purposes required. These were not breach cases. No data was stolen. The organizations simply kept personal data longer than they had any legal basis to hold it.

TL;DR

• GDPR Article 5(1)(e) requires personal data to be kept no longer than necessary for the purpose it was collected for. This is an active, enforceable obligation — not a principle to aspire to.
• GDPR does not prescribe specific retention periods. Organizations must define them, document them, justify them against a lawful basis and a stated purpose, and actually enforce them through deletion or anonymization.
• The retention schedule is one of the first documents supervisory authorities request during an inspection. "We haven't gotten around to deleting it" is not a defensible answer.
• Retention obligations flow to processors. Your vendors must delete data when their contractual period expires, and you are responsible for ensuring they do

What the Storage Limitation Principle Actually Requires

GDPR Article 5(1)(e) states that personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." That sentence contains the entire compliance obligation, and unpacking it reveals the three questions every retention decision must answer.

First: what is the purpose? Personal data can only be retained as long as the purpose for which it was collected remains active. When that purpose ends, the legal justification for holding the data ends with it. Data collected to fulfill a contract can be retained for as long as the contract is live and through the applicable limitation period for legal claims. Data collected under consent for marketing can be retained until the consent is withdrawn. Data collected to comply with a legal obligation — tax records, accounting documents — can be retained for the period that legal obligation specifies, even if consent would otherwise have lapsed.

Second: is it still necessary? "Necessary" is judged against the declared purpose at the time of collection, not against any future use the organization might imagine. Retaining behavioral analytics data because it might be useful for a model you have not decided to build yet is not a lawful basis for retention. Retaining customer purchase history because the customer might someday make another purchase is not a lawful basis for indefinite retention. The test is whether the data is actively necessary for the specified purpose — not whether it might theoretically have value.

Third: is it still in a form that permits identification? This is where anonymization enters. Data that has been irreversibly anonymized — rendered incapable of identifying an individual directly or indirectly, with no re-identification possible — falls outside the GDPR's scope. Truly anonymized data can be retained indefinitely. Pseudonymized data, which can be re-linked to an individual using a separately held key, remains personal data and remains subject to retention limits. The standard for genuine anonymization is high and must be documented — organizations that claim data is anonymized without robust technical measures backing that claim are exposed to enforcement challenge.

The accountability principle under Article 5(2) means that organizations must be able to demonstrate compliance with the storage limitation principle, not just declare it. Maintaining a data map that documents every processing activity, its purpose, its lawful basis, and the retention period tied to that purpose is both a legal requirement under Article 30 and the operational foundation without which retention compliance is impossible to implement consistently.

How Retention Connects to Lawful Basis

Retention periods are not independent of lawful basis — they are derived from it. Each lawful basis for processing implies a natural endpoint at which the justification for holding the data expires, and that endpoint defines the maximum retention period.

Processing under contractual necessity allows retention for the duration of the contract and through the applicable limitation period for legal claims arising from the contract. Across EU member states, civil limitation periods typically range from three to six years. A SaaS platform that processes customer data to deliver its service can retain that data throughout the subscription and for a defensible post-termination period — typically aligned with the jurisdiction's contractual limitation period. Once that period expires, the original contractual justification is gone.

Processing under legal obligation produces the clearest retention periods because external law specifies them. Tax and accounting records are commonly subject to six- to seven-year retention mandates across EU member states. Employment and payroll records typically carry statutory retention of five to six years after the employment relationship ends, though the specific period varies by jurisdiction. Where a legal obligation mandates retention, it overrides both consent withdrawal and deletion requests — a data subject cannot successfully request erasure of an invoice that your VAT obligations require you to keep.

Processing under legitimate interests requires a documented balancing test that assesses whether the organization's interest outweighs the data subject's privacy rights, and that test includes an assessment of how long retention is proportionate. An organization that has run a legitimate interests assessment (LIA) justifying behavioral profiling for fraud detection cannot simply retain that profiling data indefinitely — the LIA must be tied to a specific retention period that is proportionate to the stated risk management purpose.

Processing under consent creates the most operationally sensitive retention obligation. Consent-based processing must cease when consent is withdrawn, and the personal data collected solely on that basis must be deleted when the consent is withdrawn unless another lawful basis independently justifies continued retention. Marketing email lists built on consent must be deleted — not just suppressed — when a subscriber unsubscribes, unless a separate legitimate interest in retaining a suppression record to honor the opt-out can be documented. Processing subject to the GDPR's right to erasure intersects directly with consent-based retention — when consent lapses or is withdrawn, the erasure obligation is triggered unless a different lawful basis applies.

Retention Periods by Data Category: Practical Examples

GDPR does not publish a schedule of retention periods. What it requires is that organizations document and justify their own schedules. The following periods represent common practice, but every organization must verify them against its specific purposes, the applicable national law overlay, and its documented lawful basis.

Customer account and contractual data is typically retained for the duration of the account relationship plus the applicable contractual limitation period — commonly six years in many EU jurisdictions after the relationship ends. The specific period should be tied to the local limitation period for civil claims rather than selected arbitrarily.

Financial records — invoices, purchase histories, accounting documents — are typically governed by statutory retention mandates. Across most EU member states, tax and accounting records must be retained for between five and ten years. The exact period depends on national implementation of EU accounting and tax directives and should be verified against the law of each operating jurisdiction.

Marketing and direct communication data — email lists, lead records, behavioral tracking data used for advertising targeting — should be retained only for as long as the consent or legitimate interest justifying the communication is active. When consent is withdrawn, deletion should be prompt. Where contacts have been inactive and have not engaged with communications for an extended period (commonly 12 to 24 months, depending on the organization's reasonable assessment), the original basis for retaining them in an active marketing system is likely exhausted and re-consent or deletion is required.

Employee and HR data is subject to layered retention requirements. Payroll and tax records typically carry statutory retention of six to seven years post-employment in most EU jurisdictions. Performance and disciplinary records are generally retained for the duration of employment plus the limitation period for employment claims. Job applicant data for unsuccessful candidates should typically be deleted four to twelve weeks after the recruitment process ends, unless the candidate has consented to being considered for future roles, in which case a defined period — commonly up to twelve months — can be justified.

CCTV and physical access logs are typically retained for thirty to ninety days in the absence of a specific incident requiring preservation as evidence. Website analytics session and behavioral data tied to identifiable user IDs requires a retention period tied to the analytics purpose — commonly thirteen to twenty-six months — and should be reviewed against whether identification is genuinely necessary for the analytics function or whether aggregation or anonymization can serve the same purpose with a shorter or eliminated retention requirement.

Support and customer service records should be retained for the duration of the support relationship and through the limitation period for claims arising from the services provided. Records of closed accounts with no active claims can typically be safely deleted after the applicable limitation period. Log data and audit trails, while operationally important for security monitoring, frequently retain personally identifiable information well beyond the period it serves a security purpose — security logs are a common source of over-retention that receives increasing supervisory attention.

Building a Retention Schedule

The retention schedule is the operational translation of retention compliance. It specifies, for each category of personal data the organization processes, the retention period, the basis for that period, and the action taken at expiry. Supervisory authorities treat it as a primary accountability document and request it as a standard step in inspections and investigations.

A compliant retention schedule is produced from the organization's Records of Processing Activities (RoPA). For each processing activity documented in the RoPA, the schedule records the category of personal data involved, the purpose and lawful basis, the retention period derived from that basis, and the deletion or anonymization process that fires when the period expires. The schedule is a living document — it must be updated when processing activities change, when purposes change, when the legal basis changes, and when national or EU-level legal retention obligations change.

Retention periods documented in the schedule must also be disclosed to data subjects. Privacy notices are legally required to inform individuals about the criteria used to determine retention periods or, where possible, the specific periods themselves. A privacy notice that says "we retain your data for as long as necessary" without specifying what that means in practice does not satisfy the Article 13 and 14 transparency requirements. Structuring operational data protection procedures so that retention schedules, deletion workflows, and RoPA maintenance function as integrated processes rather than separate compliance tasks is what produces retention compliance that holds up under scrutiny, rather than compliance that exists only on paper.

Technical Enforcement: Making Deletion Actually Happen

A retention schedule that is not technically enforced is a liability, not a compliance asset. It documents the organization's awareness of its obligations while providing evidence that it is not meeting them. The gap between a documented retention policy and actual data deletion is precisely what enforcement investigations exploit.

Automated deletion is the only operationally sustainable approach for organizations processing personal data at scale. Manual review processes are error-prone, resource-intensive, and inevitably produce inconsistent results across systems. Automated deletion means configuring each system that holds personal data — the CRM, the HR platform, the analytics database, the email marketing tool, the customer support platform, the cloud storage environment — to apply retention tags at the point of data ingestion, triggering deletion or anonymization workflows when the retention period expires.

Event-triggered deletion handles the cases where the retention endpoint is an event rather than a calendar date. When a user deletes their account, deletion is triggered. When a marketing consent is withdrawn, deletion is triggered. When an employee's post-termination retention period expires, deletion is triggered. These workflows must be designed to cascade across all systems that hold the relevant data — not just the primary system. A deletion from the CRM that leaves the same data intact in the data warehouse, the analytics platform, and the email marketing tool is not a compliant erasure.

Backups present a specific implementation challenge. GDPR does not require that data be simultaneously deleted from all backup systems the moment its retention period expires. What it does require is that data retrieved from backup not be restored to active processing after its retention period has expired. The practical approach is to document the backup retention cycle — typically thirty to ninety days depending on the backup architecture — ensure that backups are overwritten within a period proportionate to business risk, and establish a protocol that explicitly prohibits restoring data from backup that has been deleted from active systems for retention reasons. Where a specific erasure request has been fulfilled, that individual's data should be excluded from any subsequent restoration from backup.

Archiving is a recognized intermediate state between active processing and deletion. Data moved to archive is subject to restricted access, is not available for active operational use, and is held for a documented purpose such as legal hold or statutory compliance. Archiving does not extend the retention period — it provides a controlled environment for data that must be held but should not be active. Organizations that use archiving as an indefinite retention mechanism rather than a transitional state between active processing and deletion are misusing it and creating compliance risk.

Third-Party Processors and Retention Obligations

The accountability obligation for retention does not stop at the organization's own systems. Under GDPR Article 28, data processing agreements with processors must specify the retention period applicable to the data being processed and must obligate the processor to delete or return data to the controller at the end of the services. This means that every vendor, SaaS platform, analytics provider, and third-party service that processes personal data on your behalf must have a DPA that addresses retention and must actually delete that data when instructed or when the contractual period expires.

Controllers bear responsibility for verifying that processors honor their deletion obligations. "We told them to delete it" is not sufficient — the controller must have mechanisms for confirming that deletion occurred. DPAs should include audit rights, deletion confirmation requirements, and provisions for the controller to verify processor compliance with the retention terms. Understanding how data minimization and retention obligations flow through the vendor chain — and the enforcement pattern that has emerged when those obligations are not operationalized — is essential context for building a vendor retention governance program that actually works.

Sub-processor chains add a further layer of complexity. If your analytics vendor sub-processes data through a data warehouse provider, that sub-processor relationship must also be covered by contractual provisions that extend your retention obligations downstream. The controller's responsibility for data processed on its behalf does not terminate at the first processor.

Common Retention Failures

The most prevalent retention failure is the absence of any defined retention schedule — organizations that have privacy policies describing data types and purposes but have never translated those descriptions into specific time limits tied to specific data categories. Without defined periods, no deletion process can be configured, no audit can verify compliance, and no accountability demonstration is possible.

The second most common failure is the "keep everything just in case" approach to litigation holds and legal risk management. Organizations that routinely apply blanket legal holds to all data out of an undefined concern about future disputes are using legal hold as a retention extension mechanism rather than as a targeted pause on specific data subject to specific proceedings. GDPR does not permit indefinite retention on the basis of hypothetical legal risk — legal holds must be tied to specific proceedings or credible threats of proceedings, must be documented, and must be lifted when the relevant matter is resolved.

Failure to delete from backups, archived systems, and shadow copies is structurally the most common gap between policy and practice. Deletion from the primary operational database while the same data persists in backup copies, data lake snapshots, and development environments means the deletion has not been completed. Any system that holds a copy of the personal data is within scope of the retention obligation.

FAQ

What are GDPR data retention requirements? 

GDPR requires organizations to retain personal data for no longer than necessary for the purpose it was collected for, document the retention period and its justification, and enforce deletion or anonymization at the end of the period. Specific periods are not mandated by GDPR itself but may be specified by national law for particular data categories.

How long can personal data be stored under GDPR? 

As long as the purpose for which it was collected remains active and the retention is necessary for that purpose. Contractual data is typically retained through the applicable legal limitation period. Legally mandated records (tax, payroll) are retained for the period the relevant law specifies. Consent-based marketing data is retained until consent is withdrawn.

Does GDPR require automatic deletion? 

Not prescriptively, but automated deletion is the only practically sustainable approach for organizations processing data at scale. Manual deletion processes are structurally unable to maintain consistent compliance across all systems, including backups, archives, and third-party processors.

Can data be kept indefinitely? 

No, unless a legal obligation requires indefinite retention for a specific category of data and that obligation is documented. Vague business justifications for indefinite retention do not satisfy the storage limitation principle.

How do companies enforce retention policies? 

By configuring systems to apply retention tags at data ingestion, triggering automated deletion or anonymization workflows at period expiry, establishing event-triggered deletion for consent withdrawal and account closure, including deletion obligations in all processor DPAs, and auditing retention compliance at least annually across all systems that hold personal data.

GDPR's storage limitation principle is straightforward in theory and consistently underimplemented in practice. The €27 million Fine Mobile fine, the Polish bank enforcement, and the pattern of supervisory authority investigations into over-retention across analytics, HR, and marketing data all point to the same structural gap: organizations that defined their retention obligations in policy but never built the operational infrastructure to enforce them in systems. The accountability obligation requires not just knowing what the rules are, but being able to demonstrate at any moment that you are following them.

See how Secure Privacy's privacy governance platform helps organizations build retention schedules, automate deletion workflows, and maintain audit-ready documentation that demonstrates GDPR storage limitation compliance at scale.