More than two years after the entry into force of the General Data Protection Regulation (GDPR), there are still many questions about the storage limitation principle laid down in Article 5(1)(e) GDPR, as many companies have doubts when defining protocols for erasing the personal data of customers and/or employees.
Just as many companies have opted for immediate erasure of the data once the relationship with the data subject ends, out of fear of the high fines the regulation allows, many others, either out of ignorance or out of fear of losing what is today one of their most valuable assets, personal data, choose to keep that information indefinitely.
Neither extreme is correct. Both the GDPR and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) establish that personal data must be kept in a form that permits identification of the data subjects for no longer than is necessary. In other words, the data may be kept only for as long as they are needed for the stated purpose and, after that, only for the legal limitation periods, i.e. the periods set by law during which legal action may still be brought. The controller must also, as far as possible, have informed the data subject of the retention period it has set for the processing in question.
Data may only be retained for as long as is necessary for the stated purpose.
Therefore, erasing data immediately may lead to non-compliance with other tax or corporate obligations, since, in the event of a request or inspection by an authority, the company must be able to produce the information requested.
Keeping personal data indefinitely is also a breach of the GDPR. For instance, the Danish Data Protection Agency imposed a fine of 1.5 million Danish kroner (around 200,000 euros) on a furniture company for not having deleted the data of former customers that it no longer needed to keep in its systems.
During an inspection of that company, one of the questions was whether it had established data retention protocols defining when customer data should be deleted, and whether those protocols were actually followed. It turned out that the data were still being kept on an old server and that the company had no data erasure protocol at all.
Likewise, the first such sanction in Germany was imposed on a real estate company for retaining documentation containing personal data "forever", without any time limit. The fine amounted to EUR 14.5 million: personal data that had ceased to be relevant years earlier, including information on wages, extracts of employment contracts, tax data, bank account statements, health insurance and social security, were found to be held by the company.
Applying this principle to a specific case, consider the retention period for CVs. Some companies, unaware of the obligations described above, either delete the CV data as soon as the selection process ends or keep it for many years, ending up with large volumes of personal data that quickly become obsolete. Although there is no legal limitation period that sets a retention limit for CV data, the recommendation is to keep it for a maximum of two years from receipt of the CV.
The solution that follows from the GDPR is the blocking and/or anonymisation of personal data.
If blocking is chosen, the consequence is that nobody in the organisation can access or process the data for ordinary purposes; the data are kept, with appropriate security measures, only so that they can be made available to the competent public authorities for as long as liability may arise. Opting for anonymisation instead means the data cease to be personal data, since anonymisation aims to eliminate the possibility of identifying a person; it must therefore be irreversible. A third option is pseudonymisation. Here the personal data are processed without the fields that identify the data subject, but the link between the data and the identity is kept separately, so the process can be reversed. An example of pseudonymisation would be replacing a customer's first and last name with a number or code, with the code-to-name mapping stored apart from the data. Because that link exists, pseudonymised data are still personal data under the GDPR, and the retention limits continue to apply to them.
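The three options above, as an added example that is not part of the original article: a constructed customer record is pseudonymised with a keyed HMAC token whose re-identification link is held in a separate "vault", anonymised by dropping identifiers and coarsening the remaining fields with no link kept, and blocked for an assumed limitation period during which it can be released only for a request from a competent authority. The field names, the HMAC-SHA256 tokenisation and the four-year limitation period are assumptions for illustration; the applicable period depends on the legal obligation in question.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed sample customer record for the example (not data from the page).
CUSTOMER = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "city": "Madrid",
    "last_order": "2019-03-14",
}
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record, key, vault):
    """Replace direct identifiers with a keyed HMAC-SHA256 token.

    The token -> identity link is written to `vault`, which must be stored
    separately (other system, other access control) from the pseudonymised
    data. Because the link exists, the output is still personal data under
    the GDPR; only the re-identification risk is reduced.
    """
    msg = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    vault[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
    return out


def reidentify(pseudo, vault):
    """Reverse pseudonymisation using the separately held vault."""
    identity = vault[pseudo["subject_id"]]
    return {**{k: v for k, v in pseudo.items() if k != "subject_id"}, **identity}


def anonymize(record):
    """Irreversibly strip identifiers and coarsen quasi-identifiers.

    No vault is kept, so the result is no longer personal data, provided the
    surviving fields (here only city and order year) cannot single out the
    subject.
    """
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "subject_id"}
    out["last_order"] = record["last_order"][:4]  # keep the year only
    return out


class BlockedRecordError(PermissionError):
    """Raised when blocked data is requested for an ordinary purpose."""


def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


@dataclass
class BlockedRecord:
    """Personal data kept after the relationship ends, for liability only."""
    data: dict
    blocked_until: date

    def access(self, purpose, today):
        if today >= self.blocked_until:
            raise BlockedRecordError("limitation period over: erase or anonymise")
        if purpose != "competent_authority_request":
            raise BlockedRecordError("blocked data may not be used for ordinary processing")
        return self.data


def block_on_termination(record, end_date, limitation_years):
    """Move a record into the blocked state for the legal limitation period.

    `limitation_years` is an assumed input for the example; the real period
    depends on the obligation (tax, labour, contractual) behind the retention.
    """
    return BlockedRecord(data=record,
                         blocked_until=_add_years(end_date, limitation_years))


if __name__ == "__main__":
    key = b"hmac-key-kept-in-a-kms-not-in-code"  # placeholder for the example
    vault = {}
    pseudo = pseudonymize(CUSTOMER, key, vault)
    print("pseudonymised:", pseudo)
    print("reversible:", reidentify(pseudo, vault) == CUSTOMER)
    print("anonymised:", anonymize(CUSTOMER))
    blocked = block_on_termination(CUSTOMER, date(2019, 3, 14), 4)
    print("released to authority:",
          blocked.access("competent_authority_request", date(2021, 1, 1))["name"])
```

The point of the separate `vault` is that whoever holds the pseudonymised data but not the vault cannot re-identify anyone, while the controller still can, which is exactly why the data remain personal data. `anonymize` keeps no vault at all, and `BlockedRecord.access` refuses any purpose other than an authority request, then refuses everything once the limitation period has run, at which point the record must be erased or anonymised.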
In conclusion, companies may retain the personal data of customers and employees after the end of the commercial or employment relationship, provided that the confidentiality of the data is guaranteed through appropriate security measures, and only until the legal obligation from which liability may arise comes to an end.
At GlobalSuite Solutions, we have more than 15 years of experience in Personal Data Protection and Information Security. Our specialised consulting teams offer the advice and support companies need to define correct protocols for the retention of personal data and to comply with the requirements of the GDPR and the LOPDGDD (Spain).