The GDPR's Retention Principle

The GDPR's storage limitation principle, set out in Article 5(1)(e), requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This is not a default permission to retain data indefinitely pending a business decision to delete it. It is an active obligation to establish, document, and implement retention periods for each category of personal data that your organisation processes, and to enforce those periods through deletion or anonymisation when the retention period expires.

The storage limitation principle is one of the most consistently enforced aspects of the GDPR in data protection authority investigations. Organisations that lack documented retention policies, retain data well beyond any identifiable business purpose, or have no operational mechanism for deleting data when retention periods expire are at significant regulatory risk. Enforcement actions have addressed retention failures across sectors, from HR records held years beyond the end of the employment relationship to customer data retained indefinitely without any identified purpose.

Setting Retention Periods

There is no single GDPR-mandated retention period for most categories of data. The storage limitation principle requires that retention periods be determined by reference to the purposes for which data is processed: retention is lawful for as long as the purpose persists, and must end when the purpose ends or expires. Organisations must therefore define the purposes of each processing activity with sufficient precision to derive a corresponding retention period.

Several external sources constrain or inform retention periods. Belgian and EU legislation mandates minimum retention periods for specific categories of data: employment records must typically be retained for seven years for tax purposes; accounting records for seven years under Belgian accounting law; company formation and governance documents for ten years after dissolution; and health records for twenty years in most clinical contexts under Belgian law. Legal proceedings extend the retention period for documents relevant to active or foreseeable claims. These minimum and extended periods must be reflected in the retention policy alongside the default business retention periods.

For data where no statutory minimum applies, the business purpose and the applicable limitation period for potential claims are the primary determinants. Customer data in a transactional relationship is typically retained for the duration of the relationship plus the applicable limitation period for contractual claims (generally five years under Belgian law for commercial contracts). Marketing contact data collected with consent is retained for as long as consent remains valid and the contact remains active, with a defined period of inactivity triggering review or deletion. Employee data is retained for the employment relationship plus the applicable limitation periods for employment-related claims.

Implementing Retention in Practice

A retention policy that exists on paper but is not operationally enforced provides no compliance value. The practical implementation of data retention requires a documented retention schedule covering all categories of personal data processed by the organisation, system configurations that automate deletion or trigger deletion reviews when retention periods expire, training for staff who make ad hoc decisions about whether to retain or delete data, a process for applying legal holds when litigation or regulatory investigation makes deletion inappropriate, and an audit trail demonstrating that the policy is actually followed.

For organisations using cloud services, SaaS platforms, or third-party data processors, retention obligations extend to data held by those processors: the data controller is responsible for ensuring that processor contracts include appropriate retention and deletion obligations, and that processors actually delete data when instructed to do so and when the retention period under the processing agreement expires.

Frequently Asked Questions

Do we need a formal retention schedule and where should it be documented?

A formal retention schedule is both a legal requirement (it flows from the accountability obligation under Article 5(2) GDPR) and a practical necessity for operational implementation. It should be documented within or alongside the Records of Processing Activities (RoPA) and should be accessible to the DPO and the staff responsible for data management. The schedule should specify, for each processing activity or data category, the retention period, the basis for that period (business purpose, legal obligation, limitation period), and the action to be taken at expiry (deletion, anonymisation, or review). Supervisory authorities that inspect GDPR compliance routinely request the retention schedule as one of the primary accountability documents.

What happens if we cannot delete data because it is embedded in backup systems?

Backup systems present a practical challenge for data retention compliance. The GDPR does not require that data be deleted simultaneously from all systems including backups, but it does require that data in backups not be restored to active processing once its retention period has expired. The pragmatic approach is to document the backup retention cycle, ensure that backups are overwritten within a defined period that is proportionate to the business risk, and establish a policy that data subject to deletion or DSARs is excluded from restoration from backup. Where a specific erasure request has been fulfilled in active systems, the erasure from backups should follow the normal backup rotation cycle.
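The mechanics described under "Implementing Retention in Practice", the schedule fields listed in the first answer above (retention period, basis, action at expiry) and the rule that erased data must not come back from backup can be expressed as a small enforcement routine. The following is an added example written for this page; it is not the firm's tooling and not code from the article. The retention periods and categories follow the Belgian figures given in the text, while the data model, the "action at expiry" assigned to each category and the sample records are assumptions made for the example.

```python
"""Retention schedule enforcement (added example): evaluate records against a
documented schedule, honour legal holds, keep an audit trail, and refuse to
restore erased or expired data from backup.  Data model and sample records are
constructed for this example; retention periods follow the article."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule."""
    category: str
    years: int     # retention period counted from the date the purpose ended
    basis: str     # business purpose, legal obligation or limitation period
    action: str    # delete, anonymise or review (assumed per category here)


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    purpose_ended: date  # e.g. end of employment or of the customer relationship


# Schedule values taken from the article; the 'action' column is an assumption.
SCHEDULE: Dict[str, RetentionRule] = {r.category: r for r in (
    RetentionRule("payroll_tax", 7, "legal obligation (Belgian tax law)", "delete"),
    RetentionRule("social_security", 5, "legal obligation", "delete"),
    RetentionRule("employment_contract", 5, "limitation period (employment claims)", "delete"),
    RetentionRule("occupational_health", 20, "legal obligation (Belgian law)", "delete"),
    RetentionRule("customer_transactions", 5, "limitation period (commercial contracts)", "anonymise"),
    RetentionRule("personal_contact_details", 0, "no purpose once employment ends", "delete"),
)}


def add_years(d: date, years: int) -> date:
    """Calendar-correct year addition (29 February rolls back to 28 February)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class RetentionEngine:
    def __init__(self, schedule: Dict[str, RetentionRule], today: date):
        self.schedule = schedule
        self.today = today
        self.legal_holds: Dict[str, str] = {}   # subject_id -> reason for the hold
        self.erased: Set[str] = set()           # record ids deleted; blocks restores
        self.audit: List[dict] = []             # audit trail of every decision

    def _log(self, record_id: str, outcome: str, reason: str) -> None:
        self.audit.append({"date": self.today.isoformat(), "record": record_id,
                           "outcome": outcome, "reason": reason})

    def place_legal_hold(self, subject_id: str, reason: str) -> None:
        self.legal_holds[subject_id] = reason
        self._log(f"subject:{subject_id}", "hold_placed", reason)

    def lift_legal_hold(self, subject_id: str) -> None:
        self.legal_holds.pop(subject_id, None)
        self._log(f"subject:{subject_id}", "hold_lifted", "hold no longer required")

    def _expiry(self, rec: Record) -> Optional[date]:
        rule = self.schedule.get(rec.category)
        return None if rule is None else add_years(rec.purpose_ended, rule.years)

    def evaluate(self, rec: Record) -> str:
        """Return retain / hold / delete / anonymise / review for one record."""
        expiry = self._expiry(rec)
        if expiry is None:  # category missing from the schedule: a gap to fix, not silent retention
            self._log(rec.record_id, "review", "category missing from schedule")
            return "review"
        if self.today < expiry:
            return "retain"
        if rec.subject_id in self.legal_holds:  # litigation hold overrides expiry
            self._log(rec.record_id, "hold", self.legal_holds[rec.subject_id])
            return "hold"
        rule = self.schedule[rec.category]
        self._log(rec.record_id, rule.action, f"{rule.basis}; expired {expiry.isoformat()}")
        if rule.action == "delete":
            self.erased.add(rec.record_id)
        return rule.action

    def run(self, records: List[Record]) -> Dict[str, str]:
        return {r.record_id: self.evaluate(r) for r in records}

    def restore_from_backup(self, rec: Record) -> bool:
        """Gate on the restore path: erased, expired or unscheduled data stays out."""
        expiry = self._expiry(rec)
        if rec.record_id in self.erased or expiry is None or self.today >= expiry:
            self._log(rec.record_id, "restore_refused", "erased, expired or not on schedule")
            return False
        self._log(rec.record_id, "restore_allowed", "within retention period")
        return True


def demo() -> dict:
    """Constructed sample run: six records, one legal hold, two restore attempts."""
    engine = RetentionEngine(SCHEDULE, today=date(2024, 6, 1))
    records = [
        Record("r1", "emp-1", "payroll_tax", date(2016, 12, 31)),
        Record("r2", "emp-1", "employment_contract", date(2020, 3, 15)),
        Record("r3", "emp-2", "payroll_tax", date(2015, 2, 28)),
        Record("r4", "cust-7", "customer_transactions", date(2018, 1, 1)),
        Record("r5", "emp-3", "unscheduled_category", date(2010, 1, 1)),
        Record("r6", "emp-1", "personal_contact_details", date(2024, 5, 31)),
    ]
    engine.place_legal_hold("emp-2", "pending employment claim")
    outcomes = engine.run(records)
    restore_r1 = engine.restore_from_backup(records[0])  # deleted above: refused
    restore_r2 = engine.restore_from_backup(records[1])  # still within period: allowed
    engine.lift_legal_hold("emp-2")
    after_lift = engine.evaluate(records[2])             # hold gone, period expired
    return {"outcomes": outcomes, "restore_r1": restore_r1, "restore_r2": restore_r2,
            "after_lift": after_lift, "audit_entries": len(engine.audit),
            "leap": add_years(date(2016, 2, 29), 5).isoformat()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter for the compliance argument in the text: a record whose category is not on the schedule is routed to review rather than silently retained, so gaps in the schedule surface in the audit trail, and the restore path consults the same schedule and the erasure list, which is what makes the "no restoration from backup after expiry or erasure" policy enforceable rather than a statement of intent.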

How long can we retain employee data after an employment relationship ends?

The retention period for employee data after the employment relationship ends depends on the category of data and the applicable statutory and limitation periods. Payroll and tax records are typically retained for seven years under Belgian tax law, and social security documents for five years. Employment contracts and records relevant to potential discrimination or unfair dismissal claims are generally retained for five years from the end of the employment relationship, corresponding to the limitation period for employment law claims under Belgian law. Health records related to occupational health are retained for twenty years. Training and certification records may justify longer periods if relevant to ongoing professional liability. Personal data that has no ongoing purpose after employment ends (personal contact details, biographical information) should be deleted promptly.

Bart Lieben
Attorney-at-Law