Examples of data retention and deletion times

In previous bulletins, the following profiles on personal data retention were examined: 

  • Inclusion of data retention among processing operations and the limitation of retention for the minimum period of time necessary to achieve the stated purpose (Bulletin of May 9, 2024)
  • The legal value of determining retention times (Bulletin of May 23, 2024)

In this round we focus on some time limits – collected according to an example criterion of the most common and general cases – to support the creation of that “dictionary of data retention times” that each data controller should make and update, in order to be able to respond adequately to the requirements of the GDPR on the register of processing, information to data subjects and access requests. 

Some of these timeframes are dictated by regulations; others, by orders of the Italian Data Protection Authority; and still others are inferred from practices deemed to be correct.

Example cases

Five-year or ten-year prescription

Articles 2946 (ten-year ordinary period of limitation for the exercise of rights) and 2948 Civil Code (five-year short statute of limitations, in general, for periodic payments due annually or set in shorter terms, including payment of bills) constitute system rules.

For example,

  • personal data necessary for the exercise of rights arising from contractual obligations may be retained for ten years after the termination of the contract (Art. 2946 Civil Code, see prov. of Dec. 11, 2019, web doc. no. 9244365); in this sense it is provided by the Code of Conduct for Employment Agencies for data processed in the context of employment relationships (11 years after the termination of the employment relationship, i.e., “taking into account the ordinary limitation period (…) with the addition of one year, the technical term necessary for the deletion to be completed“)

Condividi

Post Recenti

EDPB: Data processing supply chain – 3

The Foodinho case

A verbal communication can be a “processing”