Retention Period

The defined period for which personal data is kept before being deleted or anonymised, set by reference to the purpose of processing.

GDPR Article 5(1)(e) — the storage limitation principle — requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."

The principle has two practical consequences:

  • A retention period must be set, and it must be specific (a number of years, a defined trigger event, or both).
  • "As long as needed for our business purposes" is not a retention period; it's a refusal to set one.

Setting a retention period

Three factors usually determine the period:

  1. The purpose of the processing. Marketing data is typically retained for as long as the contact remains a customer plus a defined wind-down. Employment data is retained for the duration of employment plus statutory periods (often six years for tax and pensions, longer for some pension schemes).
  2. Legal obligations. Tax law, employment law and sectoral regulation set minimum periods; these are floors, and deletion before they expire isn't permitted.
  3. Defence of legal claims. Retaining data for the limitation period of the relevant claims is a common justification (typically 6 years in England and Wales for breach of contract; the period varies by jurisdiction).

Once a retention period is set, the controller is committed to it. Quietly extending retention without updating the privacy notice, the RoPA, and the data subject communication is non-compliant.

Where vendors come in

Two failure modes are common:

  • Vendor retention exceeds controller retention. The controller's privacy notice says customer data is retained for 24 months. The vendor's privacy notice (or DPA appendix) says they retain processed data for 60 months. The longer period wins by default unless the contract requires deletion on a shorter schedule.
  • Backup and log retention sprawl. Application data may be deleted after 24 months, but database backups, audit logs, and observability tooling may keep copies far longer. A monitoring vendor that retains 13 months of detailed request logs is, in effect, retaining personal data for 13 months regardless of what the customer's privacy notice says.

Catching retention drift in a vendor's documents is one of the higher-value monitoring outcomes — it's a quiet way for the controller to fall out of compliance with its own commitments.

Related terms