In 2021, the French supervisory authority (CNIL) imposed a fine of €1,750,000 on SGAM AG2R LA MONDIALE.
In its decision, CNIL found that the controller had breached the storage limitation principle by keeping the data of millions of individuals well beyond the applicable periods. Although the company had defined retention periods on paper, it had not implemented them in its IT systems, and as a result it failed to respect the maximum statutory retention periods laid down in the French Insurance Code and Commercial Code.
The Italians have not fallen behind their neighbours: in 2022 the Italian supervisory authority (the Garante, GPDP) fined Clearview AI Inc. 20 million euros. According to the decision, 3.8 million of that amount related in particular to violations of several provisions of Article 5 of the GDPR; the Garante noted that the company had not established any retention periods at all, in breach of the “storage limitation” principle.
These significant fines and the violations behind them make one thing evident: proper and, above all, time-limited retention of personal data is an essential element of GDPR compliance.
Read on to learn how to achieve this in practice.
The “storage limitation” principle
Article 5(1)(e) of the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Longer storage is allowed only for archiving in the public interest, scientific or historical research or statistical purposes, and only subject to appropriate safeguards. That is the essence of the “storage limitation” principle.
Once personal data is no longer necessary for the purpose it was collected for, the company must either erase it or anonymise it; where a legal obligation still requires retention, the data must be stored in accordance with the relevant technical and organisational requirements. In practice, anonymisation is a demanding process: it must ensure that the data subject can never again be identified from the data, directly or by combining it with other data. Only data that meets this standard ceases to be personal data, and only then does the GDPR stop applying to it.
How can companies ensure and demonstrate compliance with the “storage limitation” principle and leave a supervisory authority (SA) no grounds for penalties? The key lies in a well-defined and effectively implemented Data Retention Policy.
Data Retention Policy: what is it, and what does it consist of?
A Data Retention Policy is an internal document (a set of rules and procedures) approved by the company which, among other things, sets how long each category of personal data is stored and processed.
The GDPR does not expressly require such a document, but it is a practical tool within the company's overall data management strategy for ensuring, and demonstrating, compliance with GDPR requirements (the accountability principle in Article 5(2)).
For example, in 2022 the French supervisory authority (CNIL) fined DISCORD INC. 800,000 euros. Among the violations, CNIL noted that the company had no written Data Retention Policy and continued to store the data of users whose accounts had been inactive for 3 or even 5 years.
What should a Data Retention Policy include?
- specific data storage periods;
- frequency of backups;
- technical and organisational rules and requirements for data storage;
- methods of accessing data;
- guidelines for data erasure or anonymization;
- rules in case of violation.
How to determine how long to store personal data?
The GDPR does not lay down retention periods; it only requires that personal data be kept no longer than necessary for the purposes of processing. It is therefore for the controller to determine specific periods.
Retention periods must be set individually for each category of data, in line with the purpose and legal basis of the processing. Applying one and the same period to all categories of personal data will be treated as a violation of the “storage limitation” principle. In 2020, for instance, the Italian supervisory authority found that Tim SpA had violated the principle by defining the same retention period (6 months) for different purposes and categories of data.
So, first of all, the company needs to identify clearly which categories of personal data it processes. For each of these categories it should then check national legislation for any prescribed retention periods.
Where to look for data retention periods in national legislation?
- tax and financial codes and laws;
- employment legislation;
- legislation on social protection;
- medical legislation;
- legislation on the protection of consumer rights;
- laws governing telecommunications and the Internet;
- legislation in the field of intellectual property;
- criminal, administrative and civil codes;
- corporate legislation and others.
For example, under the Irish Organisation of Working Time Act 1997, working-time records of employees must be retained for 3 years.
Which laws you need to consult for retention periods therefore depends, in each specific case, on the categories of personal data the company processes.
If the legislation sets no retention period for a given category of data or processing purpose, the company should itself determine a reasonable period, based on its contractual obligations or business needs. Such periods must be justifiable. For example, the Finnish supervisory authority fined ParkkiPate Oy in 2021 and stated that data cannot be stored indefinitely merely because the controller might need it in possible future legal proceedings.
Moreover, such periods should not only be set out in the Policy and implemented, but also communicated to data subjects. The Finnish supervisory authority made this point in the ParkkiPate Oy decision already mentioned: retention periods must be limited and must be communicated to the data subjects.
Best Practice Recommendations
Based on the fines imposed by the supervisory authorities, the following useful recommendations can be identified:
- the company should have a Data Retention Policy;
- the Policy should clearly specify the data retention periods;
- retention periods for certain categories of data may be prescribed by national legislation, and those must be taken into account;
- retention periods should be individualised and justified for each category of personal data, according to the grounds and purposes of the processing;
- such periods should be communicated to the data subjects;
- the Data Retention Policy and, in particular, the retention periods, should be directly implemented in the company's activities and IT systems;
- the Data Retention Policy should also cover backups and the technical and organisational requirements for data retention.
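The fines above were imposed not for missing paperwork alone but for periods that existed on paper and were never enforced in the systems holding the data. As an added illustration (not code from the original article or from Legal IT Group), the following Python sketch shows what "directly implemented in IT systems" can look like: a per-category schedule with its own period and end-of-life action (erase or anonymise), a validator that rejects the two defects the article describes (no period at all, or one uniform period for every category), and a run that turns the schedule into concrete decisions for each record. Every category, period, field name and record below is constructed for the example and is not legal advice; the real periods must come from the legislation that applies to you.

```python
# Added example: a minimal retention engine enforcing a per-category schedule.
# Categories, periods and records are constructed for illustration only.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str                  # category of personal data
    purpose: str                   # purpose of processing (what justifies the period)
    retention_days: Optional[int]  # None means "indefinite", which is never acceptable
    action: str                    # "erase" or "anonymise" once the period has run


# Constructed schedule; the periods are illustrative, not legal advice.
SCHEDULE: List[RetentionRule] = [
    RetentionRule("payroll", "tax and accounting", 10 * 365, "erase"),
    RetentionRule("working_time", "working-time compliance", 3 * 365, "erase"),
    RetentionRule("web_analytics", "service improvement", 13 * 30, "anonymise"),
    RetentionRule("user_account", "service provision", 2 * 365, "erase"),
]

# Fields treated as direct identifiers by the (hypothetical) anonymisation step.
DIRECT_IDENTIFIERS = {"name", "email", "ip", "user_id"}


def validate_schedule(rules: List[RetentionRule]) -> List[str]:
    """Return a list of defects; an empty list means the schedule is acceptable."""
    problems = []
    seen = set()
    for r in rules:
        if r.retention_days is None or r.retention_days <= 0:
            problems.append(f"{r.category}: no finite retention period defined")
        if r.action not in ("erase", "anonymise"):
            problems.append(f"{r.category}: end-of-life action must be erase or anonymise")
        if r.category in seen:
            problems.append(f"{r.category}: duplicate rule")
        seen.add(r.category)
    # One period for every category and purpose is the Tim SpA pattern: reject it.
    if len(rules) > 1 and len({r.retention_days for r in rules}) == 1:
        problems.append("one uniform retention period for every category and purpose")
    return problems


@dataclass
class Record:
    record_id: str
    category: str
    clock_start: date       # event that starts the period (contract end, last login, ...)
    fields: Dict[str, str]  # personal data held in the record


def decide(record: Record, rules: Dict[str, RetentionRule], today: date) -> str:
    """Return 'keep', 'erase', 'anonymise', or 'hold' (no rule: needs a human decision)."""
    rule = rules.get(record.category)
    if rule is None or rule.retention_days is None:
        return "hold"  # uncovered data is flagged, never silently kept
    if today >= record.clock_start + timedelta(days=rule.retention_days):
        return rule.action
    return "keep"


def anonymise(record: Record) -> Dict[str, str]:
    """Drop direct identifiers and keep only the remaining fields.

    Stripping identifiers is the first step only; whether the residual fields can
    still single out a person must be assessed before calling the result anonymous.
    """
    return {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}


def run_retention(records: List[Record], rules: List[RetentionRule], today: date) -> Dict[str, str]:
    """Apply the schedule to every record; refuse to run if the schedule is defective."""
    problems = validate_schedule(rules)
    if problems:
        raise ValueError("schedule rejected: " + "; ".join(problems))
    by_category = {r.category: r for r in rules}
    return {rec.record_id: decide(rec, by_category, today) for rec in records}


# Constructed sample records evaluated on a fixed date so the result is reproducible.
TODAY = date(2024, 6, 1)
RECORDS = [
    Record("r1", "payroll", date(2013, 12, 31), {"name": "A. Example", "gross": "4200"}),
    Record("r2", "working_time", date(2022, 1, 15), {"name": "B. Example", "hours": "37.5"}),
    Record("r3", "web_analytics", date(2023, 1, 1), {"ip": "203.0.113.7", "country": "FR", "page": "/pricing"}),
    Record("r4", "marketing_consent", date(2020, 1, 1), {"email": "c@example.com"}),  # no rule
]

if __name__ == "__main__":
    for record_id, action in run_retention(RECORDS, SCHEDULE, TODAY).items():
        print(record_id, action)
```

Two design choices matter here. The clock starts from an explicit event stored with the record (end of contract, last login), not from the collection date, because most statutory periods run from such an event. And a record whose category has no rule is returned as "hold" rather than being kept quietly, so that uncovered data surfaces in the next review of the Policy instead of accumulating for years, which is exactly the pattern the supervisory authorities penalised.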
The Data Retention Policy is therefore a comprehensive document and an important tool for GDPR compliance. When it is effectively implemented in practice, it serves as tangible evidence of adherence to the “storage limitation” principle.
Contact Legal IT Group to develop an effective Data Retention Policy.