How long may I keep customer data?

That depends on the purpose. Active customer data may be kept for the duration of the relationship. After the relationship ends, you only keep it if you have a legal retention obligation (e.g. invoicing data 7 years) or can demonstrate a legitimate interest.

Must I delete data automatically?

The GDPR does not prescribe automatic deletion, but it is recommended. Set deletion reminders or configure your systems to automatically delete data after the set period.

What if I'm not sure which period to apply?

First check if there is a legal retention obligation. If not, determine the period based on the purpose for which you process the data. Document your choice and the reason - that is the most important thing.

GDPR Data Retention - How Long May You Keep Data?

The GDPR requires you not to keep personal data longer than necessary. But how do you determine the right period? This article explains how to create a data retention policy with concrete examples per data type.

Why is this important?

The GDPR is clear: you may not keep personal data longer than necessary to achieve the purpose for which you collected it. Yet most businesses keep data much longer than necessary, simply because nobody ever thinks about it.

The risk? During an inspection by the supervisory authority, or when a customer submits a deletion request, you must be able to explain why you still hold certain data. “We never thought about it” is not a valid answer.

Common retention periods

Below is an overview of common retention periods. Note: these are guidelines - always check the specific legislation that applies to your situation.

Data type	Legal basis	Retention period
Accounting documents (invoices, payments)	Tax legislation	7 years
Personnel files	Employment law	5 years after end of employment
Application data (rejected)	Legitimate interest	Max. 4 weeks (up to 1 year with consent)
Customer data (active relationship)	Contract performance	Duration of relationship
Customer data (after termination)	Legitimate interest	Max. 2 years
CCTV footage	Legitimate interest	Max. 1 month (unless incident)
Website analytics (IP addresses)	Consent / legitimate interest	Max. 26 months
Contact form submissions	Legitimate interest	Max. 2 years after last contact
Newsletter subscribers	Consent	Until consent is withdrawn

How to create a retention policy

Step 1: Inventory your processing activities

You cannot set retention periods if you don’t know what data you process. Start with your processing register - all processing activities are listed there.

Step 2: Determine the period per activity

Ask yourself per processing activity:

Is there a legal retention obligation? If so, that applies
If not, how long do I really need the data for the purpose?
Is there an industry standard I can follow?

Step 3: Document your choices

Record per processing activity:

Which retention period you apply
Why (legal basis or justification)
What happens when it expires (deletion, anonymisation)

Step 4: Implement and monitor

Set reminders for checking and deleting expired data
Configure automatic deletion where possible
Check at least annually whether your policy is still current

Common mistakes

Keeping everything “forever” because it’s easier. This is a GDPR violation
Not distinguishing between active and inactive customers
Forgetting backups: if you delete data but it’s still in a backup, you’re not done
No policy on paper: if you haven’t documented it, it doesn’t exist for the supervisory authority

auto_awesome Track retention periods automatically?

GDPRWise helps you set the right retention period for each processing activity and reminds you when data needs to be deleted.

Start your free scan

Data Retention: How Long May You Keep Personal Data?