8. Define storage periods for personal data and erase unnecessary data
Limiting the storage of personal data is one of the principles of data protection. The erasure of personal data must also be taken into account in hobby activities so that personal data is not being stored unnecessarily. As a rule, personal data may only be stored for as long as necessary.
The controller must determine how long each type of personal data must be stored and define a process for the erasure of data. If the controller does not see to the erasure of unnecessary personal data, there is a risk that data will be stored for years without a legal basis for processing. In that case, an event such as a data leak can also disclose more personal data to outsiders than it would have if the personal data had been appropriately erased when no longer necessary.
The format in which personal data is processed must be taken into consideration in its storage and erasure. Participants must be informed of the storage period of personal data, or at least of the criteria used to determine the storage period. Determining storage periods and planning storage are part of the controller’s obligation to demonstrate compliance with data protection regulations.