View the publication here.

The General Data Protection Regulation (the “GDPR”), has been approved by the European Parliament on 14 April 2016 and entered into force on the 25 May 2018. The GDPR replaced Directive 95/46 EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The GDPR has been implemented by the European Parliament to make Europe more fit for the digital age, and protect private data across and beyond European borders. The GDPR subjects data retainers to limitations in relation to private data of

This article is a continuation of "The General Data Protection Regulation: Key Changes."


The implementation of the GDPR impacted businesses and individuals across the European Union (the “EU”) and beyond, the implementation of the regulation extends further than the borders of the EU itself. The GDPR seeks to strike the right balance between the business needs and the privacy rights of the individual.

Organisations are required by the GDPR to be more considerate and adequate in collecting, retaining or deleting personal data. The GDPR requires data controllers and data processors to maintain transparency, proportionality and consent at all times whilst handling personal data of an individual from collection up until deletion and erasure of the recorded data.

What is Data Retention?

When personal data is collected in accordance with Article 5 (e) of the GDPR, it must only be for

  • Article 4 of the GDPR : ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the purposes that are “adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed”. At the time of collection of data, the data controller 1  is under the obligation of informing the data subject:
  • what data is being collected;
  • the purpose for which the data is being collected; and
  • the period for how long the data will be retained by the data controller.

The GDPR gives prominence to data being only retained for as long as it is required to achieve the purpose for which the data was collected initially. This GDPR principle is of utmost importance as it helps the protection against the abuse and misuse of personal data. Each and every organisation who either processes or collects data, must always be in a position to prove how the data was collected, for which such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; purpose and for how long the data shall be retained. Failure to provide such information could potentially
result in a data breach.

Recital 39 of the GDPR, specifically obliges organisations and data controllers, to establish within their organisation strict time limits to ensure that data collected is not kept for longer than it is strictly necessary. Periodic reviews of the collected and controlled data is required in order to ensure that the data is securely erased when it is no longer required.

The GDPR establishes rules and regulations in relation to data retention because the longer data is kept on record, and in the event of a data breach there is a greater potential of a breach of personal data. Organisations must establish a legitimate interest to show that it is in their best interest to store the data for a stipulated time period. After the stipulated time frame has expired, the data should be erased accordingly.

KYD – Know Your Data

Article 30 of the GDPR holds that organisations must maintain a record of processing activities under their own responsibility. The GDPR does not dictate any retention periods for how long data should be kept, however states that personal data should be kept in a form that permits the identification of an individual for no longer than necessary for the purposes of which it is being processed. Therefore, the GDPR does not specify the periods for how long data should be kept, it otherwise bears upon organisations and legal persons the responsibility of establishing a legitimate interest for the period of how long the record of such data processing activities shall be deemed necessary.

In establishing the period of time for how long the data shall be kept, organisations need to assess the data that they have under their control to establish the legitimate interest that they have in relation to the data retained. If there is a legitimate interest, organisations may retain data for as long as they may legitimately require it.

Legitimate Interest

Measures taken by organisations must be proportional to the data recorded in order to establish the legitimate interest. Article 6(1) of the GDPR provides for a lawful basis for processing where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in particular where the data subject is a child.”

Interest may vary from the organisation’s own interest, interests of third parties to commercial interests. Legitimate interest cannot always be relied upon, because in the eventuality that the individual’s interests overriding those of the organisation, then it would be harder to prove such interest.


One thing which must be kept in mind is that the right to erasure isn't absolute nor it is unlimited. The removal or deletion of data and the right to be forgotten needs to be balanced against the freedom of information and the public interest.

Exceptions to the right to erasure:

  • freedom of expression and information;
  • compliance with legal obligations or official authorities;
  • public health reasons;
  • public interest, scientific research, historic research or statistical analysis; and
  • legal claims.

The biggest challenge in relation to the right to erasure remains that the onus is on controllers to prove their very own rights and interests in relation to the data collected and retained.

Data Recording

The GDPR holds that a data record shall necessarily contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The data controller or the data processor shall make the record available to the supervisory authority on request. Not keeping such record constitutes a breach of the GDPR.


The GDPR left an impact starting from the biggest organisations to the smallest businesses. Every data controller is under the obligation of drafting a data protection policy which includes several vital information amongst which is the data retention period. When a data subject asks for his/her personal data to be removed, organisations must be able to evaluate the legal obligations of record keeping, and evaluate whether there is legitimate interest or not. It is always best to adapt the required policies and procedures rather than mitigating a data breach.

Celaine Vella
Celaine Vella