The Principle of Storage Limitation
Article 5(1)(e) of the GDPR
Summary of the GDPR Principle
The Principle of Storage Limitation according to GDPR
The principle of storage limitation is one of the seven basic data protection principles of the GDPR. A company must adhere to all seven data protection principles. The principle of storage limitation means that a company can store personal data for as long as it is necessary to achieve the purpose of the processing.
The Principle of Storage Limitation
It is important that the purpose is specific and concrete. In addition, the company shall delete the personal data when they are no longer necessary for the purpose. Alternatively, the company can anonymize personal data instead. Article 5(1)(e) of the GDPR regulates this principle. It is therefore important that the company implements internal procedures for the erasure of personal data. Including regular checks of stored personal data.
Please note that the company must also comply with the other basic data protection principles, such as the Data Protection Principle of Data Minimization.
What does the Principle of Storage Limitation mean?
The principle of storage limitation is one of the seven basic data protection principles of the GDPR. A company must adhere to all seven data protection principles. The principle of storage limitation means that a company can store personal data for as long as it is necessary to achieve the purpose of the processing.
It is important that the purpose is specific and concrete. In addition, the company shall delete the personal data when they are no longer necessary for the purpose. Alternatively, the company can anonymise personal data instead. Article 5(1)(e) of the GDPR regulates this principle. It is therefore important that the company implements internal procedures for the erasure of personal data. Including regular checks of stored personal data.
Retention period of personal data under the principle of storage limitation
In the GDPR, there is no exact timeframe regulated as to how long a company may process personal data. Instead, all companies that are data controllers must decide for themselves. This can be done my analyzing how long the personal data need to be processed to achieve the purpose.
If the relationship between the company and data subjects has ended, and the company still wants to process their personal data, the company must be able to justify this. A company is not allowed store personal data “just because it may be useful to have in the future”.
Other laws may affect the retention period, not only the principle of storage limitation
It is important to keep in mind that there may be other laws that regulate how long certain personal data shall be retained. Retention periods are thus not only regulated by the principle of storage limitation. There are situations where the company needs to continue storing the personal data, even if the company no longer needs to use it.
Bookkeeping and accounting
Companies in most countries must store invoices and receipts for a certain number of years under the national Accounting Act. A company may not delete such material which may contain personal data. In this case, the storage takes place on the basis of a legal obligation. Article 6(1)(c) of the GDPR stated this legal basis. The company shall store the documents in a secure manner. In addition, the documentation shall be separate from the day-to-day operations, so that it is not too easily accessible. For example, the company can archive the documentation separate it from other documents processed in the day-to-day operations.
Remember that the company must take appropriate security measures to protect the personal data. This requirement applies throughout the period for which the company stores the personal data. It is permissible to store personal data as long the law requires it, pursuant to the principle of storage limitation.
Consumer's right of complaint
Another example of a statutory obligation, which may affect the retention period, is the consumer’s right of complaint. Within the EU, consumers have at least two years’ right of complaint regarding products. A company should store information about a completed consumer purchase for at least two years. This way, the company can handle customer complaints made within this period. When the right of complaint expires, the company can delete the personal data. This applies provided the personal data are no longer necessary to process for this purpose.
A company in Finland had to pay a fine because for not setting a retention period. This is against the principle of storage limitation.
The Finnish data protection authority imposed a fine on a company. The company in question had not set a specified storage period for its customers’ personal data. They stored the data indefinitely. In addition, customers had to create an account on the company’s online store in order to shop there. This was regardless of whether the customer had only made a single purchase. It was therefore not possible to complete a purchase through the website without a registered account.
The company kept customers’ personal data for as long as they kept their account. In order for the customer to have their personal data deleted, the customer had to delete their account. The company said that it was up to the customer to decide when they wanted to delete it. Therefore, the company had not set a specific storage period.
The Finnish data protection authority concluded that this was not a valid justification. A company shall not place the responsibility for determining the retention period of the personal data on the data subject. The company shall not require the customer to register an account in order to make the purchase on the website. Creating an account shall be voluntary, not mandatory.
Anonymise personal data instead of deleting it
A company does not necessarily have to delete the personal data when it is no longer needed for the purpose it was collected for. Even if this main rule stems from the principle of storage limitation. Instead, the company can anonymise them. When personal data is anonymised, it is no longer considered as “personal data”. Rather, only as “data”. Anonymous data can no longer be linked to a living individual. Therefore, anonymized data is not covered by the GDPR.
For example, it may be useful to anonymise data if a company wants to save statistics that are not dependent on personal data. It may be that the company wants to see how many of those who buy their products or services are men or women. Then the company can anonymize the buyer’s personal data and only keep information about the gender.
Please note that the process of anonymization itself constitutes a processing of personal data. That is a processing which must be conducted in accordance with the GDPR.
Processing personal data without a new legal basis for a purpose other than the original one
According to the general rule of the GDPR, a company should only use personal data for the purpose for which it was collected. However, there are some exceptions to this. In some cases, the personal data may be processed for a different purpose than the original one, without the need for a new legal basis for the processing. However, this is only possible if the new purpose is compatible with the original purpose.
For example, a company may collect personal information to deliver a product or manage its customer relationships. If the company subsequently wants to use the same personal data for something else, such as analytics or marketing, the company must assess whether the new purpose is compatible with the original purpose.
If the new purpose is unexpected for the data subjects or completely unrelated, the company must have a separate legal basis for the processing. Alternatively, obtain the data subject’s new consent to the new processing.
Analyze the new purpose and document the assessment
The company needs to analyse whether the new purpose is compatible with the original one, by evaluating different aspects. These include:
- connection between the new and original purpose and how closely they are related to each other;
- reasonable expectations of the data subject regarding the use of their personal data for the new purpose;
- nature and sensitivity of the personal data;
- safeguards the company implements and whether they are sufficient to protect personal data.
The company must document this assessment and analysis in writing. Furthermore, the company shall also:
- present the documentation to the supervisory authority upon their request.
- inform the data subjects about the processing of their personal data.
- take the necessary technical and organizational safeguards to protect the personal data.
Exceptions in the GDPR allow companies to process personal data for purposes other than those originally intended, even if the purposes are not compatible
In some cases, it is permissible for a company to process personal data for purposes other than those originally intended. This applies in some cases even if the purposes are not compatible. The purpose of these exceptions is to balance, on the one hand, the protection of public interest or other overriding interests and, on the other hand, the personal data of the data subject.
The exceptions under recital 50 of the GDPR include the following:
- archiving of personal data in the public interest;
- research purposes that are historical or scientific;
- statistical purposes; However, that this may only be done for statistical purposes, provided that the company has taken sufficient organizational and technical security measures.
If the company process the personal data under one of the above-mentioned exceptions, the company may continue to store the personal data.
Other data protection principles
The Principle of Integrity and Confidentiality
A company must take adequate organisational and technical security measures to protect the personal data it processes. It is important to bear in mind that the company only “borrows” the personal data of the data subjects and must take good care of it. The company must carry out all personal data processing in a safe and confidential manner. This means that the company must analyze any personal data breaches and how they can protect themselves against such incidents. In addition, companies should implement internal procedures for how they should act if this occurs.