How long can personal data be stored under GDPR?
- What does GDPR say about retention time and the storage limitation principle GDPR?
- GDPR retention policy and the legal basis (Article 6 GDPR lawful basis)
- “Necessary for the purpose” — how to assess necessity
- Internal policies, documentation and Article 30 record of processing
- Disposal, deletion and the right to be forgotten GDPR
- How other laws affect retention periods
- Practical recommendations and your GDPR retention policy
- Morling Consulting’s support
How long should personal data actually be kept? It is one of the most common questions European businesses face when applying the GDPR. The answer is not always simple, but the starting point is clear: only for as long as it is necessary for the purpose, and no longer. This article explains what the law requires, how to assess a reasonable retention period, and how the distinction between deletion and terminating processing for a given purpose affects the legal position.
What does GDPR say about retention time and the storage limitation principle GDPR?
The GDPR states that personal data must not be kept longer than necessary for the purpose for which it was collected (Article 5(1)(e)). This is the GDPR storage limitation principle, and it exists to protect individuals' privacy.
In practice, every processing activity must have a defined and documented retention period, or clear criteria for determining one. It is not permissible to keep personal data "just in case" or because it might be useful later.
GDPR retention policy and the legal basis (Article 6 GDPR lawful basis)
All processing of personal data must rely on an Article 6 GDPR lawful basis. This influences how long data may be retained. For example:
- Contract: Data may be retained for as long as needed to perform the contract—no longer.
- Legal obligation: Where another law requires retention (for example, bookkeeping or anti-money laundering law), data may be kept in line with those requirements.
- Legitimate interests: Once the balancing test no longer holds, the data must be deleted.
The lawful basis, together with the purpose, determines what retention can be justified in each case, and the outcome should be recorded in a GDPR retention policy or a GDPR data retention schedule.
“Necessary for the purpose” — how to assess necessity
Assessing what is “necessary” is a legal and practical judgement made case by case. Factors to consider include:
- The specific purpose for which the data was collected.
- How long that purpose remains relevant.
- Whether the purpose has ceased for some parts of the data even though it continues for others.
- Whether other law requires continued retention.
It is also important to distinguish between ending processing for a specific purpose and actually deleting the data. Sometimes it is sufficient to cease processing for a given purpose—for example, by moving the data to a segregated archive with restricted access or by otherwise limiting processing.
Internal policies, documentation and Article 30 record of processing
Under the GDPR, the controller must document applicable retention periods, or the criteria for setting them. This should be achieved through:
- The Article 30 record of processing activities.
- Clear explanations in the privacy notice for data subjects.
A policy can support restriction, deletion or disposal (gallring) of personal data in the way the company has determined. It should set out how, when and by whom these actions occur, both technically and organisationally, and should reflect the GDPR data minimisation principle.
Disposal, deletion and the right to be forgotten GDPR
It is essential to distinguish between disposal of personal data and deletion—related but legally distinct concepts:
- Disposal (gallring) is often used in the public sector and means removing data or making it inaccessible under predefined rules when it is no longer needed.
- Deletion refers to an individual exercising the right to have data erased, for example under Article 17 GDPR, the right to be forgotten.
Note that data does not always have to be erased as soon as one purpose ends: if another purpose with a valid lawful basis (for example, a legal obligation) requires continued retention, processing must instead be restricted to that remaining purpose. Although individuals can request deletion, the right applies only where no overriding legal obligation to retain the data exists.
How other laws affect retention periods
The GDPR sets no absolute retention periods; it refers to what is necessary in relation to the purpose. If another law requires personal data to be kept for a specified time, that constitutes a legal obligation under Article 6(1)(c) GDPR and is a valid reason to retain data.
It can therefore be permitted—and sometimes mandatory—to retain data longer than would otherwise be proportionate under the GDPR, provided another law requires it. In Sweden, examples include:
- Swedish Bookkeeping Act (1999:1078) — requires that accounting information, which may include personal data, be kept for at least seven years after the end of the financial year.
- Swedish Anti-Money Laundering Act (2017:630) — requires customer due diligence information and documentation of business relationships to be retained for five years after the customer relationship ends.
- Swedish Work Environment Act and employment law — may require records of workplace injuries, employment conditions and similar to be kept for longer—sometimes up to ten years or more.
These external requirements must be identified and clearly documented in the organisation’s GDPR compliance materials. In practice, the same personal data may be processed for multiple purposes and under different lawful bases, with different retention periods. Each processing operation must be isolated and assessed against its respective basis.
Organisations that fail to follow sector-specific retention duties, believing that the GDPR mandates immediate deletion, risk non-compliance outside data protection law. Conversely, keeping data without a valid purpose or a requirement under other law risks breaching the GDPR data minimisation and storage limitation principles.
Practical recommendations and your GDPR retention policy
Establishing a lawful basis is not enough—organisations must demonstrate that they apply storage limitation in practice. To ensure GDPR-compliant retention, organisations should:
- Map all categories of personal data and their purposes.
- Define retention periods or criteria for determining them (for example, in a GDPR retention policy or a GDPR data retention schedule).
- Implement technical solutions for automated disposal where appropriate.
- Train staff on retention principles, deletion and disposal.
- Inform data subjects of retention periods via the privacy notice.
- Consider archiving where immediate deletion is not appropriate.
- Ensure the right to erasure can be executed without undue delay.
Review these routines regularly, especially when purposes, technology or legal requirements change. New processing purposes may require existing retention periods to be reconsidered, and legislative changes may require shorter retention periods or faster deletion. A proactive review supports legal compliance and builds trust with data subjects and stakeholders.
Morling Consulting’s support
At Morling Consulting, our GDPR lawyers help organisations across Europe understand and apply the GDPR’s retention requirements—from analysing lawful bases to setting retention periods and implementing disposal routines.
Want to ensure your processing of personal data aligns with the GDPR without unnecessary risk? Contact us for legal advice that meets regulatory expectations and is practically deliverable.
10 March 2026