How long can personal data be kept for under GDPR?

Our GDPR lawyers assess the storage of personal data, retention periods and lawful basis

What is a reasonable retention period?

Under the General Data Protection Regulation (GDPR), personal data may only be retained for as long as it is necessary for the purpose for which it was collected. This raises common questions for many organisations: how long can personal data be kept for, when must personal data be deleted, and what constitutes a reasonable retention period?

GDPR imposes strict requirements to ensure that personal data is not retained longer than necessary. The objective is to protect privacy by ensuring that personal data is not used beyond its original purpose.

 

Working Method for Retention and Deletion


We identify which registers and systems are covered, and which purposes actually justify retention, so the work focuses on the right amount of information.


We review which rules affect retention periods and deletion in your business, and link them to the lawful basis and information requirements toward data subjects.


We develop practical deletion routines or principles for setting retention periods, and phrase them so they can be approved internally and communicated clearly externally.


We translate the decisions into practical measures such as deletion, access control, and documentation, so retention and deletion also work in day-to-day operations.


We establish ongoing checks and a simple governance model to detect deviations, handle new purposes, and keep policies updated over time.


How long can personal data be kept for: the core GDPR rule

Organisations must be able to justify their retention of personal data under GDPR. It is not permissible to retain information “in case it is needed later”. Central considerations include how long personal data can be kept, how long companies may retain personal data under GDPR, and the practical governance of personal data storage.

GDPR requires retention periods to be determined and documented, for example in an internal policy for processing personal data. Retention periods—or, where these cannot be set in advance, the criteria for determining them—must be available to the individuals whose personal data is processed.

 

To determine a reasonable retention period, organisations should consider:

  • The purposes for which the personal data is collected.
  • Legal requirements to retain certain data (for example, the Accounting Act or the Anti-Money Laundering Act).
  • Whether personal data storage is proportionate and governed by clear procedures.

Our team helps you establish lawful bases for storage of personal data and provides advisory support on questions such as how long personal data can be kept.

Disposal of personal data under GDPR

Disposal and deletion are closely related but distinct concepts. While deletion under GDPR concerns removing specific personal data, disposal is a broader concept primarily used in the public sector and in records management. Disposal may involve:

  • Destruction of public documents pursuant to a disposal decision.
  • Restricting the ability to search for and compile certain information.

Disposal decisions are often based on legislation and defined criteria, whereas deletion under GDPR primarily concerns removing personal data from systems and registers. We help ensure the correct processes for disposal and deletion are applied in line with applicable law.

Morling Consulting – clear answers on how long personal data can be kept

Morling Consulting provides specialist expertise in GDPR and personal data handling across Europe. We help your organisation understand the rules on retention periods, deletion and disposal of personal data. Our lawyers ensure your procedures for how long personal data is kept align with GDPR requirements.

Our services include:

  • Advisory support on personal data storage and retention.
  • Implementation of GDPR-compliant deletion routines.
  • Drafting internal policies for processing personal data.
  • Preparing information for data subjects, for example a privacy notice.
  • Audits and compliance reviews.

Contact Morling Consulting today for robust, compliant personal data governance under GDPR. We ensure your organisation works proactively and correctly with storage of personal data, disposal and deletion.

Frequently asked questions on how long personal data can be kept

Under GDPR, personal data may only be kept for as long as necessary for the specific purpose for which it was collected. This means that:

  • Organisations must have a documented retention period.
  • It is not permitted to keep data “just in case”.
  • When the purpose ends, the data must be deleted or anonymised.

Retention periods are driven by business needs and legal obligations. Key factors include why the personal data was collected, whether there are legal duties—such as the Accounting Act, employment law or the Anti-Money Laundering Act—and what information was provided to data subjects at collection.

Personal data must be deleted when:

  • It is no longer needed for the purpose it was collected for.
  • The data subject withdraws consent.
  • The data subject objects to processing and there are no legitimate grounds to continue.
  • Deletion is required by law.

No. GDPR permits personal data to be stored only for as long as there is a clear purpose. Retaining data “just in case” or “for future use” is not permitted unless there is a lawful basis for doing so.

Deletion means removing personal data from systems, registers and databases in line with GDPR. Disposal is a broader concept, mainly used in the public sector, and means information is destroyed, archived or made inaccessible, often based on legal requirements or internal decisions.

We support you end-to-end, including:

  • Legal analysis of your current routines.
  • Development of retention principles and documentation.
  • Implementation of policies for storage of personal data, disposal and deletion.
  • Support with compliance checks and audits.

Organisations must demonstrate compliance with the storage limitation principle. This is achieved by:

  • Documenting retention periods in internal policies or records of processing activities.
  • Creating a clear link between each data type and its purpose.
  • Describing how and when deletion takes place.

Yes. Under GDPR’s transparency principle, organisations must inform data subjects how long their personal data will be retained. Where an exact period cannot be specified, the criteria used to determine the retention period must be described.

Retaining personal data longer than necessary breaches GDPR and can have serious consequences. It may lead to supervision by the Swedish Data Protection Authority (IMY), a risk of administrative fines, and damaged trust from customers and partners. We can help you mitigate these risks by establishing clear routines and providing legal advice.

Examples include:

  • Developing a policy for storage and deletion of personal data.
  • Reviewing which data may be retained and for how long, based on legislation and business needs.
  • Updating information provided to data subjects, for example in a privacy notice.
  • Reviewing how the right to deletion is handled in practice.

Speak to a GDPR lawyer

Do you need to assess the storage of personal data or retention periods? Contact us to discuss
