How long can personal data be kept for under GDPR?
What is a reasonable retention period?
Under the General Data Protection Regulation (GDPR), personal data may only be retained for as long as it is necessary for the purpose for which it was collected. This raises common questions for many organisations: how long can personal data be kept for, when must personal data be deleted, and what constitutes a reasonable retention period?
GDPR imposes strict requirements to ensure that personal data is not retained longer than necessary. The objective is to protect privacy by ensuring that personal data is not used beyond its original purpose.
How long can personal data be kept for: the core GDPR rule
Organisations must be able to justify their retention of personal data under GDPR. It is not permissible to retain information “in case it is needed later”. Central considerations include how long personal data may be kept, how long companies may retain personal data under GDPR, and the practical governance of personal data storage.
GDPR requires retention periods to be determined and documented, for example in an internal policy for processing personal data. Retention periods—or, where these cannot be set in advance, the criteria for determining them—must be available to the individuals whose personal data is processed.
To determine a reasonable retention period, organisations should consider:
- The purposes for which the personal data is collected.
- Legal requirements to retain certain data (for example, the Accounting Act or the Anti-Money Laundering Act).
- Whether personal data storage is proportionate and governed by clear procedures.
Our team helps you establish lawful bases for storage of personal data and provides advisory support on questions such as how long personal data can be kept.
GDPR: deleting personal data
The right to have personal data deleted, also known as the “right to be forgotten”, is a central part of GDPR. This means personal data must be deleted when it is no longer necessary for the purposes for which it was collected, or when the data subject so requests, provided there are no legal obligations that prevent deletion.
GDPR requires ongoing deletion of personal data. Personal data must be deleted when:
- The data is no longer necessary.
- Consent is withdrawn and there is no other lawful basis.
- The data subject objects to processing and there are no overriding grounds to retain the data.
There are also circumstances in which deletion is not permitted, regardless of the data subject’s request. Exceptions apply where:
- There are legal requirements that prevent deletion (for example, the Accounting Act or the Anti-Money Laundering Act).
- The data is needed to establish, exercise or defend legal claims.
Deleting personal data at the right time is essential to comply with GDPR and other applicable legislation. Our experts help you implement processes to manage deletion correctly and ensure ongoing compliance.
Disposal of personal data under GDPR
Disposal and deletion are closely related but distinct concepts. While deletion under GDPR concerns removing specific personal data, disposal is a broader concept primarily used in the public sector and in records management. Disposal may involve:
- Destruction of public documents pursuant to a disposal decision.
- Restricting the ability to search for and compile certain information.
Disposal decisions are often based on legislation and defined criteria, whereas deletion under GDPR primarily concerns removing personal data from systems and registers. We help ensure the correct processes for disposal and deletion are applied in line with applicable law.
Morling Consulting: clear answers on how long personal data can be kept
Morling Consulting provides specialist expertise in GDPR and personal data handling across Europe. We help your organisation understand the rules on retention periods, deletion and disposal of personal data. Our lawyers ensure your procedures for retaining personal data align with GDPR requirements.
Our services include:
- Advisory support on personal data storage and retention.
- Implementation of GDPR-compliant deletion routines.
- Drafting internal policies for processing personal data.
- Preparing information for data subjects, for example a privacy notice.
- Audits and compliance reviews.
Contact Morling Consulting today for robust, compliant personal data governance under GDPR. We ensure your organisation works proactively and correctly with storage of personal data, disposal and deletion.
FAQs: how long can personal data be kept for?
Under GDPR, personal data may only be kept for as long as necessary for the specific purpose for which it was collected. This means that:
- Organisations must have a documented retention period.
- It is not permitted to keep data “just in case”.
- When the purpose ends, the data must be deleted or anonymised.
Retention periods are driven by business needs and legal obligations. Key factors include why the personal data was collected, whether there are legal duties—such as the Accounting Act, employment law or the Anti-Money Laundering Act—and what information was provided to data subjects at collection.
Personal data must be deleted when:
- It is no longer needed for the purpose it was collected for.
- The data subject withdraws consent.
- The data subject objects to processing and there are no legitimate grounds to continue.
- Deletion is required by law.
No. GDPR requires personal data storage only for as long as there is a clear purpose. Retaining data “just in case” or “for future use” is not permitted unless there is a lawful basis for doing so.
Deletion means removing personal data from systems, registers and databases in line with GDPR. Disposal is a broader concept, mainly used in the public sector, and means information is destroyed, archived or made inaccessible, often based on legal requirements or internal decisions.
We support you end-to-end, including:
- Legal analysis of your current routines.
- Development of retention principles and documentation.
- Implementation of policies for storage of personal data, disposal and deletion.
- Support with compliance checks and audits.
Organisations must demonstrate compliance with the storage limitation principle. This is achieved by:
- Documenting retention periods in internal policies or records of processing activities.
- Creating a clear link between each data type and its purpose.
- Describing how and when deletion takes place.
Yes. Under GDPR’s transparency principle, organisations must inform data subjects how long their personal data will be retained. Where an exact period cannot be specified, the criteria used to determine the retention period must be described.
Retaining personal data longer than necessary breaches GDPR and can have serious consequences. It may lead to supervisory action by the Swedish Data Protection Authority (IMY), a risk of administrative fines, and damaged trust from customers and partners. We can help you mitigate these risks by establishing clear routines and providing legal advice.
Examples include:
- Developing a policy for storage and deletion of personal data.
- Reviewing which data may be retained and for how long, based on legislation and business needs.
- Updating information provided to data subjects, for example in a privacy notice.
- Reviewing how the right to deletion is handled in practice.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85