One of the recurring situations found within companies is the lack of a data retention period or retention periods that are not clearly established, despite what was already required by the law No. 78-17 of 6 January 1978 on data processing, files and freedoms and Directive 95/46/EC.
From now on, practices will have to change considering one of the main principles of the GDPR, established in Article 5 [1], is the principle of limiting retention period. This principle [2] states that data must be kept in a form which allows the identification of the person for no longer than is necessary for the purpose of the processing.
For example, it is not necessary to keep the CV of an unsuccessful applicant who will not be offered any other position : the purpose being the recruitment, if the applicant is not and will not be selected for any job, it is no longer necessary to keep his/her CV (Do you keep business cards of people whose activities do not interest you and whom you will never call back? Q.E.D).
The principle is quite straightforward: the duration of data retention must be limited to the strict minimum. Therefore, once the purpose of the processing operation for which the data have been collected has been achieved, it is no longer necessary to keep the data. In many cases, retention periods are set numerically by a regulatory act or according to the recommendations of a data protection authority. But it is also possible that this duration is not defined numerically but according to a factual situation (e.g. retention of data for the duration of the business relationship or the duration of the operation).
It is therefore up to the controllers, before setting a storage period, to ensure that a legal provision has not preceded them on this point (Dura lex sed lex).
When to delete the data?
The principle is simple, it is necessary to delete the data:
Nevertheless, like Albert Einstein who demonstrated that time was relative, the same applies to the length of time the data are kept and therefore when they are deleted. Indeed, the data life cycle may evolve depending on the specific situation.
It may be possible, or even compulsory for the controller, not to delete the data immediately at the end of the data storage period, if the situation allows it.
What are these situations where it is possible to extend the data retention period?
Several exceptions allow data to be retained beyond the original retention period:
Additional situations may justify the retention of data by the controller. Indeed, beyond the exceptions provided for by law, the CNIL has recognised the possibility of storing data in certain circumstances, subject to appropriate safeguards.
What are the possible storage options once the purpose has been achieved so that the data is not deleted immediately?
In its deliberations, the CNIL distinguished several levels of archiving [8][9]:
The first level is active database archiving: it is the storage of data in a database currently used and available to operational staff to carry out their daily tasks. In this case, the data are kept because they fulfil a specific purpose set by the controller and based on a legal basis (for example: provide a service or good under the performance of a contractual measure, contact the person because he or she has consented to it, etc.).
The second level is intermediate archiving: this is the case where the data are no longer necessary because the purpose for which they were collected has been achieved or no longer exists, but there is still a need for the controller to keep them, in particular in consideration of certain “administrative interests”. These “administrative interests” are to be understood as the interest of the controller in complying with a legal obligation and/or defending himself from litigation/ asserting a right. Indeed, for reasons related to evidentiary matters, the storage period of certain data may be extended up to the limitation periods applicable in the relevant field(s) (civil, fiscal, commercial, etc…).
An example is the financial data of a customer in the context of a purchase online. In this context, the purpose of collecting and processing the buyer’s bank details is to make the payment for the purchase. In principle, therefore, data should only be kept for the time necessary for the payment transaction. However, for reasons of proof in the event of disputes about payment, it is possible (and legitimate) for the controller to keep the bank details for 13 months and this additional archiving will be done on an intermediate database (the limitation period for these actions being 13 months [10]).
Be careful, only those data that are strictly necessary for the purpose of intermediate archiving should be kept. Thus, a selection must be made by the controller between the archived data and those that will be deleted because they are not necessary to protect themselves from litigation. In addition, once the limitation period has expired, the archived data should be deleted if the objective was to avoid litigation.
Permanent archiving: This refers to data whose nature justifies that they should not be destroyed. To fall into this category, the archiving in question must be in the “public interest” or of statistical, historical or scientific interest. These archives are managed by the “territorially competent archives services” and fall under the Heritage Code [11].
At the end of the initial storage period or when archiving for administrative purposes is no longer necessary, the data should be permanently deleted. There are two solutions: outright deletion or anonymization.
The GDPR provides a definition of anonymous data [12]. By definition, anonymous data is:
Attention, if the anonymised data are outside the application of the GDPR, the anonymisation operation is on the other hand considered as a data processing operation.
How to determine if an anonymization process is effective?
According to G29[13], the effectiveness of anonymisation is measured by taking into account the possibility for the controller to identify the person by having recourse to all means likely to be reasonably implemented.
In addition, there are three other cumulative criteria for assessing the effectiveness of an anonymization technique:
Thus the data life cycle can be divided into several phases. The data are assigned storage periods for the purposes for which they are collected, but it will also be possible or mandatory to extend the time for their deletion depending on the situation.
1],[2], [3] Article 5.e of the Regulation (EU) 2016/679 of the european parliament and of the council of 27 april 2016.
[4] Article 6.4 of the Regulation (EU) 2016/679 of the european parliament and of the council of 27 april 2016.
[5] Article 40-1 II of law No. 78-17 of 6 January 1978 on data processing, files and freedoms.
[6] Article L34-1 V of the postal and electronic telecommunications code.
[7] Article L34-1 V of the postal and electronic telecommunications code.
[8] Deliberation No. 88-52 of 10 May 1988 adopting a recommendation on the compatibility between laws No. 78-17 of 6 January 1978 on data processing, files and freedoms, and No. 79-18 of 3 January 1979 on archives.
[9] Deliberation No. 2005-213 of 11 October 2005 adopting a recommendation on the procedures for the electronic archiving of personal data in the private sector.
[10] Article L133-27 of the Monetary and Financial Code.
[11] Article L211-1 et seq. of the Heritage Code.
[12] Recital 26 of the Regulation (EU) 2016/679 of the european parliament and of the council of 27 april 2016.
[13] Opinion 05/2014 on anonymization techniques of the Article 29 Data Protection Working Party.