For selected purposes in a GDPR and UK-GDPR compliant privacy statement, you will need to determine the data retention period. The data retention period is specific to the purpose you have selected. The GDPR does not mention specific periods, but it does set out the principle of storage limitation (source: GDPR art. 5.1.e).
This means that
- You are not allowed to keep personal data for longer than you need it.
- You might need to document (in records of processing activities) how long you keep personal data and be able to justify that retention period.
- Based on the envisaged time limits, you must make sure that the different categories of data are actually erased.
- You need to inform the data subject about the data retention period. Complianz enables you to do this in the privacy statement (source: GDPR art. 13.2.a).
One reason for a particular retention period might be that you are legally obligated to store data concerning taxes and transactions for audit purposes. In the Netherlands, for example, this period is seven years. This does not mean you need to store all data for this period, but only the data that is relevant to a possible audit.
A common answer, and one with reasonable justification, is to store all data until the service is completed or terminated, plus three months for any data that is not relevant to your local legal requirements. This allows you to audit and delete such data every three months. For the other data sets, you follow the requirements set by your local authorities.
