Storage limitation
Storage limitation (Article 5(1)(e)) means personal data must not be kept longer than necessary for the purpose; once no longer needed, it must be securely deleted or anonymised. Controllers should set retention periods, check for statutory retention requirements, and define a data retention policy with controls (including deleting from backups and third-party clouds). An exception allows longer storage solely for archiving in the public interest, scientific/historical research or statistical purposes. Irreversibly anonymised data may be kept indefinitely.
Article 5(1)(e): data must be kept in a form permitting identification for no longer than is necessary. Once the purpose is met, securely delete or anonymise. Set internal retention periods when the law is silent, and review them as the legal landscape changes.

| Step | What the controller does |
|---|---|
| Identify purpose(s) | Limit keeping to the period the data is actually needed |
| Check the law | Apply any statutory retention periods (tax, health & safety, employment) - including local laws for global orgs |
| Law silent? | Set internal retention periods; document in a data retention policy |
| Enforce deletion | Controls so data is actually deleted - including from backups and third-party clouds |
| Review | Regularly update the policy; delete or anonymise once periods expire |

Data may be stored longer only when processed solely for archiving in the public interest, scientific/historical research, or statistical purposes. Otherwise, indefinite retention is permitted only where data is irreversibly anonymised.
Once recruitment ends, data of unsuccessful candidates must not be kept - unless the candidate consents to remain in the database for future roles. This is storage limitation, not data minimisation.