How long can personal data be stored?


The GDPR Regulation on the protection of personal data has significantly changed the way data relating to natural persons is obtained and stored. Personal data held by entrepreneurs is subject to specific regulations and rules; under those rules it cannot be stored indefinitely.

Data storage is kept to a minimum

The provisions of the GDPR Regulation introduce a definition of personal data, according to which it is any data that identifies a natural person or enables such identification. It is not limited to name and surname, address, PESEL number or ID card number; it also includes a person's image, trade union membership, ethnic origin or philosophical beliefs. Contrary to popular belief, the GDPR protects not only natural persons but also business entities, if their data contains information relating to natural persons (e.g. a partnership whose name contains the names of its partners, or a company registered at the home address of one of the partners).

Recital 39 of the GDPR (extracts)
"Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. (...) Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. (...) Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, the controller should establish time limits for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. (...)"

The recitals of the GDPR Regulation contain general principles that should be followed by entities processing personal data. The most important of them is data minimisation: the entrepreneur should collect from clients, employees and contractors only the data that is actually necessary to achieve the purpose for which it is obtained (e.g. fulfilling a client's order, employing a worker, establishing business cooperation with another entity). The provisions of the GDPR specify neither the exact scope of data nor the exact methods of protecting it; each data controller must independently decide which measures are most appropriate for their business and adapt the security to their needs.

The minimisation principle also applies to the period for which personal data is stored. The provisions of the GDPR do not directly impose an exact time, indicating only that this period should be limited to the "strict minimum".

Article 5(1)(e) of the GDPR Regulation - Principles relating to the processing of personal data
"Personal data shall be:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 sec. 1, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation')."

How long can personal data be stored?

The indications contained in the recitals of the GDPR Regulation are made concrete in Art. 5(1)(e): in accordance with the cited provision, personal data within the meaning of the GDPR Regulation (i.e. all data relating to natural persons) may be stored only for the period necessary to fulfil the purposes for which it was collected. Again, as with the scope of data and the measures to protect it, the GDPR Regulation does not impose a specific storage period and does not indicate a limit in months or years; each data controller must independently decide how long the data they collect will be stored. This period must be kept to a minimum: the data cannot be stored for decades, let alone indefinitely. The data controller may not state in consents or information clauses that the data will be stored indefinitely; such a clause will not have the intended legal effect. A breach of the storage limitation principle, especially where the entrepreneur cannot justify an excessively long storage period, may result in a financial penalty being imposed on the data controller.


The correct duration of personal data storage is also influenced by other factors, above all by any special provisions (i.e. those resulting from other acts, for example the provisions of the Accounting Act on the minimum period for keeping accounting books). In each case, the entrepreneur should also take into account the provisions of the Civil Code on the limitation of claims. Because of possible court proceedings, the data should be stored for as long as is necessary until the limitation period expires, both for the controller's own claims and for claims against the controller. For the vast majority of entrepreneurs, this period will be three years.

Example 1.

Jan Nowak runs an online store. In order to fulfil orders placed by customers, he obtains from them the data necessary to complete the transaction and ship the order to their address. He should not store the data obtained in this way for 10 or 15 years; the most appropriate storage period in this case would be three years, counted from the moment the contract was performed.

The data controller should remember that, for the whole storage period, the data must remain covered by the protection measures that the entrepreneur is obliged to introduce to ensure data security.

After the expiry of the storage period, the controller is obliged to delete the data; in practice this means removing it from all systems and media that the entrepreneur uses to store it.

Important!
According to the principle of storage limitation, the data controller cannot store the collected data indefinitely. The storage period should be adapted to the purposes for which the data was collected.

The only exception resulting from the GDPR regulation concerns the storage of data for the purposes of:

  • archival (only in the public interest);

  • scientific or historical research;

  • statistical.

In such cases, personal data may be kept for longer than the "minimum" period, although even then it should not be kept indefinitely or without limit. At the same time, the data controller is then obliged to provide additional technical and organisational measures to ensure the appropriate level of security of the stored data and to protect the rights and freedoms of the persons concerned.

Attention!
If the basis for the collection and storage of personal data is the consent of a natural person, withdrawal of that consent requires the data controller to delete the data from their database, regardless of the storage period the data controller has set.

How long can personal data collected before May 25, 2018 be kept?

With regard to data obtained by the data controller before May 25, 2018, i.e. before the date the GDPR entered into application, each entrepreneur must consider whether it was collected in accordance with the rules set out in the currently applicable regulations. If the entrepreneur has acquired more data than necessary, the most appropriate solution is to delete the excess. If the data subject has not consented to the collection and storage of the data, the data controller should ensure that appropriate consent is obtained or, where necessary, updated. Data collected before the above-mentioned date should not be stored indefinitely either; the controller must adjust its storage period to the new rules.