Data retention under EU GDPR — the storage limitation principle
The storage limitation principle in Article 5(1)(e) of EU GDPR requires personal data to be kept no longer than is necessary for the purposes for which it is processed. Without a documented retention schedule, the practical default in most organisations is indefinite retention, which breaches the principle because nobody can show why each category is still needed. For AML-regulated firms, the apparent conflict between AMLD4/5 retention obligations and GDPR storage limitation must be documented and resolved in the retention policy.
The storage limitation principle
Article 5(1)(e) requires personal data to be kept in a form permitting identification of data subjects for no longer than is necessary for the purposes for which it is processed. Organisations should define a retention period, or documented criteria for determining one, for each category of personal data, and apply it consistently; Articles 13(2)(a) and 14(2)(a) require the privacy notice to state that period or those criteria. The regulation requires the ability to justify retention, not a formally prescribed period in every case. Retention purely as a precaution ("it might be useful one day") without a documented justification is not compliant.
No universal EU retention periods
EU GDPR does not prescribe specific retention periods for most categories of data. Member state law often does — German HGB requires commercial records for six or ten years depending on type; French tax law specifies retention for accounting records; Irish employment law implies retention periods from limitation periods for employment claims. Organisations must determine appropriate periods based on EU GDPR principles, applicable member state law, professional standards, and the consequence of retaining data too long.
Building a retention schedule
A retention policy must contain a schedule mapping each data category to a defined period (or the criteria used to determine it), the trigger event the period runs from (end of client relationship, end of financial year, last contact), the basis for that period (legal obligation, limitation period, business need), and the destruction method at the end of the period. The schedule should derive from the Record of Processing Activities (ROPA) kept under Article 30: every processing activity in the ROPA needs a corresponding retention entry, and a category that appears in the ROPA with no retention entry is a gap to close.
AMLD4/5 retention conflict for regulated firms
EU-regulated professional services firms — accountants, lawyers, financial advisers — must retain Customer Due Diligence (CDD) records for five years from the end of the client relationship under AMLD4/5 and the national implementing legislation (which may set a different period). This appears to conflict with GDPR's storage limitation principle and with erasure requests from former clients. The conflict is resolved by Article 17(3)(b), which disapplies the right to erasure where processing is required by a legal obligation under Union or member state law; the AML obligation is itself the purpose that makes the retention necessary. This must be documented in the retention policy, reflected in the privacy notice, and applied consistently and only to the CDD data the AML obligation actually covers: the exemption does not extend to other data held about the same client. At the end of the period the CDD records must be destroyed and the destruction recorded.
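The schedule structure described under "Building a retention schedule" and the category-specific CDD period above can be checked mechanically. The following Python is an added illustration, not code from the original page: it models a retention schedule keyed by data category, flags ROPA activities whose categories have no retention entry, computes the destruction due date from the trigger event, and returns destruction-log entries for records whose period has expired. The schedule, ROPA and records are constructed sample data; only the five-year CDD period comes from the page, and the other periods and names are hypothetical.

```python
"""Retention schedule enforcement: ROPA coverage check and destruction due dates."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    category: str     # data category as named in the ROPA
    years: int        # retention period in years
    runs_from: str    # trigger event the period runs from
    basis: str        # legal obligation / limitation period / business need
    destruction: str  # destruction method applied at period end


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date  # date of the trigger event, e.g. end of client relationship


# Constructed schedule. The CDD period is the AMLD4/5 five years from the page;
# the other two rules are hypothetical illustrations, not legal advice.
SCHEDULE = {
    "cdd_records": RetentionRule(
        "cdd_records", 5, "end of client relationship",
        "legal obligation: AMLD4/5 and national implementing law (GDPR Art. 17(3)(b))",
        "secure deletion; entry written to destruction log"),
    "accounting_records": RetentionRule(
        "accounting_records", 10, "end of financial year",
        "legal obligation: member state commercial/tax law (hypothetical period)",
        "secure deletion; entry written to destruction log"),
    "marketing_consents": RetentionRule(
        "marketing_consents", 2, "last contact",
        "business need (hypothetical period)",
        "deletion from CRM; entry written to destruction log"),
}

# Constructed ROPA excerpt: processing activity -> data categories it uses.
# "applicant_cvs" has no retention rule and should be reported as a gap.
ROPA = {
    "client onboarding": ["cdd_records"],
    "bookkeeping": ["accounting_records"],
    "newsletter": ["marketing_consents"],
    "recruitment": ["applicant_cvs"],
}

# Constructed records (hypothetical identifiers and dates).
RECORDS = [
    Record("cdd-0001", "cdd_records", date(2019, 3, 31)),         # due 2024-03-31
    Record("cdd-0002", "cdd_records", date(2021, 6, 30)),         # due 2026-06-30
    Record("mkt-0001", "marketing_consents", date(2022, 2, 28)),  # due 2024-02-28
]

AS_OF = date(2024, 6, 1)  # review date used by the stand-alone run and the checks


def ropa_gaps(ropa, schedule):
    """Categories used by some ROPA activity that have no retention rule."""
    return sorted({c for cats in ropa.values() for c in cats if c not in schedule})


def add_years(d, n):
    """Add n years to a date; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def destruction_due(record, schedule):
    """Date on which the record's retention period ends; fails loudly for unscheduled categories."""
    rule = schedule.get(record.category)
    if rule is None:
        raise KeyError(f"no retention rule for category {record.category!r}")
    return add_years(record.trigger_date, rule.years)


def due_for_destruction(records, schedule, today):
    """Identifiers of records whose retention period has expired on `today`."""
    return [r.record_id for r in records if destruction_due(r, schedule) <= today]


def destroy(records, schedule, today):
    """Simulate end-of-period destruction and return the destruction-log entries."""
    log = []
    for r in records:
        if destruction_due(r, schedule) <= today:
            rule = schedule[r.category]
            log.append({"record_id": r.record_id, "category": r.category,
                        "destroyed_on": today.isoformat(),
                        "method": rule.destruction, "basis": rule.basis})
    return log


if __name__ == "__main__":
    print("ROPA categories without a retention rule:", ropa_gaps(ROPA, SCHEDULE))
    print("Due for destruction on", AS_OF, ":", due_for_destruction(RECORDS, SCHEDULE, AS_OF))
    for entry in destroy(RECORDS, SCHEDULE, AS_OF):
        print(entry)
```

Two design points matter here. The AML basis is attached to the cdd_records category alone, so the Article 17(3)(b) justification cannot leak onto unrelated data about the same client; and a record whose category has no schedule entry raises rather than silently being retained forever, which is exactly the indefinite-retention default the principle forbids. The destruction-log entries carry the basis and method so the destruction itself is evidenced.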
Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.