Guide: Retention Policy

Generally, an organisation will have a single retention policy which incorporates any regulation-specific requirements. The following should be considered when updating your organisation’s retention policy with the GDPR’s requirements.

Introduction (or Policy Statement)

Through its principle of ‘storage limitation’ the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes.

‘Storage limitation’ must be considered together with the provision commonly called ‘the right to be forgotten’. The GDPR states that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.


This policy applies to all personal data in whatever form whether digital or physical that is collected, used, transferred, stored or deleted by our organisation.

This policy applies to all our employees, contractors and processors who may be processing personal data on behalf of our organisation


personal data; special category data; restriction of processing; pseudonymisation; filing system; processor; information owner


Information owners shall take full responsibility for guiding and managing the lifecycle of relevant personal data.

Consider that you may need to:

Identify all instances where personal data is retained.

Confirm that the proper lawful basis for processing is applied.

Confirm that the retention periods are valid.

Confirm that the appropriate safeguards are in place for any personal data that is archived.

Confirm that the records are covered in the disposal/destruction policy and procedure.

Associated Documents

Retention Schedule – if not already done, ensure that all instances of personal data have been incorporated into the organisation’s retention schedule.

For further help, see our article on Retention of Personal Data here

The content herein is provided for your convenience and does not constitute legal advice.

Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.