Argana Consulting GmbH 
Retention periods from the perspective of the GDPR

Retention periods, from the perspective of the General Data Protection Regulation (GDPR), refer to the length of time for which personal data may be stored. The GDPR requires that personal data be stored only for as long as is necessary for the purpose for which it was collected or otherwise processed.

Retention periods may vary depending on the type of personal data and the purpose for which it is processed.

The GDPR does not specify any concrete periods, but requires that data controllers determine retention periods in relation to the type of personal data and the purpose of the processing.

Some factors that should be considered when determining retention periods are:

  • The purpose for which the data was collected or processed
  • The type of personal data
  • The legal requirements for the storage of certain types of data
  • The need to store the data in order to protect the legitimate interests of the data controller or third parties
  • The necessity of storing personal data for the purpose of processing contracts

It is important that data controllers have a clear policy for the retention of personal data, and that this policy is regularly reviewed and updated to ensure that retention periods remain in line with GDPR requirements. This policy should be managed in the data protection management system (DPMS).


Retention periods under the GDPR vs. information security

There are usually some differences in the way retention periods are implemented and enforced under the GDPR and under an information security management system (ISMS). While the GDPR sets out general principles for the retention of personal data, an ISMS usually defines specific procedures and processes for the retention of data in order to ensure adequate data security.

An ISMS may also have specific requirements for retention periods based on the organisation's security needs and the requirements of other relevant standards such as ISO/IEC 27001.

The retention periods in the ISMS are usually determined by the company on the basis of various factors such as legal requirements, regulatory provisions, business needs and risk analysis. It is important to emphasise that the retention periods in the ISMS may go beyond the GDPR requirements in order to support additional data security protection measures.

It is recommended that companies keep a list of retention periods, align it with the regulatory and legal requirements of both the ISMS and the GDPR, and document it in the respective management systems.