Beltug Paper: ‘Best practices for defining data retention periods’
The GDPR states that the personal data a company collects can only be kept for as long as it is needed for the purposes for which it was processed, but it doesn’t indicate how long this is.
08 / 02 / 22
In fact, organisations collect many types of personal data, for many purposes. This means that retention periods for each situation must be defined.
While the Data Protection Officer (DPO) or Privacy Manager will certainly be involved, this initiative will require a collaboration between various stakeholders, which may include the business and the legal department, for example.
To help our members, Beltug has drafted a Paper that shares guidelines on how to define retention periods, with some best practices. These are based on the experiences of several Beltug members, as well as on insight from the Beltug Privacy Council, guidelines from the Data Protection Authorities (DPA) of member states and the European Data Protection Board, statutory retention periods in member states and guidelines from sector federations.
The Paper is available to our members after log in.