Updated: July 2026
Many companies overlook one of the most important aspects of data processing: data retention. They often store vast amounts of data without a clear idea of what they’re keeping or why.
This data can sit unused, with little thought given to the individuals whose information it holds. Data subjects are often unaware that their data sits in vulnerable folders, prone to leaks or loss on the web.
• Unclear retention policies create legal risk: many companies store personal data without defined retention periods. This can lead to non-compliance with GDPR and significant penalties, as seen in the €800,000 fine imposed on Discord by CNIL.
• GDPR requires purpose-driven data retention: under Article 5.1.e of the GDPR, data must be kept only as long as necessary for the purpose it was collected for. Organisations must actively define and document these timeframes.
• A formal data retention policy supports compliance: while GDPR doesn’t mandate a specific document, best practice shows that a written and implemented data retention policy is essential for demonstrating accountability.
The retention periods for the data companies process are often unregulated and poorly organised. This lack of regulation leads to ambiguity and inconsistency in how long data is kept, posing risks to both individuals’ privacy and companies’ compliance with data protection laws.
On 10 November 2022, the French Data Protection Authority (Commission Nationale Informatique & Libertés, CNIL) fined Discord €800,000 for multiple GDPR breaches.
One of these involved Discord’s failure to set and follow a suitable data retention period aligned with its intended purpose, as required under Article 5.1.e of the GDPR.
As a company, what should you do to comply with GDPR, or at least work toward it? The GDPR doesn’t specify what documentation you must have, but practice so far shows that a retention policy is the most important document you can have.
The General Data Protection Regulation (GDPR) sets guidelines for how businesses handle personal data, covering what information can be collected and for how long it can be kept.
A strong data retention policy needs to reflect three GDPR principles: storage limitation, minimisation, and accuracy. Our data flow mapping guide explains how to identify what data you hold before you set retention periods for it.
• Storage limitation means personal data isn’t held for longer than necessary
• Minimisation means collecting only the bare minimum of data you need
• Accuracy means keeping information precise, current, and reliable
Personal data processing must be appropriate, relevant, and limited to what’s necessary for the specific purpose at hand. Your business should only handle personal data that’s necessary for its operations.

The GDPR doesn’t set a specific duration for retention. Instead, it requires that data be held for no longer than necessary for the purpose it was collected for. Each company must work out this period itself, taking into account any other relevant laws.
For example, where an organisation holds financial information, Anti-Money Laundering legislation may require customer financial data. That data must be retained for 5 years after the end of the customer relationship.
In cases like this, the retention period can extend up to that legal minimum. But it should go no further than what the law or the original purpose actually requires.
Whether you have questions about your data retention policy, or need help with compliance documents, get in touch with us. You can also check our GDPR compliance checklist for a broader view of what your organisation needs in place.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
A data retention policy helps organisations work out how long they need to keep personal data. Also when it should be safely deleted, so they stay compliant with legal and regulatory requirements.
The GDPR doesn’t explicitly require a written retention policy, but having one is strongly recommended. It demonstrates accountability and helps meet your compliance obligations.
No. Even if data is stored securely, the GDPR requires it to be retained only as long as necessary for the purpose it was collected for. Indefinite storage is generally not allowed.
Organisations must look at the original purpose of the data collection, relevant legal or contractual obligations, industry standards, and risk factors to set a justifiable retention period.
Whether you have questions regarding the Data Retention Policy or need assistance with compliance documents, reach out to us.