Frag-Einen

Ask a lawyer on the topic of Data protection law

How long may a company store personal data?

Dear Data Protection Lawyer,

I have a question regarding the handling of personal data in a company. In my case, it concerns a small to medium-sized enterprise that stores customer data for order processing and communication with customers. Now I am wondering how long the company is actually allowed to store this data before it must be deleted.

The current situation is as follows: The company stores customers' personal data, such as names, addresses, phone numbers, and email addresses, in an internal database. The data is used for order processing, sending information, and communicating with customers. So far, the data has never been deleted as there are no clear guidelines on this.

My concerns are that the company may be violating data protection laws if it stores the data for too long. Additionally, I fear that the data may fall into the wrong hands if it is not regularly deleted.

Therefore, my question is: How long can a company store personal data before it must be deleted? Are there any legal regulations or recommendations that the company should follow? What measures can be taken to ensure that the data is stored and managed appropriately and securely?

Thank you in advance for your help and support.

Sincerely,

Gerald Schulze

Andrea Schlattmann

Dear Mr. Schulze,

Thank you for your inquiry regarding the handling of personal data in your company. It is good that you are considering how long these data can be stored in order to avoid potential data protection violations. In fact, there are legal regulations that companies must adhere to when it comes to the storage of personal data.

According to the General Data Protection Regulation (GDPR), which has been in effect since May 2018, personal data may only be stored for as long as necessary for the respective processing purpose. This means that companies may not store the data longer than necessary for order processing, communication with customers, or other agreed purposes. Once these purposes are fulfilled, the data must be deleted.

Therefore, it is advisable to establish clear guidelines for the storage and deletion of personal data in your company. These guidelines should set out retention periods for different types of data and ensure that the data is regularly reviewed and deleted as needed. This way, you can ensure that you are acting in accordance with data protection laws and minimize the risk of data protection violations.

Furthermore, it is important to ensure that the stored data is appropriately and securely managed. This includes measures such as encrypting sensitive data, limiting access to the data to authorized employees only, and regularly reviewing security measures to ensure that the data is protected from unauthorized access.

Overall, it is important for your company to comply with legal requirements regarding data protection and take appropriate measures to ensure the security and integrity of the stored data. If you have any further questions or need assistance in creating data deletion policies, I am happy to help.

Best regards,

Andrea Schlattmann
Data Protection Lawyer
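As an added illustration of the retention-and-deletion guidelines the answer recommends (this is example code written for this page, not code from the lawyer or from any company mentioned), the script below models a small customer database, assigns each data category a retention period counted from the day its processing purpose ended, and runs a periodic review that deletes expired records. The categories, the retention periods in RETENTION_DAYS and the sample records are constructed assumptions for the demonstration; the actual periods a company must apply depend on its purposes and statutory obligations and are not stated on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical retention policy (assumption, not legal advice): how many days a
# record may be kept after the purpose it was collected for has been fulfilled.
RETENTION_DAYS = {
    "order": 365,      # order and delivery data, counted from order completion
    "marketing": 90,   # contact data for mailings, counted from consent withdrawal
    "support": 180,    # customer correspondence, counted from ticket closure
}


@dataclass
class Record:
    record_id: int
    category: str
    # Date the processing purpose ended; None means the purpose is still active
    # (e.g. an open order), so the record must not be deleted yet.
    purpose_ended: Optional[date]
    deleted: bool = False


def deletion_due_date(rec: Record) -> Optional[date]:
    """Return the date on which the record must be deleted, or None if its
    purpose is still active. Raises for categories without a policy so that
    unclassified data is never silently kept forever."""
    if rec.purpose_ended is None:
        return None
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        raise ValueError(f"no retention period defined for category {rec.category!r}")
    return rec.purpose_ended + timedelta(days=days)


def is_expired(rec: Record, today: date) -> bool:
    due = deletion_due_date(rec)
    return due is not None and today > due


def run_retention_review(records: List[Record], today: date) -> List[int]:
    """Delete every record whose retention period has run out and return the
    ids that were deleted, so the run can be logged as evidence of the review."""
    deleted_ids = []
    for rec in records:
        if not rec.deleted and is_expired(rec, today):
            rec.deleted = True  # in a real system: DELETE or anonymise the row
            deleted_ids.append(rec.record_id)
    return deleted_ids


def sample_records() -> List[Record]:
    """Constructed sample data for the demonstration."""
    return [
        Record(1, "order", date(2023, 1, 15)),       # completed long ago
        Record(2, "order", date(2023, 12, 1)),       # still within 365 days
        Record(3, "order", None),                    # open order, keep
        Record(4, "marketing", date(2024, 1, 10)),   # consent withdrawn, expired
        Record(5, "support", date(2024, 3, 1)),      # ticket closed recently
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    records = sample_records()
    print("deleted:", run_retention_review(records, today))
    for rec in records:
        if not rec.deleted:
            print(f"kept {rec.record_id} ({rec.category}), due {deletion_due_date(rec)}")
```

Run on the sample data with a review date of 2024-06-01, records 1 and 4 are deleted while records 2, 3 and 5 are kept. Scheduling such a review regularly (for instance with a cron job) and keeping the returned ids in a log gives the company both the deletion the answer calls for and a record that the review actually took place.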
