plazos conservación

This post is also available in: Español

One of the obligations of the data protection regulations that causes most headaches for those responsible for implementing them is restricting data storage periods and subsequently blocking and erasing them. The aim of the obligation to store personal data on a restricted basis is to avoid personal data being processed for longer than strictly necessary for the purpose for which they were collected. Once the personal data are no longer necessary for this purpose, they must be erased or blocked and subsequently deleted once they are no longer necessary for the purpose for which they were blocked.

This obligation has gained importance since the General Data Protection Regulation (“GDPR”) came into effect and became fully applicable. The Spanish regulations previously considered the breach of the storage periods established to delete the documents containing personal data or the non-existence of a storage periods policy as a serious breach subject to a fine of up to €300,000.

Nonetheless, the GDPR’s principles, the cornerstone of data protection, include restricting the storage period (Article 5.1.e of the GDPR). Therefore, breaching storage periods is now classified as very serious and subject to the maximum penalty established, i.e., a fine of up to €20 million or an equivalent amount of up to 4% of the total global annual turnover in the previous financial year.

This change in how serious these breaches are viewed means both data controllers and data protection authorities are paying more attention to storage periods. In fact, while, before the GDPR, it was not one of the most sanctioned breaches, it is now starting to be one of the first issues identified by the authorities when inspecting a data controller.

The Spanish Data Protection Agency (“AEPD”) recently sanctioned a company for storing a former client’s data for longer than usual despite having a storage period policy, which it had not applied in that case. The AEPD is not the only authority to have recently detected and sanctioned breaches of this nature, however.

In May 2019, the French data protection authority imposed a fine of €400,000 for storing candidates’ CVs for longer than necessary. Shortly after, Berlin’s data protection authority imposed a fine of over €14 million for a series of breaches, including storing health data for longer than necessary. Following suit, in June 2020, the Hungarian data protection authority issued a fine for €288,000. In this case, the sanctioned company had stored personal data without ever having restricted the storage period and, therefore, without having deleted personal data no longer being processed for the purpose for which they were initially collected.

In light of this, establishing a data storage policy and procedures for blocking and subsequently deleting them, adapted to the principles of the GDPR, must been seen as crucial for companies, and this is proving to be the case for many.

Authors: Pedro Méndez de Vigo and Jorge Monclús

This post is also available in: Español



77 artículos

Jorge Monclús


47 artículos