EU GDPR DPO Course - Retention Schedule - Module 4

The data retention schedule helps the data controller and data processor to comply with the principle of minimization and to be accountable.

Data controller and data processor need to evaluate how long they will need the data. Specifications may be inside laws (i.e. many tax and accounting law requires to keep records of transactions, bills, invoices up to ten years), inside contracts (especially for data processors who have instructions on how to handle data processed on behalf of the data controller inside the appointment as a data processor or inside instruction). The data retention schedule should be in line with all these requirements. Balancing the principle of minimization with the risks of data breach (which can be considered as data destruction based on a wrong data retention schedule).

In your data retention schedule, you should also decide how to deal with data not covered by laws and regulations (i.e. applicants CVs) by establishing a principle in line with the period the data controller may need those data (i.e. until the job position has been covered).Therefore, specifications for data retention schedules may vary from case to case depending on the data processing.

You can find more information here:- The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/- How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/- Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/- Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/