Retention Period under GDPR

Answer:

Indeed retention periods are quite tricky and quite country specific. There are so-called legal retention periods such as the ones you find in various pieces of regulations such as Tax Codes, Labor Laws etc. These can be found in your local legislation so is up to you and your lawyers/legal counsels to look them up. There is also personal data that is not regulated in terms of retention periods and in this case the regulators are right, it is up to you do decide and to establish reasonable retention periods considering the processing activity, the types and categories of personal data, as well as other factors such as statute of limitations periods or contractual obligations.

2. To clarify re Retention Periods - If a client comes back for further service after say 5 or more years, is it fair to say I should have their personal information, order/servic e history etc. available in our system or should it be gone by then?

Answer:

You are only bound to keep the data which is required by law or by a contract with the owner of the data. After 5 years you may only be keeping invoices or documents related to the issuing of those invoices.