FAQs
Can an organisation retain my credit card / bank account details after I close my account with that organisation?
The “storage limitation” principle in Article 5(1)(e) of the General Data Protection Regulation (GDPR) requires that personal data… is kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. If the purpose for which the information was obtained has ceased and the personal data is no longer required, the data must be deleted or disposed of securely.
Usually, the retention period for holding (personal) data is set down in different pieces of legislation, such as Section 55 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended). This section provides that a designated person (financial institution) under the Act shall keep records evidencing the history of services and transactions carried out concerning each customer of the designated person for not less than five years from the date on which the designated person ceases to provide any service to the customer concerned or the date of the last transaction (if any) with the customer, whichever is the later.
However, the GDPR does not specify a maximum retention period. Therefore, it is a matter for each data controller to decide on an appropriate retention policy. This will vary between data controllers as it is based on the data controller’s circumstances and reasons for retention.