FAQs
How long should personal data be held to meet the obligations imposed by the GDPR?
Data controllers are obliged to process personal data in accordance with the storage limitation principle, meaning that personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner.
However, the General Data Protection Regulation (GDPR) does not stipulate specific retention periods for different types of data, and so organisations must have regard to any statutory obligations imposed on them as a data controller when determining appropriate retention periods.
The actual retention period will therefore depend on the purposes for which a data controller processes personal data. For example, if the purpose of processing the personal data is merely to identify data subjects so that they can access an online account, the personal data collected for that identification should be erased immediately after a valid access has taken place. On the other hand, if personal data are being processed in the context of preparing a legal claim, their storage can and should legitimately last for as long as the institution and subsequent course of the legal proceedings require. Retention for further processing may only be allowed if the purpose of that further processing is compatible with the initial purpose.