Storage Limitation
Article 5(1)(e) GDPR — delete data once the purpose has been achieved
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Personal data may not be stored for longer than is necessary for the processing purpose. Once the purpose has been achieved, the data must be erased or anonymised, unless statutory retention obligations apply (e.g. Section 257 HGB, Section 147 AO).
What is storage limitation?
The most important retention periods in the DACH region:
- Tax and commercial records: 10 years (Section 147 AO)
- Payroll accounts: 6 years
- Applicant data without hire: 6 months (BAG 2 AZR 1180/16)
- Marketing consents: as long as consent is valid + 3 years (proof)
- Cookie data: max. 12 months (DSK)
Practical example
An HR application stores job applications. After a rejection, the data must be erased after 6 months (once the AGG limitation period has expired). Exception: if the applicant consents to inclusion in a talent pool, longer storage is possible.
Frequently asked questions
Who decides on the retention period?
The controller, based on the purpose and statutory provisions, as documented in the ROPA (record of processing activities).
What if retention obligations and data minimisation conflict?
The retention obligation takes precedence. However, access must then be restricted (e.g. to the tax advisor only).
Is anonymisation sufficient?
Yes, where genuine anonymisation (not pseudonymisation) is achieved. The data are then no longer personal data.