RGPD - how long to keep personal data?

Joëlie, September 2, 2022

The retention of personal data over time is a theme that comes up very often during our engagements. Whether it's an audit or RGPD support, this subject is generally a source of misunderstanding. It can become a sore point if not quickly defused.

This article is the first in a series intended to help you see this aspect of RGPD compliance more clearly. In this first article, we explain the rules governing retention periods. The next article will cover the more practical implications.

Before we dive into the practical implications of retention periods, it's vital to get back to basics. The guidelines for retaining personal data are laid down by the RGPD (A). They are specified by the CNIL in certain contexts (B). Finally, they are accompanied by exceptions and methodological tools for compliance (C).

A. Principles governing the life cycle of personal data

Taking a step back, we can discern two main principles that guide the retention of personal data. These principles stem from Recital 39 as well as Articles 5 and 89 of the RGPD. They are classified here into two general categories, for greater clarity.

1. Prohibition in principle of unlimited retention

This is often the most difficult principle to explain during RGPD coaching. No, it's not possible to keep personal data forever.

Figure 1: Article 5 e of the RGPD requires us to establish retention periods for personal data; an a contrario reading of this article tells us that unlimited retention is therefore prohibited.

This generally strikes fear into the hearts of business departments. For some, their first reaction is to imagine disaster scenarios triggered by the deletion of personal data! The RGPD would, according to these predictions, be the cause of lost sales or a breach of their professional obligations. Whether you work for a public or private entity, your work is often based on data. The prospect of its deletion should therefore not be taken lightly. Concerns on this subject are absolutely legitimate, and we must listen to and consider them all. However, the solution is to apply the principle under the best conditions, not to circumvent it.

It is true that in certain professions, the unlimited retention of identifying data is necessary. For these cases, which are very specific and actually quite uncommon, the RGPD provides for exceptions to this principle (see C.). Nevertheless, in most situations, it is entirely possible to consider deleting personal data. Of course, this will have to be done by studying the field and adapting the principle to the specific needs of each business. In this way, we can achieve our RGPD compliance objectives without affecting the operation of the organization concerned.

2. Respecting the limitation

Once the ban on unlimited retention has been accepted, the next step is to limit the retention itself. The main obstacle to the application of this principle is the fear of hasty deletion. As we saw above, many professionals fear the consequences of deletion. Even after admitting that data should be deleted, people often want to keep it as long as possible. And, in order not to feel restricted, very, very long retention periods are proposed. However, this is not a good idea, as it contravenes the principle of limitation.

Limiting retention could be seen as a specific application of the general rule of minimization. Broadly speaking, this means keeping personal data for as short a time as possible. This seems counter-intuitive to the practices that have become widespread with the increase in computer storage capacity. We have developed a tendency to keep everything, for as long as possible, sometimes indiscriminately. Now, the RGPD is forcing us to question this mania. We must now identify which personal data is really useful to us, and not keep the others.

As a result, part of the RGPD support consists of adjusting the retention period of personal data as closely as possible. This duration must be as short as possible, without undermining the legitimate objective pursued by the desired retention.

Beyond duration, RGPD compliance will influence the amount of data kept. Initially, duplicates will be tracked down, making a clean sweep of working data. It will then be possible to prune as much as possible of the data that has become unnecessary following the initial phases of its processing.

B. The CNIL's clarifications on retention

1. CNIL standards

In addition to the main principles drawn from the RGPD, the CNIL has been publishing reference guidelines for years. These are more precise than the general rules of the RGPD and provide guidance for professionals. These are sector-specific guides giving broader advice than just retention periods.

Figure 2: Extract from cnil.fr about the publication of a reference guiding professionals to apply the RGPD in the context of rental management.

In 2019, for example, it published a very useful reference framework devoted to human resources management. There's also the 2021 standard on sales relationship management. Some are more specific, tailored to particular sectors. There is, for example, a standard on personal data management in the child protection sector. Very recently, a new standard was published by the CNIL for public consultation. This is a sectoral reference concerning the management of pharmacies. These reference frameworks provide us with valuable clues for determining retention periods. The French Data Protection Authority (CNIL) indicates the periods it considers appropriate for retaining certain data.

Two CNIL guidelines useful for all organizations in determining retention periods:

  • November 21, 2019 reference framework for personnel management.
  • February 3, 2022 standard for commercial management.

Examples of sector-specific reference frameworks:

  • July 18, 2022 standard for pharmacies.
  • January 20, 2022 guidelines for child protection.
  • May 6, 2021 standard for rental management.

2. Retention periods provided by reference frameworks

Let's take an example from the reference framework for commercial relations. A duration is indicated for data used for prospecting purposes. This would be 3 years after the data subject's last contact with the organization. In certain cases, it would therefore seem appropriate to retain a prospect's personal data for up to 3 years after the last time he or she contacted us.

Figure 3: Extract from the CNIL guidelines indicating the recommended retention period for personal data in the context of commercial prospecting.

However, there are two points to bear in mind here. The CNIL reminds us in its introduction that these guidelines are not binding. It is therefore not compulsory to keep data for the period indicated. What's more, these are only indicative durations, and we need to adapt them to our specific cases.

This is particularly important in the case of RGPD support: team cooperation is essential here. Indeed, the indicative durations give orders of magnitude with which consultants are familiar. But above all, it's a question of adapting them to the field during RGPD compliance. So we need to be able to communicate effectively with the business lines. They know the constraints and needs of the departments, on the basis of which we can establish retention periods.

Figure 4: Extract from CNIL deliberation SAN-2020-008 sanctioning Carrefour France for failure to comply with the principle of limitation.

The extract above shows a situation where an indicative duration is provided by the CNIL. However, the CNIL analyzes the facts to determine whether this duration is appropriate or not. In practice, this confirms that the durations indicated are not fixed and compulsory.

Finally, it should be pointed out that not all professions and business areas are covered by such standards. Nor is there any reference system indicating generic retention periods. The CNIL has published a guide setting out the methodology for determining retention periods. However, it does not indicate any standard duration. That's why it's just as important to master the principles and know how to adapt them to specific cases.

  • The CNIL and SIAF practical guide to retention periods.

C. Adaptations of principles permitted by legislation

1. Only one real exception to the principle

To conclude on the main rules governing retention periods, let's look at adaptations and exceptions to the principles.

The only real exception to the ban on unlimited retention is for public archives. It is understandable that, in certain cases and for the general interest of preserving public archives, this prohibition should be lifted. However, this is not an undifferentiated general authorization to retain data. Even where this exception applies, only certain personal data may be permanently stored. After specific examination, the decision may be taken to place them in a permanent archive. These data are then subject to the French Heritage Code.

Figure 5: The French Heritage Code contains specific provisions relating to the preservation of personal data in public archives.

2. Adaptations

Apart from specific exceptions, methods exist to manage the constraints associated with retention limitation. In RGPD compliance, when it comes to retention, archiving and anonymization can be used in particular.

a. Intermediate archiving

As we saw above (see 1.), definitive archiving is an exceptional measure. We cannot therefore rely on it to manage our ordinary retention periods. There is, however, one form of archiving available to all data controllers: intermediate archiving. This way of storing personal data comes after the active database. To understand intermediate archiving, we first need to explain what an active database is.

In simple terms, the active base is the state in which data is found when it is needed most. It is in the active base that data is generally processed for the main purpose for which it was collected. Then come the intermediate archives. In this new phase of the data cycle, data is stored only for occasional consultation.

Figure 6: In compliance with the RGPD, personal data that no longer has a place in the active database can either be deleted directly or go through an intermediate archiving stage.

For example, data concerning an employee will be stored in an active database for the duration of the employment relationship. Once the employee has left, it can be transferred to an intermediate archive. This can be used, for example, to defend the company's rights in the event of litigation. Finally, in compliance with the retention limitation, data must be deleted at the end of intermediate archiving.

Figure 7: When providing RGPD support, collaboration with the human resources department is very important, as this is a part of the organization that manages a lot of personal data, and often the most sensitive.

This form of storage is not compulsory, but can be useful for extending the retention period. It should be borne in mind, however, that intermediate storage constitutes a new processing operation for personal data. All the rules of the RGPD (including the principle of limitation) must therefore be applied. It is therefore clear that intermediate archiving is not a way of circumventing the limitation principle. Rather, it's a way of structuring oneself to build a healthy, controlled data cycle.

To sum up, the data cycle can be seen as the following sequence of steps.

  • Collection, transfer or creation of data.
  • Active base: for current needs.
  • Intermediate archives: preservation for specific needs.
  • Final archives: exceptional situation.
  • Deletion or anonymization.
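
As an added illustration (not from the original article or from the CNIL), the cycle above can be expressed as a small retention check that assigns each record to a stage. Only the 3-year prospecting period comes from the article; the category names, the 5-year archive period for employee data and the function names are assumptions, and final archiving is left out because it is the exceptional case.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Policy:
    active_years: int    # time kept in the active base after the trigger event
    archive_years: int   # additional time in intermediate archive (0 = none)

# Assumed policy table. The 3 years for prospects is the indicative CNIL
# period cited in the article; the 5 years for employees is a placeholder
# that must be set with the business departments.
POLICIES = {
    "prospect": Policy(active_years=3, archive_years=0),  # trigger: last contact
    "employee": Policy(active_years=0, archive_years=5),  # trigger: end of contract
}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:   # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def stage(category: str, trigger: Optional[date], today: date) -> str:
    """Return 'active', 'intermediate_archive' or 'delete_or_anonymize'."""
    policy = POLICIES.get(category)
    if policy is None:
        # A category without a defined period would be kept forever by
        # default, which is exactly what the limitation principle forbids.
        raise ValueError(f"no retention policy defined for {category!r}")
    if trigger is None:  # trigger event not reached yet (e.g. still employed)
        return "active"
    active_end = add_years(trigger, policy.active_years)
    archive_end = add_years(trigger, policy.active_years + policy.archive_years)
    if today < active_end:
        return "active"
    if today < archive_end:
        return "intermediate_archive"
    return "delete_or_anonymize"
```
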

b. Anonymization

A final tool makes it possible to manage personal data under the constraint of limited retention. This is anonymization. During an RGPD coaching session, we quickly realize that there is a lot of interest in this retention option. But there are also some common confusions in its understanding. As a first step, then, let's distinguish anonymization from pseudonymization.

Pseudonymization consists in replacing certain identifiable data with an alias (a different name, a personnel number, etc.). The data remains identifiable, but becomes so indirectly. It is then considered that the right to privacy of the persons concerned is better protected. So, in the sense of the RGPD, pseudonymization is a personal data protection measure. Anonymization, on the other hand, refers to the transformation of personal data so that it is no longer identifiable. This approach can be seen as an alternative to erasure. Indeed, following both, there is no longer any personal data. The principles of the RGPD, set up to protect personal data, will therefore no longer apply.

Figure 8: During RGPD support, an important part of the consultant's job is to help people understand the subject and the issues surrounding the protection of personal data. Explaining terms like these is part of this mission.

"LINC is currently working on a project to test the effectiveness of anonymization."

Real anonymization means making it impossible to re-identify people from anonymized data. This is very difficult to achieve, especially if you want to retain a certain level of usefulness in the data set. It is therefore a much more delicate and ultimately more costly measure than deletion. It is often chosen under only one of two constraints. Either unlimited retention of the data in its non-identifying form is absolutely necessary for compelling reasons. Or the dataset in question may have value, even without an identifying character. In all cases, it should be noted that anonymization in no way allows you to return to a stage where the data is identifying. It is therefore of no interest if the organization's objective is to maintain the identifying nature of the data. In the latter case, a retention period ending with deletion is required.

To remember

  • In principle, personal data cannot be stored indefinitely.
  • Reasonable storage periods adapted to the needs of the organization must be established and respected.
  • Guidelines exist to guide us, but they are not exhaustive.
  • Intermediate archiving should be considered to preserve data beyond current needs.
  • Anonymization is a real solution, but it is not suited to the most frequent cases.

This article has given the elements of an answer to the question "How long to keep personal data according to the RGPD?". In our next article, we'll talk about the practical importance of these rules. They are very important to take into account in order to control the legal risk linked to the RGPD. But in any case they also help to structure the management of all our data. The advantages of RGPD support are therefore numerous when it comes to tackling such a sprawling issue.

Illustration sources: Pixabay and Freepik.
