Under the General Data Protection Regulation (“GDPR”), the same periods of retention of personal data apply as before. The basic principle remains that personal data may not be kept longer than is necessary for the purposes of the processing (the so-called “storage limitation”). How long this is exactly should be assessed on a case-by-case basis depending on the processing activity.
According to recital 39 of the GDPR, companies should establish time limits for the deletion of data or for their periodic review in order to ensure that personal data are kept no longer than necessary. In concrete terms, this means that, prior to the processing of the personal data, companies should establish in a retention policy how long the personal data will be kept. If this is not possible, the criteria for determining the retention period should in any case be determined.
In addition to complying with the above principle of storage limitation, the development of a retention policy by the company is also important because the intended retention periods must – if possible – be included in the records of processing activities.
In addition, in accordance with the provisions of the GDPR, the data subjects should also be informed of the retention periods of their data, or if this is not possible, of the criteria for determining these periods. According to the guidelines of the European Data Protection Board, this should be done in such a way that the data subjects, based on their own situation, can understand how long their data will be kept. For example, it is not sufficient to state in general terms that the data will be retained “as long as necessary for the processing purposes”. Where relevant, the different retention periods (including the archiving periods) should be mentioned for the different categories of personal data and/or different processing purposes.
It is generally appropriate to retain records and documents relating to employees during their employment and for a period of five years following the end of their employment. This general retention period is based on the civil and criminal statutes of limitations for claims made in the context of the working relationship. Civil-law claims arising from the employment contract between the employer and the worker expire five years after the event from which the claim arose, without this period exceeding one year after the termination of this contract. However, if the violation of the rules of labour law constitutes a crime (e.g., non-payment of wages, holiday pay), one can go back five years for such civil claims based on a crime (“ex delicto claim”).
However, depending on the processing activity, specific retention periods may apply. For personal data that are relevant in the context of entitlements to a statutory and/or supplementary pension, it is advisable, for example, to retain them until the statutory retirement age, extended by one year. The retention period of camera images can be a maximum of one month, unless the images can contribute to proving a crime, damage or nuisance, or to identifying a perpetrator, a public order disruptor, a witness or a victim.
The company that processes personal data for general interest, for scientific or historical research or for statistical purposes may keep them longer than necessary for the original purpose of processing. Where appropriate, technical and organisational measures should be taken to safeguard the privacy of the employee (e.g. anonymisation).