The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Data Protection Rule 7

Retention of personal data

"the data shall not be kept for longer than is necessary for that purpose or those purposes"
- section 2(1)(c)(iv) of the Act

Nowadays information can be kept cheaply and effectively on computer. This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal information, then that information should be routinely deleted. Information should never be kept "just in case" a use can be found for it in the future.

You should pay particular attention to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which you do not need to hold any longer. If you would like to retain information about customers to help you provide a better service to them in the future, you must obtain the customers' consent in advance. The same applies to paper records. Good housekeeping would also dictate that your regularly review the need to retain records.

Retention of personal data: Test Yourself

You should be able to answer YES to the following questions:-

  • Is there a defined policy on retention periods for all items of personal data kept?
  • Are there clerical and computer procedures in place to implement such a policy?
  • Is information about old customers routinely purged from our systems?

Practical steps

Assign specific responsibility to someone for ensuring that files are regularly purged and that personal information is not retained any longer than necessary.

Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDIES - Retention


MENU Select Page No.
<- Previous    Next ->