Failure to comply with retention periods resulted in EUR 1.75 million fine
Following a supervisory inspection, the French Data Protection Authority found that a large insurance company was keeping personal data for longer than the retention periods it had defined. Although the company subsequently adopted a series of compliance measures, its failure to comply with the fundamental obligations under the data protection rules triggered a substantial fine.
Pursuant to the so-called storage limitation principle, personal data must not be kept for longer than necessary. That means, among other things, that it is necessary to consider what the purpose for keeping the data is, and to set up a retention policy outlining the standard retention periods, as far as possible.
In this case, the French Data Protection Authority found that a large insurance company, which was part of a group with approximately 15 million customers, was keeping personal data for longer than the retention periods it had defined. Although the company had a retention policy, the policy had not been implemented in its IT systems. For its prospective customers, the company had consequently kept data beyond the maximum retention period of three years and in some cases for up to five years. For more than two million of its existing customers, the company had kept data for longer than the maximum retention period of five years after the end of the contract. The data kept on existing customers included, among other things, sensitive data regarding their health, and for some customers it had been kept for up to 30 years.
Besides having failed to comply with the storage limitation principle, the company had also failed to comply with its information obligations. Together, the two breaches were considered such fundamental violations of the applicable data protection rules that they resulted in a fine of EUR 1.75 million.
How are appropriate retention periods defined?
Even if data is collected lawfully and processed fairly, it cannot be kept for longer than necessary. By ensuring effective erasure or anonymization in accordance with their retention policies, companies can therefore reduce the risk of the data becoming unnecessary, outdated or inaccurate.
When defining the appropriate retention periods, the applicable rules on the statute of limitations or bookkeeping rules should be applied to define the legal maximum time period. In most situations this would allow companies to keep data for three to five years, while other categories of data, such as CCTV footage or job applications, can only be kept for much shorter periods of time. Consequently, retention periods will also largely depend on what lawful basis was applied for processing the data in the first place.
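The decision above turned on a retention policy that existed on paper but was not enforced in the insurer's IT systems. As an added illustration, not code from the article or from IUNO, the following Python script evaluates a constructed set of records against a retention schedule and lists the records that are past their erasure date, putting special-category (health) data first. The three-year period for prospects and the five-year period after contract end for customers are the figures reported above; the record layout, the day-based arithmetic, the reference date and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention schedule in days (a year is approximated as 365 days here).
# The 3-year (prospects) and 5-year-after-contract-end (customers) periods are
# the ones reported in the article; the schedule format itself is an assumption.
RETENTION_DAYS = {
    "prospect": 3 * 365,
    "customer": 5 * 365,
}

# Constructed reference date for the audit run (assumption, not from the decision).
REFERENCE_DATE = date(2021, 7, 20)


@dataclass
class Record:
    record_id: str
    category: str                   # "prospect" or "customer" (assumed schema)
    last_contact: date              # prospects: date of last contact
    contract_end: Optional[date]    # customers: date the contract ended (None = still active)
    special_category: bool = False  # e.g. health data; flagged for priority review


def retention_start(rec: Record) -> Optional[date]:
    """Date from which the retention clock runs, or None if it has not started yet."""
    if rec.category == "prospect":
        return rec.last_contact
    if rec.category == "customer":
        return rec.contract_end  # None while the contract is active: keep the data
    raise ValueError(f"unknown category {rec.category!r}")


def erasure_due(rec: Record) -> Optional[date]:
    """Date on which the record must be erased or anonymized, or None if not yet determinable."""
    start = retention_start(rec)
    if start is None:
        return None
    return start + timedelta(days=RETENTION_DAYS[rec.category])


def overdue_records(records: List[Record], today: date) -> List[Tuple[str, int, bool]]:
    """Return (record_id, days_overdue, special_category) for every record past its erasure date.

    Special-category records come first, then the longest-overdue ones, so a
    reviewer sees the highest-risk retention failures at the top of the list.
    """
    out = []
    for rec in records:
        due = erasure_due(rec)
        if due is not None and today > due:
            out.append((rec.record_id, (today - due).days, rec.special_category))
    out.sort(key=lambda t: (not t[2], -t[1]))
    return out


def sample_records() -> List[Record]:
    """Constructed sample data: two prospects and three customers."""
    return [
        Record("p1", "prospect", date(2017, 1, 1), None),                      # overdue
        Record("p2", "prospect", date(2020, 3, 1), None),                      # within 3 years
        Record("c1", "customer", date(2005, 1, 1), date(2010, 6, 30), True),  # health data, overdue
        Record("c2", "customer", date(2015, 1, 1), None),                      # active contract
        Record("c3", "customer", date(2012, 1, 1), date(2017, 1, 1)),          # within 5 years
    ]


def audit(today: date = REFERENCE_DATE) -> List[Tuple[str, int, bool]]:
    """Run the retention check over the sample data for the given reference date."""
    return overdue_records(sample_records(), today)


if __name__ == "__main__":
    for record_id, days, special in audit():
        flag = " [special category]" if special else ""
        print(f"{record_id}: {days} days past erasure date{flag}")
```

In a real deployment the function that lists overdue records would be driven by the organisation's actual retention schedule and would feed an erasure or anonymization job, with its output logged so that compliance with the policy can be evidenced later.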
IUNO’s opinion
When drafting data retention policies, companies should carefully consider the purpose of keeping their data, and strike a balance between vaguer wording stating that data is kept for as long as necessary and more detailed provisions systematically defining the time periods for erasure or anonymization.
IUNO recommends that companies also consider the purpose for which data was collected in the first place, as the applied lawful basis to a certain extent may assist with defining streamlined retention periods. For example, if the data was processed based on consent, it should be erased when that consent is withdrawn – unless another lawful basis can be applied instead.
[Decision by the Restricted Committee of the French Data Protection Authority in case no. 2021-010 of 20 July 2021]