The Data Protection Regulation, commonly known as RODO, has significantly changed how individuals' personal data is acquired and stored. The regulation also governs how long a company can hold such information without consequence.
The term personal data covers any information by which a natural person can be identified. As stated in the RODO regulation, this includes not only basic personal data (such as name, address, PESEL, ID number or contact information), but also a person's image, background, beliefs and even trade union membership.
Strict minimum principle
The purpose of the RODO is to protect personal data. Its provisions therefore set out the principles to be followed by those involved in data processing, first and foremost business owners. Let us see what this means in practice.
Regardless of whether the data to be collected relates to employees, customers or clients, the business owner should collect only the information necessary to achieve the stated purpose (e.g. fulfilling an order or recruiting employees). The regulation does not stipulate which data, or how much, should be collected, so the business owner has to decide which information is absolutely necessary.
The principle of the strict minimum also applies to the storage of personal data. Here, too, there is no specific provision as to how long a company can hold an individual's personal data. However, it is clear from the regulation that this cannot be done indefinitely.
The regulation states that personal data may be stored only for as long as necessary to fulfil the stated purposes for which it was obtained. Although no specific retention period is mentioned, the regulation makes clear that it must be kept to a minimum.
How do you determine the duration of data retention?
Although the RODO does not impose a specific retention period on businesses, they may not state in consents or information clauses that data will be stored indefinitely. Breaching the strict minimum provision may lead to legal problems, especially if the data controller fails to provide a logical reason for its action.
The data retention period depends primarily on the type of activity for which the data was necessary. There are also provisions which may prolong, or in some cases even shorten, the duration of the processing of personal data. These include, for example, the provisions on limitation of claims regulated by the Civil Code or the provisions originating from accounting laws.
Where the basis for processing personal data is the individual's consent, the data may be stored until the consent is revoked. Once consent has been revoked, the data is kept until the statute of limitations for claims expires, both those made by the data controller and those that may be made against the individual. Depending on the type of claim, this period lasts from 6 months to 6 years.
If the basis is the performance of a contract, then the data will be processed until the contract has been performed. However, in this case too, the limitation period for claims applies even after the contract has ended.
Data stored for longer periods
There are three circumstances in which personal data may be kept longer than the strict minimum rule allows. These are cases where the data was obtained for the following purposes:
- conducting scientific and/or historical research,
- archiving (for public purposes only),
- statistics.
However, it should be borne in mind that, even with the extended period, such data may not be stored indefinitely. It is also the administrator's task to ensure that the data is adequately protected for as long as it is held.
What about pre-RODO data?
Personal data that was collected before the entry into force of the RODO must be brought in line with the current rules. This means that the entrepreneur should verify whether the collected data was obtained in compliance with the current rules. If the way it was obtained deviates significantly from the requirements of the RODO regulation, the best solution is to delete the data.
The trader should also ensure that it has the relevant consents from individuals for processing their personal data. If these are no longer legally valid, they should be updated. Likewise, data obtained before 25 May 2018 may not be stored indefinitely.