It’s been one year since the General Data Protection Regulation (GDPR) entered into force in the European Union, and a key question has emerged: for how long can or should companies keep clients’ and employees’ personal data on file?
According to the principle of storage limitation contained in Article 5.1.e. of GDPR, data may be stored for no longer than is necessary for the purposes for which the personal data were requested and processed.
A restrictive interpretation of this provision, together with the fear of the enormous sanctions foreseen in the event of non-compliance, has led many companies, especially foreign ones, to demand the immediate erasure of the data once the commercial or employment relationship has ended.
But what consequences can the elimination of this information have for compliance with other tax or corporate obligations?
The answer will vary depending on country, even within the European Union.
In the case of Spain, companies must take special care with the automatic erasure of data, since in the event of a request or inspection by a state authority, companies must have available all the information requested, which can include personal data.
In Spain it is necessary to bear in mind that the actions that the Treasury or Social Security offices may take against companies can extend up to 4 or 5 years, respectively. Also, the Spanish Code of Commerce obliges companies to keep the information generated for a period of 6 years. Additionally, if companies are obliged to comply with the Anti-Money-Laundering Law, the obligation to keep information extends up to 10 years.
Therefore, in the event that information is deleted – including personal data – and a company becomes subject to an inspection, it may find itself in a complicated situation. First, because it would not possess the required information. And second, because it may not have a sufficient legal basis on which to mount a defense.
What options do companies have to comply with different regulations at the same time?
The solution lies in blocking personal data so that no one, except expressly authorised people, can access them.
Recital 81 and Article 28(1)(g) of the GDPR stipulate that “after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.”
In this sense, Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPD) establishes in its Article 33(3) that the data controller shall be the one who “shall determine whether, when the services of the data processor end, the personal data shall be destroyed, returned to the data controller or handed over, as the case may be, to a new data processor.”
Likewise, it establishes that “the destruction of the data shall not proceed when there is a legal provision obliging its conservation […]”
In addition, and key to the issue, Article 33(4) gives the processor the possibility of keeping the data properly blocked:
“The processor may retain, duly blocked, the data insofar as responsibilities may arise from his relationship with the controller.”
In conclusion, companies may keep stored personal data of clients and employees once the commercial or employment relationship has ended, provided that the effective blocking of the personal data is guaranteed, and until the legal obligation from which responsibility may derive ends. To properly assess and create data management policies that fully comply with regulations and laws across jurisdictions, companies may benefit from consulting outside specialists.