You cannot store personal information forever

You cannot store personal information forever

Any purchase over the Internet requires the disclosure of personal data, which can only be stored for the necessary time. But many times it breaks. The GDPR Privacy Policy talks about a number of principles with the processing of personal data. One of them is the so-called limitation of the storage of personal data. This principle states that personal data will be stored only for the time necessary for the purpose of processing it. After this time, personal data should be automatically deleted. But does it actually work?

One-time purchase on the Internet

According to GDPR, after making a one-time purchase in a specialized e-shop, the customer's personal data should be kept only for the time necessary to claim his potential claim due to damage to the goods. However, for a maximum period of time that the customer has given their consent to receive business notifications.

However, there is also a legitimate interest in keeping personal data for a longer period of time, for example because of long-term monitoring of the market situation. This intent should be accurately identified and the customer informed.

Also, after a certain period of time, visitors' personal data should be deleted after a one-time visit or use of any other service. For example, this applies to customers who bought tickets online or paid for their purchases by card. Or if their movement around the service provider's premises is somehow monitored by a camera.

Regularity of purchase or loyalty programs

The situation is different when the entity is a regular user of the service, is participating in a customer loyalty program, or has given its explicit consent to continue sending business service provider communications.

Companies often violate the regulation

Automatic deletion of data after processing has ceased to be necessary for the purpose of processing is not yet customary. Data (often in duplicate or multiple times in various records and information systems) is kept for possible future use, without companies realizing that they are in breach of the regulations already in force.

It is also an unnecessary complication. The more data and records the company has, the greater the risk of data inaccuracy and redundancy in relation to the purpose of their processing. This implies a higher likelihood of data security breaches linked to the obligation to report such breaches and to bear the consequences of damages or possible sanctions. A company can prevent any fines by doing the following:

• checking the retention period of personal data,
• considering the purposes for which they are kept, when deciding whether and for how long to keep them,
• safely deleting and disposing of data that is no longer required for this purpose,
• updating, archiving, or securely deleting data that is out of date.

How long can you store them?

The answer is simple - as short as possible. This should take into account the reasons why the business needs to process this data, as well as legal obligations to retain data for a fixed period of time (such as national labor, tax or anti-fraud legislation that imposes on you the obligation to store personal data about your employees for a limited period, during the product warranty period, etc.).

Companies should set time limits for deletion or review of stored personal data. Exceptionally, personal data may be stored for longer periods for archiving purposes in the public interest or for scientific or historical research purposes. The company must also ensure that the stored data is correct and updated.