Storage limitation

Storage limitation (German: Speicherbegrenzung) is one of the core processing principles of the General Data Protection Regulation and is enshrined in Article 5(1)(e) GDPR. Under this principle, personal data may be kept in a form that permits identification of data subjects only for as long as is necessary for the purposes for which the data are processed. The principle gives the necessity test a temporal dimension: the focus is not on whether data may be stored, but on how long. Once the purpose has been achieved or no longer applies, the data must be erased or anonymised.

In practice, storage limitation requires controllers to set appropriate retention periods for each processing activity and to maintain a deletion concept. The relevant factors are the respective purpose as well as statutory retention obligations, for example under § 257 of the German Commercial Code (HGB) or § 147 of the Fiscal Code (AO), which may prevent immediate deletion. As long as data are retained solely for these reasons, their processing must be restricted, in effect blocking further use. Storing data "just in case" they might prove useful in future is incompatible with the principle.

Identifiability is the decisive point of reference: data that have been aggregated or anonymised to the extent that they can no longer be linked to a person fall outside the scope of the GDPR and are no longer subject to storage limitation. Article 5(1)(e) GDPR expressly provides for exceptions, for instance for archiving in the public interest, for scientific or historical research purposes and for statistical purposes under Article 89(1) GDPR, provided that appropriate technical and organisational measures protect the rights of data subjects. Breaches of the storage limitation principle may, under Article 83(5) GDPR, attract fines of up to EUR 20 million or 4 % of total worldwide annual turnover.