Retention schedule

A retention schedule structurally defines, for each data type, how long personal data may be kept and when it must be deleted or anonymised.

A retention schedule is the structured, documented definition of retention and deletion periods for each type of personal data and processing purpose. It translates the storage-limitation principle of Art. 5(1)(e) GDPR into concrete rules: for every category of personal data it determines the legal basis on which it is processed, how long it is needed, and when it must be deleted or anonymised. This turns the erasure obligation from an abstract requirement into a traceable, auditable process.

A good retention schedule links each data type to the start of the period (such as the end of a contract, the last business contact, or the close of a calendar year), the duration of the period, and the triggering event. It must account for statutory retention obligations, in particular the commercial and tax-law periods under Section 257 of the German Commercial Code (HGB) and Section 147 of the Fiscal Code (AO), which run from six to ten years, and weigh these against the data-protection erasure obligation. Where a retention obligation applies, the data is usually blocked or its processing restricted and only finally deleted once the period has expired.

The retention schedule forms part of the accountability obligation under Art. 5(2) GDPR and should be interlinked with the record of processing activities, which under Art. 30(1)(f) GDPR is itself meant to state the envisaged deletion periods. In practice it is complemented by a deletion concept that describes the organisational and technical measures for actually carrying out the erasure. The DIN 66398 standard offers a recognised methodology that groups data types into deletion classes with uniform standard periods.

Legal Basis

Art. 5(1)(e) and (2) GDPR, Art. 17 GDPR, Art. 30(1)(f) GDPR; Section 257 HGB, Section 147 AO; DIN 66398

Practical Example

A data protection officer at an online retailer builds a table of all data types for the retention schedule: order data and invoices receive a ten-year retention period from the end of the financial year due to Section 147 AO, followed by automatic deletion. Application documents of rejected candidates are deleted six months after the process closes to cover discrimination-law deadlines. Newsletter consents are stored until withdrawal, and inactive customer accounts are anonymised after three years without login. The schedule names the triggering event and the responsible person for each period, so that the deletion routines can be configured in an audit-proof way within the system.
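The retailer's schedule above, as an added example (not part of the original page and not preeco's software): a small Python evaluator that encodes each data type with its triggering event, period, action and responsible owner, computes the due date, and reports statutory data as "blocked" rather than deleting it before the period expires. It assumes the financial year equals the calendar year and that the rule names and owners are illustrative.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RetentionRule:
    data_type: str
    trigger: str                 # event that starts the period
    years: int = 0
    months: int = 0
    action: str = "delete"       # or "anonymise"
    statutory: bool = False      # statutory retention: block, never delete before expiry
    from_year_end: bool = False  # period runs from the end of the (calendar) financial year
    owner: str = "DPO"           # responsible person for the period (illustrative)

def add_period(start: date, years: int, months: int) -> date:
    """Add years/months to a date, clamping the day to the target month's length."""
    total = start.month - 1 + months + 12 * years
    y, m = start.year + total // 12, total % 12 + 1
    return date(y, m, min(start.day, calendar.monthrange(y, m)[1]))

def due_date(rule: RetentionRule, trigger_date: Optional[date]) -> Optional[date]:
    """Date on which the rule's action falls due, or None if the trigger has not occurred."""
    if trigger_date is None:
        return None
    start = date(trigger_date.year, 12, 31) if rule.from_year_end else trigger_date
    return add_period(start, rule.years, rule.months)

def evaluate(rule: RetentionRule, trigger_date: Optional[date], today: date) -> str:
    """Return what is due today: 'retain', 'blocked', 'delete' or 'anonymise'."""
    due = due_date(rule, trigger_date)
    if due is None:
        return "retain"          # e.g. newsletter consent not yet withdrawn
    if today < due:
        return "blocked" if rule.statutory else "retain"
    return rule.action

# Constructed schedule mirroring the retailer example on this page.
SCHEDULE = {
    "invoice": RetentionRule("order data and invoices", "end of financial year of the invoice",
                             years=10, statutory=True, from_year_end=True, owner="Finance"),
    "application": RetentionRule("rejected application documents", "close of recruitment process",
                                 months=6, owner="HR"),
    "newsletter": RetentionRule("newsletter consent", "withdrawal of consent", owner="Marketing"),
    "account": RetentionRule("inactive customer account", "last login",
                             years=3, action="anonymise", owner="Customer service"),
}

if __name__ == "__main__":
    today = date(2025, 1, 1)
    for key, trigger in [("invoice", date(2021, 3, 15)), ("application", date(2024, 8, 31)),
                         ("newsletter", None), ("account", date(2021, 5, 10))]:
        print(key, due_date(SCHEDULE[key], trigger), evaluate(SCHEDULE[key], trigger, today))
```

Run as a batch job, the `evaluate` result per record is what the deletion routine acts on, while the rule fields (trigger, period, owner) are the audit trail the schedule has to document.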

FAQ

A retention schedule defines which data type must be kept for how long and when it must be deleted. A deletion concept goes further and describes the organisational and technical measures used to actually perform and document those deletions. In practice the two build on one another.

Statutory retention obligations, such as those under Section 257 HGB or Section 147 AO, take precedence over the data-protection erasure obligation. Such data is restricted in processing or blocked until the period expires and only deleted thereafter. The schedule must set out these obligations for each data type.

There is no explicit duty to maintain a standalone document, but one follows in practice from the principles of storage limitation and accountability. The record of processing activities is in any case meant to state deletion periods under Art. 30 GDPR, which makes a structured schedule the standard way to demonstrate compliance.

How preeco supports you

Learn how our software supports you with this topic.