How long can data be stored under GDPR?

The GDPR does not set specific limits for storing personal data. Article 5(1)(e) requires personal data to be stored no longer than necessary for the purposes for which the personal data is processed.

However, according to the ICO, you cannot hold personal data indefinitely ‘just in case’ it might be useful in future. If you are collecting data that’s not being put to use, you will need to consider deleting it and stopping any further collection.

As a general rule, your business should establish time limits for retaining data and have a mechanism to erase or review data after the retention period. You can check out the data retention policies of businesses like Spotify and Twitter.

As an exception, personal data may be stored for longer periods if it is processed for archiving purposes in the public interest, scientific or historical research or statistical purposes. In such cases, you need to ensure that the data is subject to appropriate technical and organizational measures as stated in Article 89(1).