- GDPR Article 5(1)(e): personal data must not be kept longer than necessary for its stated purpose
- AML/KYC records: minimum 5 years after relationship end; up to 10 years where required by national law
- You must document retention periods per data category — not a single "7 years for everything" rule
- Failing to delete expired data is itself a GDPR violation, even if the data was lawfully collected
Most regulated businesses invest heavily in collecting and protecting personal data. Far fewer invest in disposing of it properly. Under GDPR, keeping data beyond the period justified by its original purpose is a violation of the storage limitation principle — regardless of how carefully the data was secured while you held it.
For law firms, accountants, fintechs, and other regulated professionals, the challenge is navigating overlapping obligations: AML regulations demand a minimum five-year retention; limitation periods for contract disputes push toward seven or ten years; and GDPR demands you keep only what is necessary. These obligations must be reconciled in a documented retention schedule.
The storage limitation principle
Article 5(1)(e) of GDPR states that personal data must be kept in a form that permits identification for no longer than is necessary for the purposes for which it is processed. Two practical requirements follow: you must be able to state a purpose for every category of data you hold, and you must have a defined deletion trigger for each category.
Common retention periods by data category
AML and KYC records
4AMLD and 5AMLD require obliged entities to retain customer due diligence records and transaction records for a minimum of five years after the business relationship ends or the transaction is completed. National implementations in some EU member states extend this to ten years when required by supervisory authorities.
Contracts and billing records
Most EU jurisdictions have a limitation period of six to ten years for contractual claims. Professional services firms typically retain engagement letters, fee agreements, invoices, and related correspondence for this period.
Employment records
Payroll records, employment contracts, and disciplinary records are typically retained for six to seven years post-employment. CV data for unsuccessful applicants should be deleted within two to six months unless candidates consented to retention on file.
Marketing and consent records
Consent logs should be retained for the duration of the relationship plus enough time to defend a complaint — typically two to three years. Active marketing lists should be reviewed and cleaned at least annually.
How to build your retention schedule
- Inventory your data categories — client records, employee data, prospect data, financial records, CCTV footage, marketing lists, audit logs
- Identify the legal basis and purpose for holding each category
- Set the retention period based on legal minimum, limitation period, or documented business need — whichever is longest and most justifiable
- Define the deletion trigger — end of contract, last transaction date, consent withdrawal, employee termination
- Assign ownership — who initiates deletion, who verifies it was done
- Implement deletion procedures in your systems, including backups and archives
- Review annually — update when processes or legal requirements change
Note on anonymisation: Genuinely anonymised data falls outside GDPR's scope. If you can strip all identifying information so that re-identification is impossible even with additional data, the result is not personal data. Pseudonymisation alone is not sufficient — pseudonymised data remains personal data under GDPR.
Common mistakes
- A policy without deletion procedures — writing down retention periods but never actually deleting data once those periods expire
- Ignoring backups — backup tapes and cloud snapshots contain personal data; they must be covered by retention procedures
- Forgetting processors — your Data Processing Agreements must pass retention obligations to sub-processors and vendors
- One period for everything — a blanket "keep for seven years" policy rarely survives scrutiny across multiple data types with different legal bases
Does the retention schedule need to be published?
Your privacy notice must include retention periods or the criteria used to determine them (Articles 13(2)(a) and 14(2)(a)). Vague language like "as long as necessary" without specifics does not satisfy this requirement.
Can we keep data "just in case" we need it for litigation?
If specific litigation is reasonably anticipated, placing a legal hold on specific identified records is justifiable and should be documented. A general "keep everything" approach does not satisfy GDPR's storage limitation requirement.
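The schedule-building steps above (purpose, longest justifiable period, deletion trigger, owner) and the legal-hold answer can be expressed as data plus a small evaluator. The following is an added example written for this guide, not HubSecure code; the category names, periods, owners and the `add_months` helper are constructed for illustration, with periods chosen inside the ranges quoted in the text rather than as legal advice. It also flags records whose category has no rule, since an uncovered category is itself a schedule gap.

```python
"""Retention schedule evaluator (hypothetical example, not HubSecure code)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class RetentionRule:
    category: str
    trigger: str                # event that starts the clock (step 4)
    legal_minimum_months: int   # statutory floor, e.g. AML record keeping
    limitation_months: int      # limitation period for claims
    business_need_months: int   # documented business need
    owner: str                  # who initiates and verifies deletion (step 5)

    @property
    def retention_months(self) -> int:
        # Step 3: the longest justifiable period wins.
        return max(self.legal_minimum_months,
                   self.limitation_months,
                   self.business_need_months)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]  # None: trigger not yet fired (relationship ongoing)
    legal_hold: bool = False      # documented hold for specific anticipated litigation


# Constructed schedule: categories, periods and owners are illustrative only.
SCHEDULE = {r.category: r for r in [
    RetentionRule("aml_kyc", "relationship_end", 60, 0, 0, "MLRO"),
    RetentionRule("contract_billing", "contract_end", 0, 72, 0, "Finance"),
    RetentionRule("payroll", "employment_end", 72, 0, 0, "HR"),
    RetentionRule("unsuccessful_cv", "application_closed", 0, 0, 6, "HR"),
    RetentionRule("consent_log", "consent_withdrawn", 0, 36, 0, "DPO"),
]}


def deletion_due(rule: RetentionRule, record: Record) -> Optional[date]:
    """Date on which the record becomes deletable, or None if the trigger has not fired."""
    if record.trigger_date is None:
        return None
    return add_months(record.trigger_date, rule.retention_months)


def classify(record: Record, today: date, schedule=SCHEDULE) -> str:
    """Return one of: 'delete', 'retain', 'hold', 'no_rule'."""
    rule = schedule.get(record.category)
    if rule is None:
        return "no_rule"   # category not covered by the schedule: a finding, not silent retention
    if record.legal_hold:
        return "hold"      # specific, documented hold overrides the expiry
    due = deletion_due(rule, record)
    if due is None or today < due:
        return "retain"
    return "delete"


def deletion_worklist(records, today: date, schedule=SCHEDULE) -> dict:
    """Group record ids by action so each owner gets a list to action and verify."""
    out = {"delete": [], "retain": [], "hold": [], "no_rule": []}
    for r in records:
        out[classify(r, today, schedule)].append(r.record_id)
    return out


if __name__ == "__main__":
    sample = [
        Record("R1", "aml_kyc", date(2019, 3, 31)),
        Record("R2", "aml_kyc", None),
        Record("R3", "contract_billing", date(2019, 3, 31), legal_hold=True),
        Record("R4", "unsuccessful_cv", date(2024, 8, 31)),
        Record("R5", "cctv", date(2020, 1, 1)),
    ]
    print(deletion_worklist(sample, date(2025, 1, 15)))
```

The `no_rule` bucket is the one to watch in practice: every record that lands there is a data category missing from the inventory in step 1. The same worklist should be run against backup and archive copies, not only the primary system, otherwise the "ignoring backups" mistake listed above goes undetected.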
Automate data lifecycle management
HubSecure Vault lets you set retention periods per record type — with automated deletion prompts, audit trails, and GDPR-ready documentation built in.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.