The principle of limited retention of personal data is laid down by the GDPR (RGPD) and the French Data Protection Act.
The data lifecycle
Within a single processing operation, personal data passes through successive phases. This is what is known as the “life cycle” of personal data.
A / This cycle has three phases:
1- Storage in an active database
This is the time needed to achieve the objective (the purpose of the processing) that justified collecting or recording the data. For example, in a company, the data of an unsuccessful candidate will be kept for a maximum of 2 years (unless the candidate requests its deletion) by the human resources department.
In practice, during this phase the data remains readily accessible in the immediate working environment of the operational departments in charge of the processing (e.g. the human resources department for recruitment operations);
2- Intermediate archiving
The personal data is no longer used to achieve the objective set (“closed files”) but still presents an administrative interest for the organization (e.g. handling a possible dispute) or must be kept to meet a legal obligation (for example, billing data must be kept for ten years under the French Commercial Code, even if the person concerned is no longer a customer). The data may then be consulted only on an ad hoc, justified basis, by specifically authorized persons;
3- Permanent archiving
Because of their “value” and interest, certain data is archived definitively and permanently.
Unlike storage in an active database, the last two phases are not systematically implemented. Their necessity must be assessed for each processing operation, and, at the transition to each of these phases, the data is sorted to decide what is kept and what is deleted.
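The three-phase life cycle above (active database, intermediate archive with restricted access, then deletion) maps naturally onto a retention schedule that can be enforced programmatically. The following is an added illustration, not code from the CNIL or from this page: it encodes the two durations the page mentions (2 years for an unsuccessful candidate, 10 years for billing data under the Commercial Code) as rules, classifies each record into its current phase, performs the sorting step, and applies a different access rule per phase. The split of the 10-year billing duration into 1 year active plus 9 years intermediate, the record identifiers, and the role names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List


class Phase(Enum):
    ACTIVE = "active database"
    INTERMEDIATE = "intermediate archive"
    DELETE = "delete"


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    active_years: int         # time in the active database, counted from collection
    intermediate_years: int   # time in the intermediate archive after the active phase; 0 if none
    basis: str                # legal text or CNIL doctrine justifying the duration
    erasure_cuts_short: bool  # True if a data subject's deletion request ends retention early


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_on: date
    erasure_requested: bool = False


# Constructed schedule (hypothetical). Totals follow the page: 2 years for an
# unsuccessful candidate, 10 years for billing data. The 1 + 9 year split for
# billing is an assumption made for this example.
SCHEDULE: Dict[str, RetentionRule] = {
    "recruitment": RetentionRule("recruitment", 2, 0, "CNIL doctrine (recommended)", True),
    "billing": RetentionRule("billing", 1, 9, "French Commercial Code (mandatory)", False),
}


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def phase_for(record: Record, today: date) -> Phase:
    """Decide which life-cycle phase a record belongs in on a given day."""
    rule = SCHEDULE[record.purpose]
    if record.erasure_requested and rule.erasure_cuts_short:
        return Phase.DELETE
    active_end = add_years(record.collected_on, rule.active_years)
    if today < active_end:
        return Phase.ACTIVE
    if today < add_years(active_end, rule.intermediate_years):
        return Phase.INTERMEDIATE
    return Phase.DELETE


def sort_records(records: List[Record], today: date) -> Dict[Phase, List[str]]:
    """The sorting step: group every record id by the phase it belongs in today."""
    buckets: Dict[Phase, List[str]] = {phase: [] for phase in Phase}
    for r in records:
        buckets[phase_for(r, today)].append(r.record_id)
    return buckets


def may_access(phase: Phase, role: str, justification: str = "") -> bool:
    """Access rule per phase: operational staff in the active phase; only
    specifically authorized persons with a recorded justification in the
    intermediate archive; nobody once the data is due for deletion."""
    if phase is Phase.ACTIVE:
        return role == "operational"
    if phase is Phase.INTERMEDIATE:
        return role == "archive_authorized" and bool(justification.strip())
    return False


# Constructed sample records (hypothetical identifiers and dates).
SAMPLE = [
    Record("cand-1", "recruitment", date(2021, 3, 1)),
    Record("cand-2", "recruitment", date(2023, 9, 15)),
    Record("cand-3", "recruitment", date(2023, 9, 15), erasure_requested=True),
    Record("inv-1", "billing", date(2022, 6, 30)),
    Record("inv-2", "billing", date(2013, 6, 30)),
]
TODAY = date(2024, 1, 10)

if __name__ == "__main__":
    for phase, ids in sort_records(SAMPLE, TODAY).items():
        print(f"{phase.value}: {ids}")
```

Running the script on the sample set for 10 January 2024 places cand-2 in the active database, inv-1 in the intermediate archive, and cand-1, cand-3 and inv-2 in the deletion bucket; a deletion request only shortens retention where the rule allows it, so an erasure request would not remove billing data that the Commercial Code requires to be kept.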
B / Identifying the retention period of processing operations
Defining the retention period is part of the compliance analysis that the data controller must carry out for each of its processing operations.
In some cases, the retention period is set by regulations (for example, article L3243-4 of the Labor Code requires the employer to keep a duplicate of the employee's pay slip for 5 years).
However, for many data processing operations, the retention period is not fixed by any text. It is then up to the data controller to determine it according to the purpose of the processing.
C / Tools to help define durations
As part of its mission to support professionals, the CNIL has developed tools to help identify the periods applicable to data retention, as well as a guide to facilitate the implementation of this principle.
These tools are intended for all professionals, whatever their sector (public or private) and whatever the size of their structure.
1- A practical guide
The practical guide to retention periods answers questions frequently asked by professionals, both on the principle of limiting the retention periods and on its implementation.
It also presents the “retention period repository” tool, in terms of content and use.
Developed in partnership with the Interministerial Archives Service of France (SIAF), this practical guide explains how to reconcile the obligations of the GDPR with those imposed by the Heritage Code.
2- Repositories of retention periods
The purpose of these repositories is to make it easier for the data controller to find the relevant duration.
Presented as tables, they set out, for the most common processing operations in the sector concerned, the stages in the life of the data (active database and, where applicable, intermediate archiving).
The durations mentioned for each phase of the data's life are:
- either mandatory, because imposed by a legislative or regulatory text;
- or recommended with regard to CNIL doctrine (former simplified standards or single authorizations, sectoral reference frameworks, recommendations, etc.); they then constitute a point of reference from which the data controller may deviate, provided the choice is documented.
This tool was designed as a working basis from which the controller carries out its own analysis, taking into account the specifics of the processing concerned and the particular context of the organization.
D / The right questions to ask yourself
How long do I really need the data to achieve the goal?
Do I have legal obligations to keep the data for a certain period of time?
Do I have to keep certain data in order to protect myself against possible litigation? Which ones?
Until when can I assert this legal action?
What information should be archived? For how long?
What are the data deletion rules?
What are the data archiving rules?