Lesson 4: The GDPR principles of data protection
- Notion 26 - The importance of the personal data processing principles
- Notion 27 - First GDPR principle: lawfulness, fairness, transparency
- Notion 28 - Second GDPR principle: purpose limitation
- Notion 29 - Third GDPR principle: data minimization
- Notion 30 - Fourth GDPR principle: accuracy
- Notion 31 - Fifth GDPR principle: storage limitation
- Notion 32 - Sixth GDPR principle: integrity and confidentiality.
- Notion 33 - Seventh GDPR principle: accountability
- Notion 34 - Review of the main concepts.
Notion 31
Fifth GDPR principle: storage limitation
Target skills
Principle 5 - Storage Limitation
As we mentioned earlier, data protection regulations protect individuals' personal data by giving them more control over their personal online information. They also hold organisations to account if that personal data is processed in an unauthorised and harmful way. One of the ways to minimise risk is through time, i.e. the storage of data has an expiry date. For this reason, an important principle called "storage limitation" has been included in the GDPR.
What is storage limitation?
The storage limitation principle refers to the period of time for which an organisation retains an individual's personal data. When this period expires, organisations should be responsible for deleting the personal data held. Although the GDPR does not set specific time limits for different types of data, it does require that organisations set these time limits based on the purpose of the processing. In other words, organisations should determine the period of time for which an individual's personal data will be kept.
Again, personal data should be deleted unless there is a reason to keep it. For example, a company may keep some personal data about a former customer to protect against possible complaints or legal claims, but to what extent does it need to keep records of that relationship after a certain period of time and after the business relationship has ended?
To better understand this concept, here is another example that illustrates this case.
"A bank holds personal data about its customers. This includes the address, date of birth and mother's maiden name of each customer. The bank uses this data as part of its security procedures. It is reasonable for the bank to keep this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may still need to keep some of this data for a certain period of time for legal or operational reasons." (ICO, 2022).
To summarise the storage limitation principle, look at the following table:
References:
(ICO, 2022). Principle (e): Storage limitation. ICO - Information Commissioner's Office. Retrieved from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/