The GDPR has imposed a number of obligations on data controllers (i.e. “data owners”), a good number of which derive from rather general and seemingly trivial principles that are, sadly enough, difficult to comply with in practice. These concern, for example, the correctness of the processed data, the adequacy of their scope in relation to the purpose of the processing, or the so-called “temporality” principle, namely the time limitation on personal data retention.
The principle behind this is simple – we should not retain data for longer than needed. Moreover, when processing data, we should always endeavour to keep the retention period as short as possible. The GDPR legislators made a simple assumption: the purpose of the processing is no longer applicable -> the data becomes redundant -> it should be deleted immediately.
To exemplify, if your day-to-day work involves dealing with personal data ...
… in sales – pay attention to whether you are retaining time-barred contracts or invoices from X years ago that are no longer needed, even for bookkeeping purposes.
… in marketing – perhaps your department has outdated databases of potential customers, lists of participants in competitions that have long since taken place, or your computer retains a list of people who have signed up to a newsletter yet unsubscribed after some time.
… in HR – make sure that job applicants’ data is deleted within the established time limits.
… at the reception desk/office – every document, database or piece of information suspected of no longer serving a processing purpose should be brought to your attention.
Note! It is your employer, in its capacity as data controller, who is obliged to exercise control over the personal data being processed and to set time limits for deletion and periodic review of the data. Under no circumstances can you decide to delete the data yourself.
Therefore, what can your employer expect from you? The data controller ensures compliance with the organisation’s data processing principles, while the direct handling of the data, as a matter of principle, is carried out by the employees themselves, including you. If a certain set of data gives you cause for concern, please bring the issue to the attention of your superior or the data protection supervisor at your workplace.