How Long Should Authorisations to Process Personal Data Be Retained?
ANSWER
In light of the accountability principle (Article 5(2) GDPR) and the storage limitation principle (Article 5(1)(e) GDPR), it is not appropriate for data protection documentation — such as authorisations to process personal data, training attendance records, or data processing agreements — to be retained by data controllers indefinitely. Controllers should also apply GDPR principles to personal data contained in such documentation, and in particular should delete it without delay once it is no longer necessary for the purpose for which it was collected. It should, however, be noted that deleting personal data is a separate matter from the obligation or necessity of retaining certain documents within an organisation.
If a data controller no longer has a legal basis for processing personal data for a specific purpose, but retention of the documentation itself remains necessary, the general rule is that the personal data should be anonymised and the documentation retained in a form that no longer contains data enabling the identification of a natural person. Pseudonymisation may be an intermediate step, but it does not take the data outside the GDPR: pseudonymised data remains personal data (Article 4(5) and Recital 26 GDPR) and stays subject to the storage limitation principle, so only genuine anonymisation resolves the retention question.
In such a case, the data controller will be able to demonstrate, for audit purposes, that persons acting on its behalf were duly authorised — i.e. that they held authorisations. By establishing that personal data contained in authorisations will be anonymised upon the expiry of the period covered by the authorisation, the controller will be able to retain the documentation for potential evidentiary purposes in the future.