GDPR questions and answers

Category: Data Processing

GDPR documentation retention — how long should you keep evidence for a UODO inspection?

ANSWER

In this case, the answer should be analogous to the one given in the context of retaining documentation relating to personal data breaches.

The GDPR does not specify directly how long breach documentation must be retained. However, according to the Guidelines of the European Data Protection Board (EDPB), where such documentation contains personal data, the controller is obliged to determine an appropriate retention period on the basis of the general principles of data processing — in particular purpose limitation, data minimisation and storage limitation — and taking account of the legal basis for processing.

Under Article 33(5) GDPR, the controller must document all personal data breaches and be able, at the request of the supervisory authority, to demonstrate compliance with that provision. This obligation also forms part of the broader principle of accountability (Article 5(2) GDPR).

When determining retention periods, it is also worth referring to national law. The Act of 10 May 2018 on the Protection of Personal Data refers, in matters of administrative proceedings, to the Code of Administrative Procedure. The latter (Article 189g of the KPA) provides that an administrative monetary penalty may not be imposed after five years from the date of the breach of law or the occurrence of its effects. This may constitute a rational point of reference when determining retention periods for breach-related documentation that contains personal data.

Where, however, documentation does not contain personal data, UODO — in accordance with the latest recommendations contained in its guidance — advocates retaining it for as long as possible, given its evidential and analytical significance.

GDPR documentation retention — how long to keep evidence for UODO inspection? | ODO 24