The principle of storage limitation in the GDPR means that a company must erase personal data when it is no longer necessary for the processing. According to this principle, companies shall not store personal data longer than necessary to fulfil the purpose of the processing. In other words, the Controller must delete personal data after a period of time and not keep it indefinitely; a company should never store personal data longer than required.
The main rule on erasure is that a company should delete personal data when it is no longer necessary. The General Data Protection Regulation sets out the principle of storage limitation in Article 5 (e) of the GDPR.
Erasure of personal data to comply with the principle of storage limitation
The Controller needs to erase personal data regularly, for example when the data is no longer necessary for the processing. A company often processes personal data in received and sent e-mails, so it should erase e-mails regularly.
A company may also store personal data in several different storage locations, for example business systems, local storage on a work computer, notes, work phones, servers, backup files, e-mail, cloud storage, etc.
In addition, the company needs to be able to prove that it complies with the GDPR and carries out thinning (regular erasure). For example, the Controller can create a logbook and make a note in it every time an erasure takes place. The Controller can thus record why the erasure took place, from which storage location the data was deleted, how much personal data was erased, etc.
Companies should also create a logbook for personal data breaches. In some cases, a company must report a personal data breach to a Supervisory Authority within 72 hours.