Reply to post: "There is an explicit exemption in GDPR for data needed to fulfil legal obligations"

Say GDP-aaaR: UK's Information Commissioner pours £275k fine into London pharmacy's teaspoon

Mike 137 Silver badge

"There is an explicit exemption in GDPR for data needed to fulfil legal obligations"

There isn't an "exemption" (explicit or otherwise) as it's not needed anyway. Retention can be on any basis you choose provided you justify, document and adhere to that basis. You're even allowed to describe the basis on which you decide retention periods rather than specifying a finite duration (e.g. "until no longer required for taxation claims").

In event of challenge, the supervisory authority should however be likely to agree that your retention criteria are reasonable, so you do have to be specific whichever of the two approaches to defining and documenting it you choose to adopt.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020