Why are retention periods important?
Compliance with retention periods is necessary for organizations. On the one hand, you may not retain data longer than necessary, while on the other hand, certain laws require data to be retained for a certain period of time. It is therefore important to delve into this and organize retention periods properly within your organization. Here are three important reasons why:
1. Security and privacy
By keeping data for too long, you increase the risk of data breaches and unauthorized access. Under the General Data Protection Regulation (AVG), you are required to keep personal data no longer than necessary for the purpose for which it was collected.
2. Legal obligations
Various laws, such as the Tax Code, the Archives Act, and the Medical Treatment Agreement Act (WGBO), dictate how long you must keep certain records. Failure to comply with these rules can lead to penalties or legal problems.
3. Risks of noncompliance.
Failure to properly comply with retention periods can result in:
- Fines: Authorities such as the Personal Data Authority can impose large fines.
- Reputational damage: Leaking outdated data can damage customer and partner trust.
- Legal claims: Insufficient documentation can lead to problems in audits or lawsuits.
Overview of key retention periods
To make it clear, we have categorized the retention periods by category. This helps you quickly determine which rules apply to your organization.
Personal data (AVG/GDPR).
- Application data
Retention period: 4 weeks (without consent)
Legislation: AVG - Personnel files
Retention period: 2 years after leaving employment
Legislation: AVG - Copy ID proof
Retention period: Maximum 5 years after leaving employment
Legislation: AVG
Administration and Taxation
- Financial-administrative data
Retention period: 7 years
Legislation: Tax legislation - Invoices
Retention period: 7 years
Legislation: Tax legislation - Financial statements
Retention period: 7 years
Legislation: Tax legislation
Legal
- Contracts
Retention period: 5 to 20 years (depending on type)
Legislation: Civil Code - Warranty claims
Retention period: Up to 5 years after expiration
Legislation: Civil Code
Care
- Medical records
Retention period: At least 20 years after last contact
Legislation: WGBO - Patient files (academic)
Retention period: Up to 115 years after date of birth
Legislation: Archives Act - Psychiatric medical records
Retention period: Minimum 5 years after discharge
Legislation: WGBO - Work-related medical records
Retention period: Minimum 15 years after exposure
Legislation: Working Conditions Act - Research data
Retention period: Minimum 15 years after study
Legislation: EU Clinical Trials Regulation - Medical data workers in contact with hazardous substances
Retention period: Minimum 40 years
Legislation: Working Conditions Act
How do you determine what to keep and what to destroy?
Managing retention periods can be complicated. Here are three practical steps you can take to get a handle on your data management:
1. Establish a retention policy
Have a clear retention policy that meets the legal requirements and needs of your organization. This policy should specify what data will be kept, for how long, and when it will be destroyed.
2. Make use of tools and software
There are several tools available to help you manage retention periods. For example, these tools can automatically alert you when data needs to be destroyed or archived. Task management systems, for example, are great for this, in addition, they are also suitable for implementing an ISO management system, read all about this combination in the next blog.
3. Check regularly
It is important to periodically evaluate your data and delete outdated information. This prevents you from running unnecessary risks and allows for more efficient data management.
How we can help you ensure retention periods
To help you comply with retention periods, we offer a number of practical tools:
1. AVG scan
Our AVG scan helps you understand how your organization handles personal data and retention periods.
2. Template for retention policy.
Download our handy retention policy template and get started organizing your data management right away.
3. Customized advice
Do you have specific questions about retention periods or implementing a retention policy? Feel free to contact us for an introductory discussion.
Put today the first to compliance
Properly managing retention periods is necessary for compliance with laws, protecting privacy, and avoiding risk. Establishing a good retention policy and reviewing it regularly will keep your organization compliant, efficient and secure.
Have questions or want to get started right away? Download our retention policy template or contact us for an informal meeting. Together we'll make sure your organization is fully compliant!
