One of the most frequent questions our clients ask is simple: "how long am I allowed to keep data?". Behind it lies a very common SMB habit — keep everything, forever, "just in case we need it". For years that looked like prudence. In 2026 it is, in fact, a compliance and security risk.
Every dataset you hold without a valid reason is one more attack surface, one more storage cost and one more potential fine. This guide shows you how long you are legally required to keep certain records, how long you may keep the rest, and how to delete properly — without the jargon.
What GDPR says: the storage limitation principle
GDPR does not give you a fixed number of years. Article 5(1)(e) — the "storage limitation" principle — requires personal data to be kept only as long as necessary for the purpose it was collected for. In other words: once the purpose is gone and there is no legal basis, the data must be deleted or anonymised.
In practice, retention is the result of a tension between two forces. On one side, the minimisation principle pushes you to delete as soon as possible. On the other, sector laws (accounting, tax, employment) require you to keep certain records for years. A correct retention policy finds, for each data category, exactly the intersection of the two.
How long you MUST keep data (legal terms in Romania)
For records where the law imposes a minimum term, that term overrides the GDPR minimisation principle. The benchmarks most often relevant to a Romanian company:
- Mandatory accounting registers and supporting documents: 5 years, counted from 1 July of the year following the financial year (Accounting Law 82/1991, amended by Law 36/2023).
- Payroll records: 5 years — reduced from the previous 50-year threshold as of 1 January 2023.
- Annual financial statements: 10 years.
- Contract-related documents: for the duration of the contract plus the limitation period for any disputes (generally 3 years for claims, longer in special cases).
- Employment-relationship data: for the duration of employment plus the terms required by labour and tax law.
Mind the payroll transition: the cut from 50 to 5 years does not mean you can immediately throw out everything older. Documents used to establish pension rights must be handled with care. When unsure, ask your accountant or lawyer before deleting.
How long you MAY keep data (when there is no legal obligation)
For data that does not fall under a legal archiving obligation, the rule flips: you do not ask "how long can I keep it", but "why would I still keep it". A few typical cases:
- Data collected on the basis of consent (newsletter, marketing): delete it when the person withdraws consent and no other legal basis applies.
- Leads and contact-form submissions without a contract: set a reasonable term (e.g. 12-24 months after last contact) and delete automatically afterwards.
- CCTV recordings: usually days, not months — long-term retention must be justified separately.
- Unsolicited CVs: keeping them beyond the recruitment process needs a clear basis (e.g. consent for a talent pool).
The right to erasure — what authorities now check
Beyond automatic deletion when a term expires, you also have a reactive obligation: the right to erasure ("the right to be forgotten", Article 17). When a person requests deletion of their data and there is no basis to keep it, you must delete it without undue delay — from every system where it lives.
This topic was at the centre of the European Data Protection Board (EDPB) coordinated enforcement action for 2025, whose report was adopted on 18 February 2026. Thirty-two supervisory authorities took part, and 764 controllers, from SMEs to large companies, responded. The findings are relevant to any business:
- A lack of clear internal procedures for handling erasure requests.
- Insufficient transparency towards data subjects.
- Use of ineffective anonymisation techniques as a substitute for actual deletion.
- The absence of clearly defined retention periods.
- Technical limitations preventing effective erasure from backup systems.
The last point is the one companies most often ignore: if you delete a customer from the production database but they stay in backups for years, the erasure is incomplete. The answer is not to stop backing up, but to have a backup retention policy and a documented procedure: data deleted from production also "expires" from backups as old copies are rotated. This is where data protection (backup and retention) and GDPR compliance meet.
The fines are not theoretical (ANSPDCP 2025-2026)
The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) actively imposes penalties. In 2025 it issued 105 fines, totalling roughly 2.56 million lei (around 511,000 euros), of which 96 under GDPR. And in the first four months of 2026 it already applied 52 fines, worth around 1.13 million lei (around 230,500 euros).
Many of these penalties target exactly what we discussed here: keeping data without a basis, failing to react to individuals’ requests, insufficient security of the data kept. For an SMB, a single fine can exceed the cost of a retention policy done right from the start.
How to build a retention policy that holds
A useful retention policy is not a 40-page document nobody reads, but a set of rules actually applied. The path we recommend:
1. Inventory the data: what categories you hold, where they are (apps, files, email, backups), who has access.
2. Map the purpose and legal basis for each category; without a purpose and a legal basis, the data should not exist.
3. Set a retention term per category, at the intersection of the legal obligation and the minimisation principle.
4. Automate deletion: as far as possible, data expires by itself rather than relying on someone "remembering".
5. Handle backups separately: define copy retention and the procedure by which deletions propagate as old backups are rotated.
6. Document everything: a written, justified policy is the first evidence an authority asks for during an inspection.
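As an added example (not the guide's own tooling), the following Python sketch shows the mechanical core of steps 3 to 5 and of the backup gap discussed under the EDPB findings: expiry dates computed from the terms quoted above, and a check of when a record erased from production has actually aged out of rotated backups. The 24-month lead term and the weekly backup schedule are assumptions made for this example.

```python
from calendar import monthrange
from datetime import date, timedelta

ACCOUNTING_YEARS = 5  # legal minimum quoted in the guide, from 1 July of the next year

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def accounting_expiry(financial_year: int) -> date:
    """Earliest deletion date for accounting records of one financial year:
    5 years counted from 1 July of the year following it."""
    return add_years(date(financial_year + 1, 7, 1), ACCOUNTING_YEARS)

def lead_expiry(last_contact: date, months: int = 24) -> date:
    """Leads without a contract: assumed 24-month term after last contact
    (the guide suggests 12-24 months; 24 is this example's choice)."""
    years, month0 = divmod(last_contact.month - 1 + months, 12)
    year, month = last_contact.year + years, month0 + 1
    return date(year, month, min(last_contact.day, monthrange(year, month)[1]))

def weekly_snapshots(start: date, count: int) -> list[date]:
    """Constructed backup schedule: one full copy per week from `start`."""
    return [start + timedelta(weeks=i) for i in range(count)]

def backups_still_holding(snapshots: list[date], created: date, deleted: date,
                          today: date, retention_days: int) -> list[date]:
    """Backup copies that captured the record while it lived in production and
    have not yet been rotated out on `today`. Erasure is complete only when
    this list is empty."""
    keep = timedelta(days=retention_days)
    return [s for s in snapshots if created <= s < deleted and s + keep > today]

def fully_purged_on(snapshots: list[date], created: date, deleted: date,
                    retention_days: int) -> date:
    """Date the last backup copy containing the record is rotated out; equals
    `deleted` if no copy ever captured it. When answering an erasure request,
    this is the honest completion date, not the production delete."""
    holding = [s for s in snapshots if created <= s < deleted]
    return max(holding) + timedelta(days=retention_days) if holding else deleted

if __name__ == "__main__":
    snaps = weekly_snapshots(date(2026, 1, 4), 12)  # constructed sample schedule
    print(accounting_expiry(2025))  # 2031-07-01
    print(fully_purged_on(snaps, date(2026, 1, 10), date(2026, 2, 1), 30))  # 2026-02-24
```

The same functions can drive a scheduled job that lists records whose expiry has passed, which is what step 4 asks for.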
If you want retention not just on paper but enforced technically, with tested backups, automated retention and compliant deletion, we can build it together. See our data protection service or book a call, and we will start from your real inventory.
Conclusion
Correct data retention is not about keeping as much as possible, but about keeping exactly as much as needed — and being able to prove why. Companies that get this in order win on three fronts at once: they reduce fine risk, shrink their attack surface and cut needless storage costs. And when an inspection or an erasure request arrives, they respond in hours, not in panic.