This guide covers the three main regulatory environments where retention obligations arise: the EU/EEA under GDPR, the United Kingdom under UK GDPR, and the United States under its sector-specific federal laws and state privacy legislation. It addresses how each framework treats retention periods by data category, when statutory law fixes those periods, how to build a compliant data retention policy, and the specific obligations that apply to contracts.
The GDPR Storage Limitation Principle
The storage limitation principle, set out in GDPR Article 5(1)(e), requires companies to keep personal data only as long as necessary for the stated processing purpose. After that point, the data must be deleted or anonymised. It works in tandem with data minimisation: less data, held for less time, is the GDPR default.
Companies cannot store personal data indefinitely. Ongoing retention requires a continuously valid processing purpose or a statutory obligation that sustains the legal basis. Where neither exists, data must be removed. Consent does not endure permanently: a data controller must periodically reassess whether the original lawful basis still applies.
Retaining personal data beyond the defined period exposes organisations to GDPR enforcement under Article 83, with fines reaching up to €20 million or 4% of global annual turnover. Individuals hold a right to erasure under Article 17 once the processing purpose lapses. Sound contract compliance practice treats retention as a standing obligation, not a periodic review.
Data Retention Under GDPR (EU/EEA)
GDPR applies to any organisation established in the EU/EEA, and to any organisation anywhere in the world that processes the personal data of EU/EEA residents. It does not publish a fixed retention schedule. Industry practice and statutory law have produced broadly accepted retention ranges by data category. The periods below represent typical guidance for EU-established companies; individual circumstances and member state implementations may require adjustment.
Employment and HR Records
Employee personal data should be retained for the duration of employment plus the applicable statutory limitation period: three to six years in most EU member states, depending on national employment and contract law. Payroll and tax records are generally kept for six to seven years under national tax authority rules. Employment contracts and associated HR documents follow this same framework.
Disciplinary records generally warrant one to five years depending on severity. Records for unsuccessful job applicants carry a much shorter period: six to twelve months, after which prompt deletion is required. Each employee privacy notice should state the specific retention periods that apply to each category of data the employer holds.
Customer and Contractual Data
Customer data can be stored for the duration of the contract plus the applicable limitation period for contractual claims: six years in most common law jurisdictions, three years in many civil law systems. After that window, the lawful basis of contract performance under GDPR Article 6(1)(b) no longer justifies retention. Personal data within contracts should then be deleted or anonymised.
The contract document and the personal data within it carry separate retention logic. An archiving or audit obligation on the contract does not automatically justify retaining all associated personal data. Organisations building a digital contract storage framework should address this distinction explicitly in their retention policy.
Financial Records and Tax Data
Tax records containing personal data must generally be retained for six to seven years under most EU member state tax law, a statutory minimum that takes precedence over GDPR’s storage limitation principle. Many EU jurisdictions mandate seven to ten years under VAT and corporate tax rules. Financial services add further requirements through AML and KYC obligations: five to seven years for transaction records in most jurisdictions.
These statutory periods are a hard floor. A company cannot delete financial records containing personal data before the statutory minimum has elapsed, even if the individual submits an erasure request. The right to erasure under GDPR Article 17(3)(b) contains an explicit exception for legal obligations. Statutory retention requirements fall squarely within that exception.
Special Category Data
Special category data under GDPR Article 9, including health information, biometric data, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, and trade union membership, carries higher processing conditions. It warrants shorter retention periods in most contexts. Occupational health records are an exception: some EU member states impose extended retention periods for workers exposed to hazardous substances, with national regulations in certain jurisdictions requiring records for up to 40 years.
Where consent is the lawful basis for processing special category data, it must be reviewed periodically. Withdrawal of consent triggers an immediate obligation to delete, unless another lawful basis applies. Organisations should audit their special category data holdings at least annually, confirming that each record still has an active legal basis for retention.
Data Retention Under UK GDPR
The United Kingdom retained the EU GDPR as domestic law through the Data Protection Act 2018, amended post-Brexit to create a standalone UK framework. This is referred to as UK GDPR and is administered by the Information Commissioner’s Office. The storage limitation principle applies in identical terms to the EU framework: personal data must not be kept longer than necessary for the stated processing purpose.
UK statutory retention periods align closely with EU practice in most categories. Employment records are held for six years after employment ends under the Limitation Act 1980 for contractual claims; payroll and tax records for six years under the Taxes Management Act 1970; and accounting records for six years at private companies and ten years at public companies under the Companies Act 2006. Financial services firms follow FCA record-keeping rules, which vary by product type but often require five to seven years.
Occupational health records in the UK follow COSHH regulations: employers must retain records for workers exposed to certain hazardous substances for up to 40 years. The right to erasure exists under UK GDPR Article 17 on the same terms as EU GDPR, with the same legal obligation exception: statutory retention obligations override individual erasure requests during the mandatory period.
Divergence from EU GDPR Since Brexit
The UK has diverged from EU GDPR in certain areas since 2021, though retention obligations are not the primary area of difference. The most material divergences concern data transfer mechanisms: the UK issues its own adequacy decisions and uses International Data Transfer Agreements rather than EU Standard Contractual Clauses. Enforcement falls to the ICO, not EU supervisory bodies or the European Data Protection Board.
ICO enforcement powers are proportionate to those under the EU framework. Fines can reach up to £17.5 million or 4% of global annual turnover for the most serious violations. Companies operating in both the EU and UK face parallel compliance obligations: the same processing activity must satisfy both the ICO and the relevant EU supervisory authority, and the two regulators operate entirely separate enforcement regimes.
Data Retention Under US Law
The United States has no single federal data retention framework equivalent to GDPR or UK GDPR. Retention obligations arise from a patchwork of federal sector-specific laws and, more recently, state-level privacy legislation. A company’s obligations depend on what data it holds, which industry it operates in, and which states its customers reside in.
Key federal retention requirements cover specific sectors. HIPAA requires covered entities and business associates to retain protected health information for six years from creation or last effective date. The Sarbanes-Oxley Act requires seven years for audit workpapers and financial records at public companies. The Fair Labor Standards Act requires payroll records for three years. SEC Rule 17a-4 requires broker-dealers to retain certain records for six years.
The Fair Credit Reporting Act requires consumer reporting agencies to retain most negative consumer information for seven years. These obligations are sector-specific: a company with no health data, no listed securities, and no consumer credit function may face no federal minimum retention requirement. In the US, the absence of a sector-specific law means no statutory floor applies.
State-Level Privacy Laws: California and Beyond
California’s CPRA (the amended CCPA) does not impose fixed retention periods. It requires companies to disclose retention periods in their privacy notice, to process data only as long as reasonably necessary for the disclosed purpose, and to honour consumer deletion requests subject to defined exceptions. This mirrors the storage limitation logic of GDPR without mandating specific periods.
More than a dozen US states have enacted comprehensive privacy laws since 2023, including Virginia, Colorado, Connecticut, Texas, and Florida. Most follow the CCPA/CPRA model: purpose-based retention, disclosure obligations, and consumer deletion rights. None impose fixed retention minimums. Companies operating nationally require a state-by-state review of applicable obligations, as the scope of deletion rights and the exceptions to them vary across frameworks.
The Key Distinction from GDPR
Under GDPR and UK GDPR, the storage limitation principle is a universal baseline: it applies to all personal data, regardless of category or industry. In the US, no equivalent default exists. Retention obligations only arise where a specific federal or state law applies to the data type and the company’s activity. A company with no sector-specific obligation may lawfully retain personal data indefinitely under federal law.
This distinction is narrowing. State privacy laws are extending purpose-based limitations to more companies, and federal privacy legislation remains under active discussion. Companies with US operations should monitor state-level developments: the gap between US and GDPR-style retention requirements is closing in states with comprehensive privacy frameworks, even where the federal baseline remains sectoral.
Retention Periods by Jurisdiction: Comparison
The table below summarises broadly accepted retention ranges across the three frameworks for the most common data categories. Statutory minimums apply where stated; all other periods represent standard practice informed by limitation periods and regulatory guidance.
| Data Category | EU GDPR | UK GDPR | US (Federal) |
| --- | --- | --- | --- |
| Employment records | Employment term + 3–6 years (varies by member state) | Employment term + 6 years (Limitation Act 1980) | 3 years for payroll records (FLSA); varies by record type |
| Financial / tax records | 6–10 years (varies by member state; statutory minimum) | 6 years (Taxes Management Act 1970; Companies Act 2006) | 7 years for public companies (SOX); sector-specific otherwise |
| Customer / contractual data | Contract term + 3–6 years (limitation period varies by member state) | Contract term + 6 years (Limitation Act 1980) | No federal default; deletion rights apply under CCPA in California |
| Health data | No fixed period; special category conditions apply | No fixed period; special category conditions apply; COSHH for occupational records | 6 years from creation or last effective date (HIPAA) |
| Marketing / consent data | Until consent withdrawn or purpose ends | Until consent withdrawn or purpose ends | No federal default; CCPA/CPRA deletion rights apply in California |
When Statutory Law Determines Retention Periods
Statutory law sets minimum retention periods that companies must observe regardless of GDPR’s storage limitation principle. These requirements fall under the legal obligation lawful basis, Article 6(1)(c), which overrides individual erasure requests during the mandatory period. Employment law, tax law, financial regulation, and health and safety legislation are the primary areas affected.
The practical consequence is direct. During a statutory retention period, a data controller can lawfully decline an individual’s erasure request. The exception in GDPR Article 17(3)(b) preserves this right: personal data held under a legal obligation is outside the scope of the right to erasure for the duration of that obligation.
Multi-jurisdiction companies face a further layer of complexity. A business operating across the EU cannot apply a single retention period to each data category, as member state implementations of EU directives vary. The most stringent applicable national law governs in each territory. Jurisdiction-specific retention schedules are the only reliable approach for organisations with cross-border data holdings.
In the UK, the same principle applies under UK GDPR. Statutory obligations under the Limitation Act 1980, Taxes Management Act 1970, Companies Act 2006, and FCA rules constitute legal obligations that override individual erasure requests during the mandatory period. The ICO’s guidance confirms that data held under a statutory requirement falls outside the scope of the right to erasure under UK GDPR Article 17(3)(b).
In the US, federal retention requirements under HIPAA, SOX, FLSA, FCRA, and SEC rules function as mandatory minimums that cannot be shortened by a consumer’s deletion request. State-level privacy laws including CCPA/CPRA explicitly carve out records subject to legal obligations from consumer deletion rights. Where a statutory floor exists in any jurisdiction, it cannot be reduced by an individual’s request.
How to Build a Data Retention Policy
A data retention policy is an internal governance document that specifies how long each category of personal data is held, the lawful basis for that period, and the action taken when the period expires. Without one, a data controller cannot demonstrate compliance under GDPR’s accountability principle, Article 5(2). The three steps below describe the minimum required structure.
Step 1 — Conduct a Data Audit
Before retention periods can be set, the organisation must know what personal data it holds, where it is stored, for what purpose, and on what lawful basis. A data audit maps this across every system: CRM, HRIS, email platforms, shared drives, and contract management tools. The output is a data inventory that becomes the foundation of the retention schedule.
Many organisations discover their highest-risk data during this step: unstructured holdings in email threads, shared drives, and legacy files that carry no defined retention period and no automated controls. Contracts stored outside a centralised platform are a common source of undeclared personal data. Data without a defined period and a clear owner is the most likely source of a retention breach.
Step 2 — Map Purposes and Legal Bases
For each data category in the audit, document the processing purpose and the lawful basis. The lawful basis determines the maximum permitted retention period. Contract performance ends when the contract and its claims period expire. Legal obligation is fixed by statute. The legitimate interests basis requires regular reassessment and does not provide an open-ended retention right.
Where multiple purposes apply to the same data, the longest applicable period governs for the data elements covered by that purpose. An employment contract serves both a contractual and a statutory tax purpose; the periods differ by record type. Any third-party processor handling this data must operate under a data processing agreement that reflects the controller’s defined retention periods.
Step 3 — Set Periods, Automate, and Assign Ownership
The output of this process is a retention schedule mapping each data category to a defined period, an end-of-retention action, and a named owner. A policy without operational enforcement has no value: manual deletion schedules fail at volume. Retention must be built into system-level controls, including automated deletion workflows, expiry alerts, and CRM data purge rules.
The retention policy must be reviewed at least annually, and updated when processing purposes change, new data types are introduced, or legislation changes. GDPR’s accountability principle under Article 5(2) requires documentary evidence of this review. An undated or never-revised policy is difficult to defend in an enforcement investigation.
What Happens When the Retention Period Ends
Personal data must be securely deleted or anonymised once the retention period expires. Retaining data beyond this point without a renewed justification breaches GDPR’s storage limitation principle and constitutes a reportable compliance failure. The controller must act promptly: continued storage without a valid purpose is itself a breach.
Secure Deletion
Secure deletion means more than moving data to a recycle bin or restricting access. It requires cryptographic erasure, overwriting, or physical destruction of storage media, depending on data sensitivity. Each deletion event should be logged: the date, the data category, and the system from which it was removed. This log is the compliance evidence the accountability principle requires.
Deletion across distributed systems is where most organisations fall short. Removing data from a primary database while leaving it in backups, disaster recovery copies, or archived email folders is not GDPR-compliant. Backup retention schedules must align with data retention schedules. If a backup holds data that should have been deleted, that backup is itself a retention breach.
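The statutory-floor rule above, the three policy-building steps, and the deletion log described in this section can be expressed as one small retention engine. The block below is an added illustration, not code from the article or from Miramis: the schedule, category names, owners, sample records and the system labels ("hris", "backup", "clm") are constructed, and the periods are the UK figures the article quotes. It decides each record against the schedule, refuses an erasure request only while a statutory period is still running (the GDPR Article 17(3)(b) exception), applies the end-of-retention action when the period has expired, and writes a deletion-log entry per event, including copies held in backups.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Added illustration (not the article's or Miramis's code): a retention schedule
# turned into per-record decisions plus a deletion log.

@dataclass(frozen=True)
class RetentionRule:
    lawful_basis: str        # "contract", "legal_obligation", "legitimate_interests", "consent"
    years: Optional[int]     # period counted from the trigger date; None = no fixed period
    action: str              # end-of-retention action: "delete" or "anonymise"
    statutory: bool          # True when the period is fixed by statute (hard floor)
    owner: str               # named owner of the category (Step 3)

# Constructed schedule using the UK periods the article quotes; a real schedule is
# built per jurisdiction and per record type (Steps 1 and 2).
SCHEDULE: Dict[str, RetentionRule] = {
    "payroll":                RetentionRule("legal_obligation",     6,    "delete",    True,  "Finance"),
    "customer_contract":      RetentionRule("contract",             6,    "anonymise", False, "Legal"),
    "unsuccessful_applicant": RetentionRule("legitimate_interests", 1,    "delete",    False, "HR"),
    "marketing_consent":      RetentionRule("consent",              None, "delete",    False, "Marketing"),
}

@dataclass
class Record:
    record_id: str
    category: str
    system: str                 # where this copy lives: primary DB, backup, mailbox, ...
    trigger_date: date          # employment end, contract end, consent given, ...
    consent_withdrawn: bool = False

@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                 # "retain", "delete" or "anonymise"
    reason: str
    retain_until: Optional[date]

def add_years(d: date, years: int) -> date:
    # 29 February rolls back to 28 February when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def decide(record: Record, today: date, erasure_requested: bool = False) -> Decision:
    rule = SCHEDULE[record.category]
    expiry = add_years(record.trigger_date, rule.years) if rule.years is not None else None

    # Consent-based data has no fixed period: withdrawal triggers immediate deletion.
    if rule.lawful_basis == "consent":
        if record.consent_withdrawn:
            return Decision(record.record_id, rule.action, "consent withdrawn", None)
        return Decision(record.record_id, "retain", "consent active; review periodically", None)

    # Period has run out: apply the end-of-retention action whether or not anyone asked.
    if expiry is not None and today >= expiry:
        return Decision(record.record_id, rule.action, "retention period expired", expiry)

    # Inside the period: a statutory floor overrides an erasure request (Art. 17(3)(b)).
    if erasure_requested:
        if rule.statutory:
            return Decision(record.record_id, "retain", "statutory retention; erasure refused", expiry)
        return Decision(record.record_id, rule.action, "erasure request honoured", expiry)

    return Decision(record.record_id, "retain", "within retention period", expiry)

def run_schedule(records: List[Record], today: date,
                 erasure_requests: Optional[Set[str]] = None) -> Tuple[List[Decision], List[dict]]:
    """Decide every record and log each delete/anonymise event as accountability evidence."""
    erasure_requests = erasure_requests or set()
    decisions, deletion_log = [], []
    for rec in records:
        d = decide(rec, today, rec.record_id in erasure_requests)
        decisions.append(d)
        if d.action != "retain":
            deletion_log.append({"date": today.isoformat(), "record_id": rec.record_id,
                                 "category": rec.category, "system": rec.system,
                                 "action": d.action, "reason": d.reason,
                                 "owner": SCHEDULE[rec.category].owner})
    return decisions, deletion_log

# Constructed sample records. The backup copy is listed on purpose: a backup that
# still holds data past its period is itself a retention breach.
SAMPLE = [
    Record("pay-001", "payroll", "hris", date(2020, 3, 31)),                 # expires 2026-03-31
    Record("pay-002", "payroll", "backup", date(2018, 3, 31)),               # expired 2024-03-31
    Record("ctr-010", "customer_contract", "clm", date(2017, 6, 30)),        # expired 2023-06-30
    Record("app-404", "unsuccessful_applicant", "mailbox", date(2025, 1, 15)),
    Record("mkt-777", "marketing_consent", "crm", date(2022, 9, 1), consent_withdrawn=True),
]

def demo(today: date = date(2025, 6, 1)) -> Tuple[List[Decision], List[dict]]:
    # Two erasure requests: one hits a statutory floor (refused), one is honoured.
    return run_schedule(SAMPLE, today, erasure_requests={"pay-001", "app-404"})

if __name__ == "__main__":
    decisions, log = demo()
    for d in decisions:
        print(d)
    print(f"{len(log)} deletion events logged")
```

Running it as of 1 June 2025 retains pay-001 despite the erasure request (statutory floor until 31 March 2026), deletes the expired backup copy pay-002, anonymises the expired contract ctr-010, honours the applicant's erasure request, deletes the withdrawn marketing consent, and logs four events.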
Anonymisation as an Alternative to Deletion
The difference between deleting and anonymising personal data is that deletion removes it entirely, while anonymisation strips all identifying elements. Once genuine anonymisation is complete, the residual data falls outside GDPR’s scope and can be retained indefinitely for analytics, research, or reporting. The identifying information is gone; what remains is not personal data under the regulation.
Anonymisation must be distinguished from pseudonymisation. Anonymisation is irreversible: once identifying elements are removed and no re-identification key exists, the data is no longer personal data under GDPR. Pseudonymisation replaces identifiers with pseudonyms, but the data remains personal data if re-identification is possible. Only genuine anonymisation removes information from GDPR obligations entirely.
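The reversibility test in the paragraph above is easy to show mechanically. The block below is an added example, not from the article or from Miramis: the customer rows, key and group threshold are constructed. It pseudonymises the same rows with a keyed hash (HMAC-SHA256), shows that whoever holds the key can re-link a token to a candidate identity, and then produces an aggregate that contains neither identifiers nor per-person rows. Whether a given output is genuinely anonymous is a judgement about residual re-identification risk; the code only demonstrates the structural difference between the two outputs.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample rows, not real people.
CUSTOMERS: List[Dict] = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "birth_year": 1984, "plan": "pro"},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "birth_year": 1988, "plan": "pro"},
    {"email": "carol@example.com", "postcode": "SW1A 3CC", "birth_year": 1981, "plan": "pro"},
    {"email": "dave@example.com",  "postcode": "EC1A 1BB", "birth_year": 1975, "plan": "basic"},
    {"email": "erin@example.com",  "postcode": "EC1A 2CC", "birth_year": 1979, "plan": "basic"},
    {"email": "frank@example.com", "postcode": "EC1A 3DD", "birth_year": 1970, "plan": "basic"},
    {"email": "grace@example.com", "postcode": "N1 9GU",   "birth_year": 1992, "plan": "pro"},
]

# Constructed key; in practice it would live in a KMS/HSM, never beside the data.
SECRET_KEY = b"constructed-pseudonymisation-key"

def token_for(email: str, key: bytes) -> str:
    """Keyed hash of the identifier; the key is the re-identification key."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(rows: List[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a token. Still personal data: one row per person,
    quasi-identifiers intact, and the token is reversible by anyone holding the key."""
    return [{"subject_token": token_for(r["email"], key),
             "postcode": r["postcode"], "birth_year": r["birth_year"], "plan": r["plan"]}
            for r in rows]

def re_identify(token: str, candidate_emails: List[str], key: bytes) -> Optional[str]:
    """With the key and a list of candidate identifiers, a token maps straight back to a person."""
    for email in candidate_emails:
        if hmac.compare_digest(token_for(email, key), token):
            return email
    return None

def anonymise(rows: List[Dict], min_group: int = 3) -> Dict[Tuple[str, int, str], int]:
    """Drop direct identifiers, coarsen quasi-identifiers (outward postcode, birth decade)
    and keep only group counts; groups smaller than min_group are suppressed.
    No key exists, so there is nothing to reverse."""
    counts: Counter = Counter()
    for r in rows:
        area = r["postcode"].split()[0]
        decade = (r["birth_year"] // 10) * 10
        counts[(area, decade, r["plan"])] += 1
    return {group: n for group, n in counts.items() if n >= min_group}

if __name__ == "__main__":
    pseudo = pseudonymise(CUSTOMERS, SECRET_KEY)
    print("pseudonymised row:", pseudo[0])
    print("re-identified as:", re_identify(pseudo[0]["subject_token"],
                                           [c["email"] for c in CUSTOMERS], SECRET_KEY))
    print("aggregate:", anonymise(CUSTOMERS))
```

The pseudonymised dataset must therefore stay inside the retention schedule and the data processing agreement like any other personal data, and the key must be destroyed when the data is; only the aggregate output can be treated as outside the schedule, and even then only after the residual re-identification risk has been assessed.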
Contracts Contain Personal Data — Retention Applies
Contracts contain significant volumes of personal data: signatory names, employee information, customer details, and personal guarantor data in supplier agreements. This data carries the same GDPR retention obligations as any other personal data the company holds. Most compliance frameworks treat contracts as legal documents and overlook the personal data dimension.
A company must retain the contract document for the statutory limitation period. This obligation does not automatically justify retaining all associated personal data beyond the processing purpose. The contract and the personal data within it have separate retention logic under GDPR. Each must be assessed independently when building a retention schedule.
Where a company uses a third-party platform for contract storage, a data processing agreement with that processor must specify retention periods and deletion or anonymisation procedures for personal data within contracts. The data controller cannot delegate this responsibility to the processor. It remains with the controller regardless of which system holds the data.
How a Contract Management Platform Supports GDPR Retention Compliance
For most organisations, contracts containing personal data sit in email threads, shared drives, and disconnected systems. Tracking retention periods across those holdings manually is not realistic at scale. Enforcing deletion requires knowing what exists, where it lives, and when the retention period for each contract expires. Without a centralised system, none of this is auditable.
Miramis is a GDPR-native contract lifecycle management platform. Its contract repository supports automated retention tracking, metadata tagging, and audit-ready storage for every contract in the organisation’s portfolio. Legal and compliance teams can apply retention schedules at the contract level and trigger review workflows as expiry dates approach.
PLAI, Miramis’s AI contract agent, extracts and tags metadata from uploaded contracts automatically. This includes data relating to contracting parties: the personal data most commonly missed in retention audits. The platform’s ISO 27001 compliant CLM architecture and SOC 2 certification meet the security requirements for organisations managing personal data in contracts.
Manage Data Retention Without Losing Control of Your Contracts
Most companies know they have data retention obligations but lack the systems to enforce them consistently across their contract archive. If your organisation manages contracts on behalf of customers, employees, or suppliers, book a demo to see how Miramis handles retention tracking, expiry alerts, and GDPR-compliant contract storage in practice.
Disclaimer:
Please note: Miramis is not a substitute for an attorney or law firm. So, should you have any legal questions on the content of this page, please get in touch with a qualified legal professional.