Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Defining and documenting retention times for data sets


Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

  • the necessity of the data for its original processing purpose
  • implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
  • the legal effect of the contract or other legal action in civil matters
  • statutory limitation periods
  • criminal limitation periods

Describe your own process for evaluating retention periods.

Connected other frameworks and requirements:
5 luku, 21 §: Tietoaineistojen säilytystarpeen määrittäminen
5. Principles relating to processing of personal data
18.1.3: Protection of records
ISO 27001
PR.IP-6: Data destruction
A.7.4.2: Limit processing
ISO 27701
No items found.