Artifact GuideEU GDPR

Retention and Erasure Schedule for EU GDPR

A GDPR retention schedule should identify each personal-data category, why it is kept, when it is erased or anonymised, and how erasure requests are handled without inventing one-size-fits-all retention periods.

Use it to connect storage limitation, Article 17 erasure, Article 19 recipient notices, and Article 30 records of processing activities.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This artifact turns GDPR retention and erasure obligations into a schedule structure. It does not assign sector retention periods. Instead, it shows the fields and checks needed to justify how long personal data stays identifiable, when erasure is due, when an Article 17 exception may preserve processing, and what evidence should be retained for accountability.

Section 1

Start with storage limitation, not a default number of years

Article 5(1)(e) requires personal data to be kept in identifiable form no longer than necessary for the processing purpose. A useful schedule therefore starts with the purpose and data category, then states the erasure or anonymisation trigger for that category.

Where a longer period is needed for archiving in the public interest, scientific or historical research, or statistical purposes, the schedule should separate that longer-use scenario from ordinary operational retention and identify the safeguards relied on under the GDPR.

  • List the processing purpose before the retention rule.
  • Define the personal-data category and the category of data subjects affected.
  • State whether the end action is deletion, anonymisation, aggregation, or continued restricted retention for a documented GDPR-compatible reason.
  • Record the system, backup, archive, and processor locations where the same data category exists.
  • Do not add sector retention periods unless a cited legal or policy source in the evidence record supports them.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 5(1)(e) provides the storage limitation principle and Article 5(2) provides accountability for demonstrating compliance.
Section 2

Build the schedule fields around Article 30

Article 30 requires controller records to include purposes, categories of data subjects and personal data, recipients, transfers where applicable, envisaged erasure time limits where possible, and a general description of security measures. Those fields are the minimum structure for a retention schedule that also supports a RoPA.

The Irish Data Protection Commission guidance warns against vague RoPA references such as pointing to an unavailable retention policy or saying data is kept under a policy without stating what the retention rule actually is. The schedule should be self-contained enough for an external reviewer to understand the retention position.

  • Controller or processor role and process owner.
  • Processing activity and purpose.
  • Categories of data subjects and categories of personal data.
  • Recipient categories, including processors and third-country recipients where applicable.
  • Envisaged erasure time limit or trigger for each data category.
  • Security measures relevant to retention, such as access controls, encryption, deletion controls, and backup handling.
  • Source for the retention rule, split between GDPR-required fields and helpful extra information.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 30 lists the controller and processor record fields, including envisaged erasure time limits where possible.
Data Protection Commission - RoPA under Article 30 GDPR
DPC guidance supports using granular RoPA entries, business-function ownership, retention periods by data category, and a self-contained record rather than inaccessible policy references.
Section 3

Route Article 17 erasure requests through the same schedule

Article 17 requires erasure without undue delay where one of its grounds applies, including where the data is no longer necessary for the original purpose, consent is withdrawn with no other legal ground, the data subject successfully objects, the data was unlawfully processed, erasure is required by Union or Member State law, or the data was collected from a child in relation to information society services.

The schedule should also preserve the Article 17(3) exceptions as decision fields, not as blanket excuses. If continued processing is necessary for a legal obligation, public-interest task, public-health reason, protected archiving or research purpose, or legal claims, record the exact basis, the data categories retained, and the restricted use that remains allowed.

  • Capture the request date, requester identity check, data categories in scope, and systems searched.
  • Map each data category to an Article 17 ground, an Article 17(3) exception, or a no-data-found outcome.
  • Pause routine deletion only where needed to complete a pending rights response or preserve a documented lawful retention need.
  • When public data must be erased, record reasonable technical steps taken to notify other controllers processing links, copies, or replications.
  • Keep the response rationale separate from the deleted personal data so evidence does not recreate the data that should be erased.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 17 defines erasure grounds, public-copy notification steps, and exceptions where processing may continue.
Section 4

Use rights handling controls to avoid erasing evidence too early

Article 12 requires controllers to provide information on action taken on Articles 15 to 22 requests without undue delay and in any event within one month, with a possible two-month extension for complexity or number of requests. The retention schedule should therefore flag data categories with very short retention windows so rights teams can preserve enough data to handle a request received before routine erasure completes.

Article 19 also requires communication of rectification, erasure, or restriction to recipients unless impossible or involving disproportionate effort. A retention schedule should identify recipient categories and processors so the rights team can decide who must be notified after an erasure action.

Does GDPR set a single retention period for all personal data?

No. The GDPR uses storage limitation and requires data to be kept no longer than necessary for the processing purpose. Article 30 also asks for envisaged erasure time limits where possible, but the specific period depends on the purpose, data category, and a documented source outside this generic schedule.

Can a team erase all evidence after completing an Article 17 request?

Not automatically. The personal data covered by a valid erasure ground should be erased without undue delay, but the team may keep a minimal accountability record showing the request date, scope, decision, response, recipient notifications, and the lawful reason for any data category that was not erased.

  • Add a rights-hold flag for data that may be deleted before an active request is answered.
  • Link each data category to the systems and teams that must search for access or erasure requests.
  • Track recipient notification status after erasure, including when notification is impossible or disproportionate.
  • Record reasons for not taking action and the complaint or judicial-remedy information supplied to the requester when applicable.
  • Avoid retaining full request payloads when a minimal audit record can prove timing, scope, decision, and response.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 12 supplies request-response timing and Article 19 supplies recipient-notification obligations after erasure or restriction.
Section 5

Evidence records the schedule should retain

The evidence record should prove that the retention rule exists, is tied to the processing purpose, has an accountable owner, and is implemented in systems and processors. It should not preserve unnecessary copies of personal data simply to show that personal data once existed.

Use the RoPA as the control point: if a processing activity changes, the retention schedule, Article 30 entry, processor instructions, rights workflow, and deletion test evidence should be reviewed together.

  • Current retention schedule version, approver, owner, and change history.
  • RoPA entry showing purpose, data-subject categories, personal-data categories, recipients, transfers where applicable, erasure time limits where possible, and security measures.
  • Deletion or anonymisation control evidence for live systems, backups, archives, and processors.
  • Article 17 decision logs with data categories, grounds, exceptions, action taken, response date, and recipient-notification outcome.
  • Exceptions register for continued processing, limited to the data categories and purposes that justify the exception.
  • Periodic review evidence showing obsolete processing activities are removed or archived for accountability rather than left active.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 5(2) accountability and Article 30 records support evidence for retention and erasure controls.
Data Protection Commission - RoPA under Article 30 GDPR
DPC guidance supports maintaining the RoPA as a living, self-contained record with process owners, granular data categories, and retention information.
Recommended next step

Use this artifact to connect RoPA fields, erasure requests, and deletion evidence

Sorena can help map processing activities to retention triggers, Article 17 decision records, recipient notifications, and evidence needed to show that deletion controls work.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about storage limitation, Article 17 erasure, Article 30 RoPA fields, and evidence records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your retention schedule fields, erasure workflow, and evidence gaps with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 5(2) accountability and Article 30 records support evidence for retention and erasure controls.
"able to demonstrate compliance"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.