Storage limitation: “we keep everything forever” is illegal

Every piece of data needs an expiry logic. “Indefinitely, just in case” is not one — and asking for the retention period per data category is a request they must answer.

Storage limitation (Art. 5(1)(e)): keep personal data no longer than the purpose requires. The corollary in Art. 13(2)(a): they must tell you the retention period — or the criteria deciding it — for each purpose, up front. The honest patterns: invoices for the statutory tax years (national law fixes it); contracts for the contract plus limitation periods; rejected applications for weeks; CCTV for days; marketing data until you object or a defined inactivity window passes. The dishonest pattern: everything, forever, because deletion takes engineering effort and hoarding feels free. It is not free — every retained record is breach liability, and DPAs fine pure over-retention (dormant customer databases, decade-old logs) even absent any leak. Your moves: the access request already entitles you to retention information — add one line: “state the retention period or criteria per category of my data.” Vague answers (“as long as necessary”) fail Art. 13. Data past its own stated period: demand erasure, citing their policy against them. Dormant accounts you have abandoned are the practical case: erasure requests to old shops, apps and forums shrink your breach exposure more effectively than any password change.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority