Agnes standing next to three filing cabinets in three colors for HR, Retail and Accounting, each with a different timer

Data Retention Periods by Sector: How Long to Keep Personal Data in HR, Retail and Accounting

GDPR, Compliance

One of the most common questions from Dutch SMBs is: "How long do I actually have to keep personal data?" GDPR does not give you a ready-made answer. Instead, Article 5(1)(e) requires you to define a retention period yourself and be able to justify it. That is the storage limitation principle.

Dutch sector-specific legislation adds a concrete layer on top. For certain types of records, statutory law prescribes a minimum or maximum retention period. For others, tax law and GDPR pull in different directions. This article gives you sector-by-sector answers for HR, retail, and accounting, with direct references to the applicable laws.

Why Retention Periods Differ by Sector

GDPR requires that personal data is not kept "for longer than is necessary for the purposes for which the personal data are processed." That is a principle, not a number. The period depends on the purpose of the processing.

Dutch sector legislation translates that principle into concrete periods. The General Tax Act (Algemene wet inzake rijksbelastingen, AWR) requires businesses to retain financial records for 7 years. That obligation overrides any shorter period that GDPR alone might allow. Medical records, under the Medical Treatment Agreement Act (Wet op de geneeskundige behandelingsovereenkomst, Wgbo), must be kept for 20 years regardless of whether the treatment purpose is long past.

The challenge for SMBs is that a single personnel file can contain multiple data types, each governed by a different law with a different retention period. A well-maintained processing register lets you track those periods per processing activity.

Retention Periods in HR

Job Application Data

The selection procedure ends the moment you hire or reject a candidate. From that point, you may retain the data of rejected candidates for a maximum of 4 weeks. This limit derives from the GDPR proportionality principle: the purpose of the processing (selecting for the open position) no longer exists.

Want to keep a candidate in consideration for future openings? You need explicit consent from the candidate. With that consent, you may retain for a maximum of 1 year. At the end of that period, delete the full CV and retain only name, contact details, and a brief profile note.

Without consent, a hard deletion obligation applies after 4 weeks.

Employment Contract and Personnel File

During the employment relationship, retain the full personnel file. After termination, Article 28 of the Wage Tax Act (Wet op de loonbelasting, Wet LB) imposes a 2-year retention obligation. The employer must keep payroll and related personnel data available for the Dutch Tax Authority (Belastingdienst) during that window.

Note: elements of the personnel file that also constitute payroll records have a longer retention period under the AWR rather than the Wet LB (see below).

Payroll Records

Salary slips, vacation balances, expense reports, and all other payroll-related documents fall under the fiscal retention obligation in Article 52 of the AWR. The period is 7 years, calculated from January 1 of the year following the financial year to which the records relate.

This obligation extends to the personal data contained in those documents. You cannot retain the financial figures while deleting the associated name and citizen service number (BSN) after 2 years.

Sick Leave and Re-integration Records

Under the Work and Income (Capacity for Work) Act (Wet verbetering poortwachter), sick leave records and re-integration files must be retained for 2 years after the end of the sick leave period or re-integration process. This period exists to cover potential employment disputes and review by the Employee Insurance Agency (UWV).

Important constraint: employers may not store medical diagnoses or clinical information. You retain only the factual record (date and duration of absence) and the steps taken in the re-integration process. Medical information stays with the occupational physician.

Retention Periods in Retail

Customer Data and Purchase History

No statutory minimum exists for customer data held by a webshop or physical retailer. GDPR requires proportionality: retain data for as long as the customer relationship is active, plus a reasonable period afterwards for customer service, returns, and warranty claims. Standard practice is the relationship period plus a maximum of 2 years after the last purchase.

For loyalty programme members: retain for the duration of membership plus 1 year after cancellation.

After those periods, you must actively delete. Passively leaving data in place is a GDPR violation.

Order Data (Tax Records)

Even if you delete a customer profile after 2 years, the associated order records must be retained for 7 years under Article 52 AWR. Invoices, payment records, and order confirmations contain personal data (name, address, payment details) that you must be able to produce for the Tax Authority.

The practical solution: separate marketing data from fiscal records. Delete marketing profiles after 2 years. Archive fiscal order records in a restricted system for the full 7 years.

CCTV Footage

For retail camera surveillance, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) uses 4 weeks as the standard maximum retention period. There is no specific statute prescribing this period, but the AP applies it as a norm during supervision.

If a specific incident has occurred and the footage constitutes evidence, you may retain the relevant footage for the duration of the investigation or legal procedure. In that case, retain only the relevant segments, not all footage from the period.

Retention Periods in Accounting

Invoices and Financial Records

Invoices, purchase orders, bank statements, and all other financial administrative documents must be retained for a minimum of 7 years under Article 52(1) AWR. The 7-year period starts on January 1 of the year following the financial year. An invoice dated November 2025 must therefore be retained until December 31, 2032.

All personal data in those documents, including client and supplier names, addresses, and VAT numbers, falls under the same period. You cannot anonymise them earlier.

Annual Accounts

Annual accounts are subject to a longer retention period than other financial records. Under Article 10 of the Dutch Civil Code (BW Boek 2), the retention period is 10 years from the date of adoption. This is a hard statutory minimum for all legal entities that are required to prepare annual accounts.

Tax Returns

Tax returns and all supporting documentation fall under the 7-year period of the AWR. This includes VAT returns, corporate income tax returns, and their accompanying schedules.

Client Files

For accounting firms and bookkeeping practices, the standard retention period is 7 years after the engagement closes, aligned with the fiscal retention obligation.

Note: if the accountant has filed a suspicious transaction report under the Anti-Money Laundering Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft), specific retention obligations apply to the related file elements.

Summary Table: Retention Periods at a Glance

| Data Type | Sector | Retention Period | Statutory Basis | |---|---|---|---| | Job application data | HR | Max. 4 weeks (1 year with consent) | GDPR proportionality | | Payroll records | HR | 7 years | AWR art. 52 | | Personnel file (after termination) | HR | 2 years | Wet LB art. 28 | | Sick leave records | HR | 2 years | Wet verbetering poortwachter | | Customer data | Retail | Relationship + max. 2 years | GDPR art. 5(1)(e) | | Order data | Retail | 7 years | AWR art. 52 | | CCTV footage | Retail | Max. 4 weeks | AP guideline | | Invoices | Accounting | 7 years | AWR art. 52 | | Annual accounts | Accounting | 10 years | BW Boek 2 art. 10 |

What Happens if You Retain Data Too Long?

The GDPR storage limitation principle (Article 5(1)(e)) requires that personal data is "not kept in a form which permits identification of data subjects for longer than is necessary." Retaining data beyond the justified period is a GDPR violation, regardless of whether a statutory minimum period applies elsewhere.

The AP has included data minimisation as an enforcement priority for 2026, and that includes retention period compliance. Organisations without documented retention periods, or that passively leave data in systems past the applicable deadline, face real enforcement exposure.

The accountability principle in Article 5(2) GDPR further requires that you can demonstrate you are using the right period. "We keep it just in case" is not a legal justification. You need a documented retention period per processing activity, with the statutory basis recorded alongside it.

In ComplianceHive, you add a retention period and statutory basis to each processing activity in your register, directly satisfying the accountability requirement. View the processing register or get started with your full GDPR compliance. For a deeper look at what a retention policy document should include, read our guide on GDPR data retention policy.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.

Try 1 month for free