
How to build a data retention policy you'll actually enforce

GDPR, Compliance, SMB

Every compliance checklist says the same thing: "document your retention periods." But nobody explains how to actually delete customer data from a CRM your sales team uses every day. Or how to handle invoice data that must be kept for seven years under tax law when the contact person left years ago.

A retention policy on paper is one thing. A retention policy you actually enforce is another.

This guide helps you build a policy that works in practice, not just in a Word document.

Why a retention policy without enforcement is worthless

GDPR requires that you do not keep personal data longer than necessary for the purpose for which it was collected. That principle is called data minimisation (Art. 5(1)(e)).

Most businesses understand the principle. The problem is execution. Data does not delete itself. Without a concrete plan for deletion, it accumulates: in your CRM, your email archive, your accounting tool, your customer service platform.

And when the Dutch Data Protection Authority asks how long you retain customer data, "we have a policy" is not enough. They want to know whether you actually follow it.

Step 1: Map your data collection points

Before you can set retention periods, you need to know where data enters and where it ends up.

Go through your most-used tools. For each tool, ask:

  • What personal data is stored here?
  • Whose data is it (customers, employees, prospects, suppliers)?
  • How long do you actually need that data for the purpose you collected it?

Typical data collection points for a Dutch SMB:

  • CRM (customer and prospect data)
  • Accounting or invoicing software (customer and supplier details)
  • Email or newsletter platform (subscriber data)
  • HR system (employee records)
  • Customer service platform (ticket history)
  • Website analytics (user behaviour via IP or cookies)

You do not need to do this in one afternoon. Start with the five tools that hold the most customer data. The rest follows.

If you already have a processing register, this is the moment to consult it. Your record of processing activities is the foundation of your retention policy.

Step 2: Set retention periods per data category

You cannot apply a single retention period to all data. Each category has its own logic, sometimes legally mandated, sometimes based on operational needs.

A practical overview for SMBs:

Financial records: Seven-year retention obligation under Dutch tax law (Art. 52 AWR). This applies to invoices, contracts with financial value, and payment data. Note: you must keep the financial records, but that does not mean you are entitled to keep the full customer profile for seven years.

Customer data after end of relationship: As a rule of thumb, two years after the end of a customer relationship, unless you have a valid ground to retain longer (for example ongoing warranty or statutory liability period). In some cases one year is sufficient.

Prospect data in your CRM: People who never became customers gave you less reason to keep their data. If someone has had no interaction for a year, it is time to delete the data or ask for renewed consent.

Job applicant data: Maximum four weeks after completion of the selection process, unless the candidate gives consent for longer retention (maximum one year for future vacancies).

Employee records: Seven years after end of employment for tax-relevant data. Other parts of the file (performance reviews, sick leave history) have shorter periods. Consult employment law for your specific situation.

Email lists and newsletter subscribers: As long as someone is an active subscriber. Dormant subscribers who have not opened an email in two years and do not respond to a reactivation campaign should be removed.

Document every decision. Record not only the period but also the basis. "We keep customer data for two years because it is necessary for warranty claims" is a defensible judgement. "We don't know" is not.

Step 3: Check the retention settings of your tools

This is the step most businesses skip, and exactly where things go wrong.

A retention policy on paper only has value if your tools actually act on it. Check each tool for what is possible.

Tools with built-in retention settings: Many CRM platforms (HubSpot, Pipedrive, Salesforce) offer the ability to automatically archive or delete contacts after a set period of inactivity. Google Analytics 4 lets you set data retention at 2 or 14 months. Mailchimp and ActiveCampaign offer the option to automatically unsubscribe or delete inactive subscribers.

Tools without built-in retention: If a tool offers no automatic deletion, you have two options. The first is a manual procedure: schedule a fixed moment per quarter or per year when a responsible person reviews the lists and deletes data that has passed its retention period. The second is to engage your vendor: your Data Processing Agreement with the vendor can include an obligation for the vendor to delete data on your request. Use that clause.

Document the settings per tool in your retention policy. "In HubSpot we have set automatic archiving at 18 months of inactivity. In our accounting package we perform an annual manual deletion of contacts older than seven years."
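As an added example (not ComplianceHive's code and not any vendor's API), the script below implements the manual procedure from Step 3 against the retention periods from Step 2: it computes each record's expiry, treats a legal hold as the "valid ground to retain longer", flags categories that nobody mapped in Step 1 instead of deleting them silently, and produces the deletion-log lines that serve as proof of enforcement. The schedule values, record ids, tool names and review date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed schedule mirroring Step 2: category -> (retention in days, basis).
SCHEDULE = {
    "financial_record": (7 * 365, "Art. 52 AWR, seven-year tax retention"),
    "customer_profile": (2 * 365, "warranty claims after end of relationship"),
    "prospect": (365, "no interaction for one year"),
    "applicant": (28, "four weeks after end of selection process"),
    "newsletter_subscriber": (2 * 365, "no opens in two years, no reactivation"),
}

@dataclass
class Record:
    record_id: str
    category: str
    tool: str                  # where the data lives (Step 3)
    reference_date: date       # invoice date, end of relationship, last interaction
    legal_hold: bool = False   # ongoing claim or statutory liability period

def review(records, today):
    """One log entry per record: delete, keep, hold, or unclassified."""
    entries = []
    for r in records:
        entry = {"id": r.record_id, "tool": r.tool, "category": r.category}
        if r.category not in SCHEDULE:
            # Category nobody mapped in Step 1: flag it, never delete silently.
            entry.update(action="unclassified", basis="no retention period defined")
        else:
            days, basis = SCHEDULE[r.category]
            expiry = r.reference_date + timedelta(days=days)
            # A legal hold is the "valid ground to retain longer" from Step 2.
            action = "hold" if r.legal_hold else "delete" if today > expiry else "keep"
            entry.update(action=action, expiry=expiry.isoformat(), basis=basis)
        entries.append(entry)
    return entries

def deletion_log(entries, today):
    # Proof of enforcement: one line per delete/hold/unclassified, none for keep.
    return [f"{today.isoformat()} {e['action'].upper()} {e['tool']} {e['id']} ({e['basis']})"
            for e in entries if e["action"] != "keep"]
# Constructed sample records and review date, not real data.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Record("INV-001", "financial_record", "accounting", date(2017, 3, 1)),
    Record("INV-002", "financial_record", "accounting", date(2020, 1, 15)),
    Record("CUST-42", "customer_profile", "hubspot", date(2022, 12, 31)),
    Record("CUST-43", "customer_profile", "hubspot", date(2022, 12, 31), legal_hold=True),
    Record("APP-3", "applicant", "hr_system", date(2025, 4, 1)),
    Record("TCK-9", "support_ticket", "helpdesk", date(2019, 5, 5)),
]
```

Printing `deletion_log(review(SAMPLE, TODAY), TODAY)` yields one line each for the expired invoice, the expired customer profile, the expired applicant file, the profile on legal hold and the unmapped ticket; the 2020 invoice is still within its seven years and produces no line.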

See how ComplianceHive helps you document retention settings per tool.

Step 4: Assign ownership per category

A policy without an owner does not get enforced. That is a rule, not an exception.

Assign responsibility for the deletion procedure per data category. This does not need to be a full-time function. It is a responsibility you assign concretely.

Examples:

  • CRM data: responsibility with the sales manager, who cleans up inactive contacts every quarter.
  • Accounting data: responsibility with the financial lead, who reviews retention periods annually.
  • HR data: responsibility with the HR team or line manager, who reviews the file at the end of employment.
  • Newsletter list: responsibility with marketing, who removes inactive subscribers every six months.

Write the owners into the policy. Make sure they understand what is expected and have the access needed to carry out the deletions.

Step 5: Schedule fixed moments for execution

Data hygiene works best with a regular rhythm, not as an ad-hoc response to an incident.

Set up a calendar with fixed moments for retention reviews. For most SMBs, the following rhythm works well:

Monthly: check whether new tools have been added that collect data and are not yet included in the policy.

Quarterly: review CRM contacts and email lists for inactive entries and delete data that has passed its retention period.

Annually: full review of the retention policy. Are the retention periods still correct? Are there new legal requirements? Are the owners still current?

Put those moments in the calendar of the responsible people. Not as an open task, but as a scheduled appointment.

Step 6: Document your policy and keep it current

A retention policy is a living document. Your tools change, your business grows, legislation evolves.

Document per data category:

  • What data is retained
  • For what purpose
  • On what lawful basis
  • For how long
  • Who is responsible for deletion
  • Which tool holds the data and how deletion is technically carried out

Update the document when you add a new tool. Make sure team members who are responsible for data know and understand the policy.

In ComplianceHive, you can record retention arrangements per tool in your processing register, so policy and execution live in the same place.

The most common mistake: policy without deletion procedures

You can have a well-written retention policy with correct retention periods for every data category. If you have not also described how you carry out the deletion, who does it, and when, you still have nothing.

The data protection authority does not only ask whether you have a policy. They ask whether you follow it. Proof of enforcement sits in deletion logs, completed tasks, and documented procedures.

Start small. Pick one tool. Set the retention setting or create a manual procedure. Document it. Then move to the next.

Ready to put your retention policy into practice? ComplianceHive helps you record retention periods per processing activity and track them over time, so policy and execution live in one place. Try free for 30 days.

This article is general information and not legal advice. Consult a qualified lawyer or privacy specialist for an assessment specific to your situation.
