The principle of storage limitation is much more enhanced in the new EU General Data Protection Regulation (GDPR), than it was in the Directive 95/46/EC.
In fact, controllers were not particularly concerned with setting time limits for data retention so far. Under the new Regulation however the controller will have to determine the period of data retention, also taking into account the purposes of processing.
The Principle shall be read in light of the 'right to be forgotten', by which data subjects have the right to have their personal data erased, in some cases even before the end of the retention period. Everyone indeed, even if he/she has given consent to the processing of his/her data, has the right to withdraw that consent.
Finally, the principle of integrity and the principle of confidentiality are two key pillars of the GDPR. What are they about? In essence, in order to have a fair processing, it is necessary that the security of data is ensured. This can be achieved not only through technical and IT security measures, but also through organisational measures. These shall ensure that no unauthorized data processing, unlawful processing, loss or destruction of data occurs. It is therefore duty of the person in charge of the processing, to ensure that the personal data does not end up in the wrong hands and that they are not destroyed, altered or publicly disclosed.
The issue of data security is further developed and discussed in Chapter IV of the Regulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.