Retaining Personal Data

A digital or paper file contains a great deal of information about a person. For example, a family doctor knows what drugs his patient is taking, and an employer can see when an employee last got a salary increase. Proper record keeping requires an organization to keep certain personal data for some time. However, organizations may not retain those data for longer than necessary.

The Personal Data Protection Act BES(PDPA BES) provides no specific retention period for personal data. An organization may decide for itself how long it will keep personal data. In doing so, the organization should have regard to how long the data are required for the purpose for which they were collected or are being used. Other laws, however, do provide specific retention periods that an organization must comply with.

How long can my employer keep my data?

Some data from your personnel file are subject to a fiscal retention obligation. This means that the tax authorities require your employer to keep those data, such as your wage tax statement, for a certain period. Your employer must retain these records for 5 years after termination of your employment.
For other data from your personnel file, the law provides no retention periods. As a guideline, these data should be retained for 2 years after termination of your employment.

How long can an organization keep my application data?

It is customary for an organization to remove your application data within 4 weeks after the end of the application process. You can, however, give authorization to keep your data longer, e.g. because a position that suits you may open up at a later time. A maximum period of 1 year after the end of the application process is reasonable.

How long can my family doctor keep my medical data?

The main rule is that your family doctor or specialist should retain your medical file for at least 15 years after the end of your treatment.

How long can a school keep my child’s data?

Generally speaking, a school is allowed to retain a student file for 2 years after your child left school. In some situations, statutory rules and regulations impose a longer retention period on schools.

How long can camera footage be retained?

Camera footage recorded in public places can be retained for a maximum of 4 weeks. However, this period may be extended if the footage contains images of a crime that can serve as evidence in criminal proceedings.
Other camera footage, e.g. from a store, is also subject to a retention period of 4 weeks. However, if an incident such as shoplifting has been recorded, the storeowner may keep the images until the case has been handled.

How long can a government organization keep my data?

Under the PDPA BES, organizations may keep personal data as long as they are required for the purpose for which they were collected or are being used. After this, organizations must destroy the data.

What is an organization supposed to do with my data when the retention period is over?

Once the retention period of your personal data has expired or your data are no longer necessary, an organization must destroy your data.

An organization is supposed to treat personal data with care. Therefore, the organization should give proper thought to the way it will destroy your data, especially in the case of sensitive data, such as medical data. For digitally stored data, for example, systems have been developed that destroy data automatically at a predetermined time.

If an organization wants to digitalize your paper file, the organization may only destroy your original paper file after having provided proper security for the digital file.

An organization may store personal data in archives if those archives are used for historical, statistical, or scientific purposes. There is no retention period for personal data in archives. The organization must destroy the data when they are no longer required for the purpose of the archives.

Can I ask to remove my personal data?

You have the right to ask an organization to remove certain personal data relating to you. You can do so if those data are incorrect, incomplete, or irrelevant (or no longer relevant).

What can I do if I have a question or complaint about how long an organization has retained my personal data?

You should always address your questions or complaints to the organization itself first. If you have a complaint which the organization fails to handle to your satisfaction, there are follow-up actions you can take.