A digital or paper file contains a great deal of information about a person. For example, a family doctor knows what drugs his patient is taking, and an employer can see when an employee last got a salary increase. Proper record keeping requires an organization to keep certain personal data for some time. However, organizations may not retain those data for longer than necessary.
The Personal Data Protection Act BES (PDPA BES) provides no specific retention period for personal data. An organization may decide for itself how long it will keep personal data. In doing so, the organization should have regard to how long the data are required for the purpose for which they were collected or are being used. Other laws, however, do provide specific retention periods that an organization must comply with.
Some data from your personnel file are subject to a fiscal retention obligation. This means that the tax authorities require your employer to keep those data, such as your wage tax statement, for a certain period. Your employer must retain these records for 5 years after termination of your employment.
For other data from your personnel file, the law provides no retention periods. As a guideline, these data should be retained for 2 years after termination of your employment.
It is customary for an organization to remove your application data within 4 weeks after the end of the application process. You can, however, give authorization to keep your data longer, e.g. because a position that suits you may open up at a later time. A maximum period of 1 year after the end of the application process is reasonable.
The main rule is that your family doctor or specialist should retain your medical file for at least 15 years after the end of your treatment.
Generally speaking, a school is allowed to retain a student file for 2 years after your child has left school. In some situations, statutory rules and regulations impose a longer retention period on schools.
Camera footage recorded in public places can be retained for a maximum of 4 weeks. However, this period may be extended if the footage contains images of a crime that can serve as evidence in criminal proceedings.
Other camera footage, e.g. from a store, is also subject to a retention period of 4 weeks. However, if an incident such as shoplifting has been recorded, the storeowner may keep the images until the case has been handled.
Under the PDPA BES, organizations may keep personal data as long as they are required for the purpose for which they were collected or are being used. After this, organizations must destroy the data.
Once the retention period of your personal data has expired or your data are no longer necessary, an organization must destroy your data.
An organization is supposed to treat personal data with care. Therefore, the organization should give proper thought to the way it will destroy your data, especially in the case of sensitive data, such as medical data. For digitally stored data, for example, systems have been developed that destroy data automatically at a predetermined time.
If an organization wants to digitalize your paper file, the organization may only destroy your original paper file after having provided proper security for the digital file.
Archives
An organization may store personal data in archives if those archives are used for historical, statistical, or scientific purposes. There is no retention period for personal data in archives. The organization must destroy the data when they are no longer required for the purpose of the archives.
You have the right to ask an organization to remove certain personal data relating to you. You can do so if those data are incorrect, incomplete, or irrelevant (or no longer relevant).
You should always address your questions or complaints to the organization itself first. If you have a complaint which the organization fails to handle to your satisfaction, there are follow-up actions you can take.