GDPR Data Retention & Deletion Requirements: Staying Compliant

Quick Overview: Key Information at a Glance
- Personal data may only be stored as long as a legal basis permits it.
- Statutory retention obligations from the German Fiscal Code (AO) or Commercial Code (HGB) constitute a legitimate storage purpose and postpone the deletion of personal data.
- Companies must ensure that their deletion and archiving practices are transparent and GDPR-compliant.
- After the retention period expires, data must be deleted or physically destroyed in accordance with GDPR.
- A structured, system-supported deletion concept creates transparency.
Why Deletion Periods Are Often Misunderstood
More and more companies rely on data-driven business models and, to do so, must process large volumes of personal data. However, strict rules apply to processing and storage. A legal basis is required to justify storing data in the first place. Once this basis no longer exists, the deletion requirement of the General Data Protection Regulation (GDPR) applies: the data in question must be deleted.
In practice, however, this deletion requirement often conflicts with statutory retention periods, such as:
- Invoices: 10-year retention obligation (Section 147 AO)
- Payroll records: 6 years after the end of the calendar year
- Employment contracts: Up to 3 years after contract termination (statute of limitations period)
Controllers that fail to define and implement clear rules expose their organization to fines and reputational damage.
Retention periods according to GDPR: The basic principle
In practice, the question often arises of how long personal data may be retained to prove business transactions or internal processes. The GDPR permits processing only under the conditions of Art. 5 Para. 1 GDPR: data may only be processed for specified, explicit and legitimate purposes (purpose limitation, lit. b) and kept in identifiable form only for as long as these purposes require (storage limitation, lit. e). The GDPR storage period therefore generally ends when the legal basis ceases to apply.
Important: The GDPR does not lay down any specific periods – it only defines the principle.
At the same time, organizations must adhere to other legal requirements, for example the retention obligations for personnel files, tax documents or business reports. These obligations create a new, independent purpose for storage, with the legal obligation itself serving as the legal basis (Art. 6 Para. 1 lit. c GDPR).
This means the statutory retention periods take precedence over the original purpose limitation: as long as a statutory retention obligation exists, storing the personal data remains permissible, even if the original processing purpose has already been fulfilled. Once these periods have also expired, the data must be permanently deleted or destroyed in compliance with data protection law.
What legal bases determine the retention period?
Statutory retention periods are derived from various regulations, including:
- Fiscal Code (AO) – in particular, Section 147 AO
- Commercial Code (HGB) – Sections 238, 257 HGB
- Income Tax Act (EStG)
These legal bases apply regardless of whether data is stored in paper form or digitally.
Caution, a pitfall: Under Article 13 and Article 14 GDPR, companies must inform data subjects in their privacy notices about the storage period or the criteria used to determine it, including processing carried out to meet statutory retention obligations. Failure to comply with this information duty also risks fines.
What role do the GoBD play?
In connection with tax-relevant documents, the requirements of the GoBD (Principles for the proper management and retention of books, records, and documents in electronic form, as well as for data access) also apply. The GoBD define no retention periods, but rather govern how data must be retained in an audit-proof manner – e.g., immutable, retrievable at any time, complete.
Overview of Current Document Retention Periods (As of 2025)
There is no single, standardized regulation for retention periods in companies, because different retention periods apply depending on the document type and the governing regulation. The IHK (Chamber of Industry and Commerce) provides regularly updated overviews. Controllers can also ask their tax advisor for an individual assessment.
Below, we summarize some retention periods for typical business documents that usually contain personal data.

Important: Periods usually begin only at the end of the calendar year in which a transaction was completed, not on the date of the transaction itself.
Example: An invoice dated March 15, 2025 must be retained until December 31, 2035 (10 years from the end of 2025).
The specific requirements for the form of retention are derived from the respective applicable laws. Throughout the retention period, however, documents must remain legible, complete, and accessible at all times, regardless of their storage format.
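The year-end rule above, and the fact that one record can fall under several obligations of different lengths, are exactly what a system-supported deletion concept has to get right. The following Python script is an added illustration and is not code from the article or from Proliance. It computes the retention end date per record, lets the longest applicable obligation win, classifies records as "delete" or "retain" as of a review date, and produces the documentation entry that a deletion should leave behind. The category names, the assumption that the employment-contract period follows the same year-end rule as the other periods, and the sample records are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Retention rules as stated in the article: period in years, counted from the
# END of the calendar year in which the triggering event occurred.
# The employment-contract entry is an assumption: the article gives "up to
# 3 years after termination"; it is modelled here with the same year-end rule.
RETENTION_YEARS = {
    "invoice": 10,               # Section 147 AO
    "payroll": 6,                # payroll records
    "employment_contract": 3,    # limitation period (assumed year-end rule)
}


def retention_end(trigger: date, category: str) -> date:
    """Last day on which the record must still be retained.

    Year-end rule: the period starts on 31 December of the year of the
    triggering event, so a 10-year period for an invoice dated 15 March 2025
    ends on 31 December 2035, not on 15 March 2035.
    """
    years = RETENTION_YEARS[category]
    return date(trigger.year + years, 12, 31)


@dataclass(frozen=True)
class Record:
    record_id: str
    trigger: date            # invoice date, pay period end, termination date, ...
    categories: tuple        # one record can fall under several obligations


def record_retention_end(rec: Record) -> date:
    """The longest applicable obligation wins: a personnel file that holds both
    payroll data and the contract is kept until the payroll period has run out."""
    return max(retention_end(rec.trigger, c) for c in rec.categories)


def review(records, today: date):
    """Split records into those that may be deleted and those still under a
    retention obligation. Returns two lists of (record_id, retention_end)."""
    to_delete, to_retain = [], []
    for rec in records:
        end = record_retention_end(rec)
        # Deletion is only permitted once the last day of the period has passed.
        (to_delete if today > end else to_retain).append((rec.record_id, end))
    return to_delete, to_retain


def deletion_log_entry(rec: Record, deleted_on: date, method: str) -> dict:
    """Documentation the article asks for: what was deleted, when, how, and why
    deletion was permitted (the obligation that had expired)."""
    return {
        "record_id": rec.record_id,
        "legal_bases": list(rec.categories),
        "retention_end": record_retention_end(rec).isoformat(),
        "deleted_on": deleted_on.isoformat(),
        "method": method,
    }


# Constructed sample data (not from the article) for a review run on 2036-01-05.
SAMPLE_RECORDS = [
    Record("INV-2025-0042", date(2025, 3, 15), ("invoice",)),
    Record("INV-2026-0007", date(2026, 1, 4), ("invoice",)),
    Record("PAY-2029-12", date(2029, 12, 31), ("payroll",)),
    Record("HR-0815", date(2030, 6, 30), ("employment_contract", "payroll")),
]

if __name__ == "__main__":
    today = date(2036, 1, 5)
    to_delete, to_retain = review(SAMPLE_RECORDS, today)
    for rid, end in to_delete:
        print(f"DELETE {rid}: retention ended {end}")
    for rid, end in to_retain:
        print(f"RETAIN {rid}: retention ends {end}")
    # Example of the record that documents one completed deletion.
    print(deletion_log_entry(SAMPLE_RECORDS[0], today, "secure erase of archive volume"))
```

Run on the constructed data, the script deletes the invoice from March 2025 and the 2029 payroll record on 5 January 2036, but retains the personnel file HR-0815: its contract period ended in 2033, yet its payroll data keeps the whole record until the end of 2036. Running the same review one day earlier, on 31 December 2035, deletes nothing, because the last day of the period has not yet passed.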
What happens after the retention period ends?
After the statutory retention period expires, the legal basis for storing the affected data also ends. This data must now be deleted or destroyed in compliance with data protection regulations. It does not matter whether the data is analog or digital. The crucial point is that it is removed completely, verifiably, and securely.
How to delete in compliance with GDPR:
- Electronic data: Secure erasure of the data carrier. Multiple overwrites are adequate for magnetic disks, but on flash media (SSDs, USB sticks, phones) wear levelling means overwritten data can survive in spare blocks; use the device's built-in sanitize or secure-erase function, or cryptographic erasure (destroying the key of an encrypted volume). For data held by cloud or SaaS providers, deletion depends on the provider's process, which the data processing agreement must cover.
- Paper documents: Shredding according to DIN 66399 (security level at least P-4 for personal data)
- Backups & archives: Here too, data must be removed after the retention period expires. Individual records usually cannot be removed from a backup set, so set backup retention such that expired data ages out with the backup rotation, and record this in the deletion concept.
Document the measures taken and the time of deletion. A structured deletion concept helps you carry out the destruction process at the right time, in compliance with data protection regulations, and with proper documentation.
What needs to be considered when data is destroyed by service providers?
Companies can engage external service providers to destroy data. Because this constitutes processing on behalf of the controller under Art. 28 GDPR, a data processing agreement (DPA) must be concluded in writing (electronic form is sufficient), and the provider's certificate of destruction should be filed with the deletion documentation.
Checklist: Properly managing retention and deletion periods
This is how you keep track of deadlines and meet GDPR and legal requirements:
✅ Identify data types: What personal data do you store? (e.g., customer data, personnel files, invoices)
✅ Review legal basis: Which retention periods apply (GDPR, HGB, AO, industry-specific regulations)?
✅ Create a deletion concept: Define processes and responsibilities for regular deletions
✅ Monitor deadlines: Use software or automated reminders
✅ Documentation: Document when and how data was deleted
✅ Train employees: Raise awareness among your team for data protection and deletion obligations
A structured deletion concept ensures clarity and legal compliance. This is especially true when external data protection officers assist in developing such a concept. With their experience and knowledge of the various document and data types, they translate GDPR requirements into practical business implementation. This ensures that it is always clear,
- which data protection retention periods apply and
- which processes are necessary for complying with legal retention and deletion obligations.
Data retention becomes even more efficient with software solutions that automatically consider GDPR retention periods and monitor deadlines.
Conclusion: Data Protection + Compliance = Legal Certainty
Reconciling retention periods and deletion obligations is one of the central challenges in data protection. However, with a structured deletion concept, clear processes, and – where necessary – professional support from external data protection officers, you can achieve legal certainty and avoid fines.
Key steps:
- Identify data types and review legal bases
- Define deletion and retention periods
- Automate processes (e.g., with software solutions)
- Ensure documentation
Do you have questions or would you like to optimize your data protection compliance? Contact Proliance for support!
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.











