The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.


Data retention

In this article, we address one of the thorniest aspects of data protection law: data retention and, in particular, the limitation of the period for which personal data are retained.

It is not so much the principle itself that is complex (personal data should be retained only for as long as is strictly necessary to pursue the legitimate purpose of use) but rather its implementation, such as the determination of retention times and the operations to be carried out upon expiration.

Retention as “processing”

First, it should be recalled that mere retention is a processing operation in itself.

This is made unequivocally clear by the definition of “processing” in Article 4(2) of the Regulation: “processing” is considered “any operation or set of operations (…) which is performed on personal data (…) such as (…) storage.” The concept is confirmed in point 12) of the same Article 4, where the definition of “personal data breach” specifies that it consists of a breach of security involving an incident affecting, among others, stored data.

For example, in the case of restriction of processing – a right granted to the data subject when “there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject” [Recital (47) dir. 2016/680] – the legislature allows personal data to be subject to retention only. In other words, retention, while itself a processing operation, is the only operation allowed once the right to restrict processing has been exercised, subject to the exceptions noted below:

  • the data subject has given his or her consent
  • the processing is necessary for the exercise of the right of defense
  • the processing is necessary for reasons of public interest [Articles 4(3) and 18(2), GDPR].

The fact that “retention”, like “collection”, constitutes “processing” per se has important practical implications: a collection or retention of personal data that is deemed unlawful because of violations of principles, legal bases or other conditions of legitimacy is subject to the consequences provided by law (imposition of fines, compensation for damages) even if the personal data in question were, hypothetically, never used for the stated purposes. “This is because the collection and storage of the data concerned constitute per se processing operations that must be assisted by all the safeguards provided by the data protection regulations, including with regard to the existence of an appropriate legal basis.” (Italian Data Protection Authority’s decision, web doc. no. 9995808, para. 3.2).