One of the most frequent questions we receive at Summum Consultoría when helping businesses with their GDPR compliance is deceptively simple: how long do I have to keep the data? The answer does not come directly from the General Data Protection Regulation; instead it comes from combining two principles: the storage limitation principle (art. 5.1.e of the GDPR) and the minimum documentary retention periods imposed by sector-specific legislation — employment, tax, commercial and administrative — for each processing activity. This article brings both layers together to give a concrete answer.
The storage limitation principle (art. 5.1.e GDPR)
Article 5.1.e of Regulation (EU) 2016/679 (GDPR) requires that personal data be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". The Regulation does, however, allow longer retention periods when data are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the appropriate technical and organisational safeguards.
This principle translates into a practical obligation for the controller: to define, in the Records of Processing Activities (art. 30 GDPR), the specific retention periods for each category of data or, at a minimum, the criteria used to determine them. Simply stating "as long as necessary" is not enough; the periods must be specified.
How are they specified? By identifying three windows:
- Active life of the data: the time during which the data is strictly necessary for the purpose that justified its collection (for example, managing the employment relationship with a worker).
- Blocking period: once the active life ends, the data must be blocked (marked as inaccessible for ordinary use) for as long as the organisation may be required to produce it before an authority, a court, or the AEPD (Spanish Data Protection Authority — Agencia Española de Protección de Datos) itself. This period is set by sector-specific rules.
- Definitive erasure: once the blocking period expires without any request having been made, the data must be deleted securely.
The LOPDGDD (Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights) complements the GDPR in the Spanish legal order and requires, in its article 32, that the controller adopt measures to ensure that blocked data are accessible only to judges and courts, the Public Prosecutor's Office or competent public administrations, and are not processed for any other purpose.
Why does sector-specific law matter so much?
Deleting data before the minimum retention period required by sector legislation expires may trigger administrative penalties unrelated to the GDPR: fines from the Labour Inspectorate, the Tax Agency or the Social Security. Keeping data beyond the maximum period permitted by the storage limitation principle constitutes, on the other hand, a GDPR infringement sanctionable under article 83. The key is to know and respect both limits: the sector-law minimum and the maximum imposed by the temporal minimisation principle.
Retention periods by processing type — overview table
The table below lists the main processing activities in a business context, the indicative blocking period and the relevant sector-specific rule. Periods are stated in years unless otherwise specified. This table is for guidance only: each organisation should review its specific situation with the support of a specialist adviser.
| Processing type | Main data | Blocking period (indicative) | Reference rule |
|---|---|---|---|
| Employment relationship (contracts, payslips, social security enrolments/cancellations) | Name, national ID (DNI), IBAN, job category, salary, working hours, contributions | 4 years (limitation period for labour-order infringements and Social Security credits) | Art. 21 and 24 RDL 8/2015 (LGSS — General Social Security Act); art. 4 RDL 5/2000 (LISOS — Labour Infringements Act); art. 59 RDL 2/2015 (ET — Workers' Statute) |
| Occupational health & safety (health surveillance) | Medical reports, health assessments, fitness-for-work records | 5 years (general retention period for OHS documentation; extendable depending on agent exposure) | Art. 23 Law 31/1995 (LPRL — Occupational Risk Prevention Act); sector regulations for specific agents (asbestos, noise…) |
| Payroll and Social Security | Payslips, contribution bulletins TC1/TC2, RLC/RNT forms | 4 years (limitation period for Social Security debts) | Art. 21 RDL 8/2015 (LGSS) |
| Tax (issued and received invoices, tax returns) | Tax ID (NIF/CIF), amounts, taxable bases, deductions, tax declarations | 4 years (general limitation period for the right to audit and investigate); up to 10 years for negative taxable bases pending offset | Art. 66 to 70 Law 58/2003 (LGT — General Tax Act) |
| Accounting (accounting books, annual accounts, supporting documents) | Journal entries, balance sheets, income statements, inventories | 6 years from the last entry | Art. 30 of the Commercial Code (Código de Comercio) |
| CCTV / Video surveillance (cameras on premises) | Images of individuals captured on business premises or in private public spaces | 1 month from capture (statutory maximum); unless images constitute evidence of an infringement or incident | Art. 22.3 LOPDGDD (LO 3/2018) |
| Marketing and commercial communications (consent-based) | Email, phone, preferences, interaction history | While consent subsists; after opt-out, block for 3 years (limitation period for unfair competition actions and consumer claims) | Art. 7 GDPR; art. 21 LSSI (Information Society Services Act); arts. 1961-1968 Civil Code |
| Workplace video surveillance (disciplinary monitoring) | Images evidencing a labour infringement | Until the disciplinary or judicial procedure concludes | Art. 22.3 and 22.4 LOPDGDD |
| Anti-money-laundering (obliged entities) | Due-diligence documentation, beneficial owner, transactions | 10 years from the end of the business relationship or the execution of the occasional transaction | Art. 25 Law 10/2010 (LPBC/FT — Anti-Money-Laundering Act) |
| Video conferences and electronic communications | Meeting recordings, internal chat logs | Depends on the purpose: if training, up to 1 year; if litigation is foreseeable, until resolution | Art. 5.1.e GDPR; art. 20 ET (employer monitoring) |
Detailed analysis by category
Employment data: between 4 and 5 years
The employment relationship generates a considerable volume of personal data: employment contract, payslips, Social Security enrolment and cancellation forms, disciplinary notices, performance appraisals and accident reports. The retention period for this documentation is not set by the GDPR but by the limitation periods for labour-order infringements and Social Security credits.
Article 21 of Royal Legislative Decree 8/2015 approving the Revised Text of the General Social Security Act (LGSS) establishes that the right to review Social Security decisions becomes statute-barred after four years. Royal Legislative Decree 5/2000 (LISOS) also sets limitation periods for labour-order infringements. Article 59 of Royal Legislative Decree 2/2015 (ET — Workers' Statute) establishes a one-year limitation period for actions arising from the employment contract, but the underlying documentation must be retained for four years to cover potential inspections by the Labour Inspectorate.
Regarding occupational health and safety, article 23 of Law 31/1995 (LPRL) obliges the employer to retain documentation generated by preventive activity. For specific agents — asbestos, lead, noise — sector regulations may significantly extend this period, reaching up to forty years in the case of exposure to carcinogenic or mutagenic agents.
If your business manages employee data, the Summum Consultoría article on GDPR and human resources provides a comprehensive overview of the applicable framework for these processing activities.
Tax data: 4 years, with exceptions of up to 10
Law 58/2003 of 17 December, the General Tax Act (LGT), is the reference rule for determining the retention period for tax-relevant documentation. Articles 66 to 70 of the LGT establish that the Administration's right to determine the tax debt by means of the appropriate assessment, as well as to demand payment of assessed debts, becomes statute-barred after four years.
There are, however, significant exceptions. Article 70 of the LGT establishes that formal obligations linked to tax obligations must be fulfilled during the limitation period of the right to audit and investigate. In the case of negative taxable bases (tax losses) pending offset, that period may be extended to ten years (or the period resulting from the specific rules of each tax). This means that the business must retain the documentation proving those losses throughout the entire period during which they may be offset against future profits.
The ongoing regulatory push for electronic invoicing in Spain under Law 18/2022 (Crea y Crece) does not alter the tax retention periods: the electronic form of the document neither shortens nor lengthens the legally required retention period.
Accounting data: 6 years from the last entry
Article 30 of the Commercial Code (Código de Comercio) requires the entrepreneur to retain accounting books, correspondence, documentation and supporting records relating to the business, duly organised, for six years from the date of the last entry made in the books. This obligation applies even where the entrepreneur has ceased trading or the company has been wound up.
From a GDPR perspective, this commercial-law requirement justifies keeping blocked the personal data contained in accounting documentation (names of customers or suppliers in invoices, bank details in payment orders) for that six-year period. The controller cannot invoke the storage limitation principle to erase this data earlier if commercial law requires retaining the documentary record containing it.
CCTV: the shortest period — one month maximum
Article 22.3 of the LOPDGDD (LO 3/2018) states precisely that "images shall be deleted within a maximum period of one month from their capture". This is the most restrictive retention period among all common business processing activities, and it often surprises organisations that operate CCTV systems without a specific automatic purge policy.
The exception to this one-month maximum occurs when images constitute evidence of an infringement or incident: in that case, article 22.3 allows them to be retained until the relevant judicial or administrative proceedings conclude. In the employment context, article 22.4 of the LOPDGDD permits the use of CCTV systems to monitor workers within the framework of article 20.3 of the ET (Workers' Statute), but subject to the same time limits.
If your business has cameras installed on its premises, the Summum Consultoría article on CCTV in the workplace details the information, signage and technical configuration requirements demanded by the AEPD.
Marketing and commercial communications: as long as consent lasts
Data processed on the basis of the data subject's consent (art. 6.1.a GDPR) have no retention period fixed by a specific sector rule: the active life of the data lasts for as long as consent remains in force. Once the data subject withdraws consent or requests erasure, the controller must cease active processing.
However, immediate deletion is not always possible. The organisation may have a legitimate interest in blocking the data for the period during which it could be sued for prior misuse. For electronic commercial communications, the limitation period for infringements of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI) is three years (art. 47 LSSI). Articles 1961 to 1968 of the Civil Code set limitation periods of between one and fifteen years for various civil actions; the general limitation period for personal actions with no special period is five years (art. 1964 CC after the 2015 reform).
The recommended practice in digital marketing is to block data for three years from the last interaction with the data subject or from opt-out, and to delete them definitively once that period expires, unless a judicial or administrative request requires their retention.
How to document retention periods in the Records of Processing Activities
Article 30.1.f of the GDPR requires the Records of Processing Activities to include "where possible, the envisaged time limits for erasure of the different categories of data". In practice, many organisations simply include a generic reference, which does not meet this requirement and can make it difficult to demonstrate proactive accountability before the AEPD.
The recommended structure for documenting retention periods in the Records is as follows:
- Active phase: the time during which the data is necessary for the primary purpose (e.g., "for the duration of the employment contract").
- Blocking phase: the time during which data are kept blocked by regulatory requirement (e.g., "an additional 4 years from the end of the contract, pursuant to art. 21 LGSS").
- Erasure date or criterion: the mechanism that triggers definitive erasure (e.g., "4 years after the end of the contract, with no pending request from the Labour Inspectorate or the TGSS").
- Regulatory reference: citation of the sector-specific rule that justifies the period.
At Summum Consultoría we assist organisations in drawing up and maintaining their Records of Processing Activities, with templates tailored to the most common sectors and an annual review of periods in response to possible regulatory changes.
Consequences of retaining data longer than permitted
Retaining personal data beyond the justified period constitutes a breach of the storage limitation principle under article 5.1.e of the GDPR. Depending on the severity, the number of individuals affected and the existence of technical protection measures, it may be classified as a serious or very serious infringement for the purposes of article 83 of the GDPR:
- Infringements of the principles in article 5 of the GDPR are considered very serious infringements under article 83.5, subject to fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- The LOPDGDD (LO 3/2018), in its article 72, classifies as very serious infringements in the Spanish legal order substantial violations of article 5 of the GDPR, without setting specific amounts beyond those in the Regulation itself.
Beyond financial penalties, retaining data without justification increases potential harm in the event of a security breach (more data exposed) and makes it harder to fulfil data subject rights (access, rectification, erasure) that the controller is obliged to address within the time limits set out in article 12 of the GDPR.
Technical measures to ensure timely erasure
Knowing the retention periods is only the first step. The organisation must implement technical mechanisms that ensure data are actually erased when the period expires. Common measures include:
- Automated retention policies in document management systems and CRMs, which block or delete records once the configured period expires.
- Data repository inventory (databases, network folders, email, physical files) to ensure that erasure is complete and no residual copies remain.
- Certified destruction of physical media (paper, hard drives) containing personal data at the end of their lifecycle, with documentary evidence of the process.
- Periodic review of the Records of Processing Activities, at least once a year, to detect processing activities whose period has expired or whose justification has disappeared.
Frequently asked questions
What happens if sector law requires retaining data for 6 years but the data subject exercises their right to erasure after one year?
The right to erasure under article 17 of the GDPR is not absolute. Article 17.3.b of the GDPR establishes that the right to erasure does not apply where processing is necessary for compliance with a legal obligation that requires processing. If retention is imposed by a rule with the force of law (the Commercial Code, the LGT, the LGSS), the controller may refuse erasure for the legally required period, but must block the data so that it is not accessible for any other processing purpose. The data subject must receive a reasoned response within one month (art. 12.3 GDPR).
How long should I keep CVs from unsuccessful job applicants?
There is no sector-specific rule imposing a minimum retention period for job applications. The storage limitation principle of article 5.1.e of the GDPR requires deleting them as soon as they are no longer necessary for the selection process. The AEPD has stated in various decisions that retaining applications for more than one year without a lawful basis is difficult to justify, unless the data subject has given explicit consent to be included in a talent pool. The general recommendation is to delete them within a maximum of twelve months if no hiring has taken place, unless the data subject has explicitly consented to retention.
Can CCTV images be kept for more than one month if there is a clause in the workers' employment contracts?
No. The one-month maximum period under article 22.3 of the LOPDGDD is mandatory and cannot be extended by contract, collective agreement or individual worker consent. Only the statutory exception in article 22.3 itself — images that constitute evidence of a criminal or administrative offence — allows recordings to be kept beyond that month, and only for as long as necessary for the relevant proceedings. Any contractual clause purporting to extend this period is null and void.
Does the retention period start from when the data is collected or from when the relationship ends?
It depends on the type of processing. For employment and tax data, the blocking period generally begins to run from the moment the contractual relationship ends or the last relevant operation takes place (the last accounting entry, the submission of the last tax return). For CCTV, the one-month period runs from the moment each image is captured, not from the end of any relationship. For marketing data, the blocking period begins from the withdrawal of consent or from the last active interaction with the data subject. The Records of Processing Activities must specify the event that triggers the start of the period for each processing activity.