Retention Policies¶
Configure data retention periods for processing purposes to comply with GDPR storage limitation requirements.
Overview¶
Retention policies in Dxtra are defined at the processing purpose level. Each processing purpose specifies:
- Retention Period -- How long data may be retained
- Usage Period -- How long data may be actively used
These values inform data lifecycle management and help meet GDPR Article 5(1)(e) storage limitation requirements.
Configuring Retention¶
Setting Retention on Processing Purposes¶
When creating or editing a processing purpose in the dashboard:
- Navigate to Processing Activities in the dashboard
- Select the processing purpose to configure
- Set the Retention Period (how long data may be kept)
- Set the Usage Period (how long data may be actively used)
- Save the processing purpose
Retention and usage periods are stored in seconds. The dashboard displays these as human-readable durations.
Common Retention Periods¶
| Purpose | Legal Basis | Typical Retention |
|---|---|---|
| Marketing | Consent | Until withdrawal |
| Order fulfillment | Contract | 7 years (tax records) |
| Analytics | Legitimate interest | 26 months |
| Support tickets | Contract | 5 years |
| Employment records | Legal obligation | Duration + 6 years |
Retention Period Reference¶
| Duration | Seconds |
|---|---|
| 1 year | 31,536,000 |
| 2 years | 63,072,000 |
| 5 years | 157,680,000 |
| 7 years | 220,752,000 |
Legal Basis Impact¶
Retention periods should align with the legal basis for processing.
Consent-Based Processing¶
- Retention ends when consent is withdrawn
- Grace period for compliance evidence (30 days typical)
- Consent withdrawal records retained separately (6 years)
Contract-Based Processing¶
- Retention tied to contract duration
- Post-contract retention for warranty/claims
- Tax and accounting records (7--10 years)
Legitimate Interest¶
- Retention must be proportionate
- Regular review of necessity
- Clear justification documented
Legal Obligation¶
- Retention per regulatory requirement
- Varies by jurisdiction and data type
- May override shorter periods
Data Subject Transparency¶
Privacy Notice Requirements¶
Retention information should be included in privacy notices. The Transparency Center widget displays retention information automatically:
- Purpose descriptions
- Retention periods in human-readable format
- Legal basis for each purpose
Integration with Rights Requests¶
Erasure Requests:
When processing erasure requests, retention policies determine:
- Which data can be deleted immediately
- Which data must be retained for legal obligations
- Documentation requirements for retained data
Data Access Requests:
Include retention information in data exports:
- Processing purposes
- Retention periods
- Expected deletion dates
Best Practices¶
Policy Design¶
- Document rationale -- Record why each retention period was chosen
- Align with legal basis -- Retention must match processing justification
- Consider minimum periods -- Legal obligations may set floor
- Review regularly -- Audit retention settings quarterly
Implementation¶
- Default conservatively -- Use shorter periods when uncertain
- Purpose segregation -- Different retention per purpose
- Backup alignment -- Ensure backups follow retention schedule
- Third-party coordination -- Sync with data processor retention
Manual Review Required
Dxtra tracks retention settings but does not automatically delete data. Organizations must regularly review data against retention policies, implement deletion procedures, coordinate with integrated systems, and document retention decisions.
Related Documentation¶
- Processing Activities -- Purpose configuration
- Consent Management -- Consent lifecycle
- Data Subject Management -- Subject data handling
- Audit Logging -- Retention audit trails