There are a number of examples where businesses are legally required to retain certain elements of an individuals data. Sectors where this is the case include (and are not limited to):
- Financial (eg. Banking)
- Council (eg. Child services)
- Government (eg. HMRC)
- Social Media
This is actually to protect consumers from deleting important and sensitive information that they may rely on. The guideline period for most types of GDPR retention policy is six years, however it can be longer than this.
These guidelines are not to be used to hide behind resulting in Erasure request being ignored or rejected.
What companies can do instead:
- Add a marker to your account and delete your data as soon as they can when the retention requirements fall away.
- Remove your personal information where you have exercised your right to object to processing
If you think a company is being unreasonable in their response and quoting a data retention policy as the reason for a rejection, please get in touch with Rightly Support for help, or query it with the ICO.