Data Retention Policies

How long should I keep candidates' CVs?

If not hired, the retention period should be reasonable (e.g., 1 month). For longer retention, candidate consent is required.

Can data be stored "forever"?

For personal data, "permanent" storage is prohibited, with rare exceptions (e.g., public interest, historical archives).

How long are accounting documents kept?

For tax purposes, documents are kept for at least 3 years, though 6 years is recommended considering limitation periods.

How should paper documents be destroyed?

They must be shredded or burned so that information recovery is impossible. Throwing them in the trash is a violation.

Data Retention and Destruction Policies

"How long should we keep this document?" — this is a question that plagues every organization. The answer is often complex because different laws (tax, labor, civil) impose different deadlines. On the other hand, the Law on Personal Data Protection establishes the principle of "storage limitation": data should not be kept longer than necessary to achieve the purpose. A Data Retention Policy is a fundamental document that balances these conflicting requirements. It defines the lifecycle of each data type (CV, contract, invoice) — from creation to destruction.

Our service offers the development and implementation of Data Retention Policies, which includes:

  • Legislative Audit: Analyzing all relevant laws (Tax Code, Labor Code, AML Law) and establishing mandatory retention periods.
  • Data Categorization: Classifying data types and assigning specific periods to each (e.g., CV - 6 months, Contract - 3 years).
  • Destruction Procedures: Drafting secure deletion methods (shredding physical documents, permanent digital wiping) to prevent recovery.
  • Archive Management: Rules on when and how active data should move to the archive and who should have access to it.
  • Automation Recommendations: Legal support for configuring automated deletion rules (Retention Rules) in IT systems.

In practice, organizations often collect data "just in case" and keep it for years. This is a huge risk. If a cyberattack occurs, data of clients from 10 years ago might leak, increasing damage and fines. On the other hand, prematurely deleted documents can become a problem during a tax audit or litigation. For example, the limitation period for labor disputes differs from the tax audit period. The policy must account for all these nuances.

The legal framework is based on the Law on Personal Data Protection (Article 5 - Storage Principle), the Civil Code (limitation periods), and special laws (e.g., National Bank requirements for commercial banks). Both retaining data for too long and destroying it prematurely are violations of the law.

Working with a lawyer begins with "data inventory." The specialist determines what data you have and why. Then, a "Retention Schedule" is created — a table listing the deadlines. This document becomes a guide for IT and records management departments.

Legal.ge gives you access to lawyers who will help organize information chaos. A Data Retention Policy is not bureaucracy; it is a tool for effective management and risk reduction. Create clear rules and protect yourself from fines.
