
How long can customer data be kept?

September 5, 2023

Customer data has become the modern-day "black gold" for businesses. However, collecting and analyzing personal information from your customers and prospects comes with constraints. Any company handling personal data of its customers must include data retention duration in its data collection strategy.

"Personal data cannot be retained indefinitely: a retention duration must be determined by the data controller based on the purpose for which the data was collected." This principle of limited retention of personal data is mandated by the GDPR and the Data Protection Act.

Within the GDPR, managing data retention durations for customer data is an essential aspect of safeguarding personal information.

Let's decode the balance to strike between respecting privacy and ensuring legal compliance.

Spoiler: the General Data Protection Regulation (GDPR) does not establish a specific retention duration for personal data. The retention duration for personal data depends on the purpose of processing the information and the applicable legal obligations.

The Lifecycle of Customer Personal Data

First and foremost, it's important to understand the lifecycle of personal data to start the countdown for data retention at the right time.

For a given processing operation, personal data goes through three phases, which are not necessarily successive. This is known as the "lifecycle" of personal data.

Phase 1: Retention in the active database

The active database is the customer database that is readily accessible for immediate use by the operational services in charge of the processing. At this stage, the customer relationship is active.

Phase 2: Intermediate data archiving

This involves all personal data that is no longer used to achieve the initially set objective. Nevertheless, these data are retained because they still hold administrative value for the company. These data can be accessed occasionally and by authorized individuals.

Phase 3: Definitive data archiving

Definitive archiving encompasses data archived without any time limit. This preservation serves only processing carried out in the public interest. The data is archived and retained permanently solely because of its "value" and public interest.

The last two phases of the data lifecycle are not automatic and may even be rare. Their necessity should be evaluated for each processing, and not all data can be retained as a single unit without prior sorting.

After understanding the lifecycle of personal data, it's important to approach data retention within the prism of its purpose, legal basis, and duration.

The legal basis corresponds to the legal reason the company adopts for data processing. The purpose is the objective in processing this data, and the retention duration represents the necessary duration for achieving this purpose.

If any of the three criteria—legal basis, purpose, or duration—cease to be valid, the criteria for data processing must be redefined.

CNIL and GDPR: Guardians of Customer Privacy

This perspective is closely monitored by the guardians of customer personal data. The CNIL and the GDPR ensure that such personal data is processed with respect for the customer's privacy and with their consent.

The CNIL recommends that the retention duration for personal data of clients and prospects should not exceed three years. This duration is derived from the simplified standard NS-056, which has no longer been valid since the GDPR came into effect, but its data retention durations are still recommended by the CNIL.

As for the GDPR, it doesn't provide a clear answer regarding data retention and processing durations, but it offers recommendations based on different situations.

Article 5 of the GDPR obliges every data controller to determine a coherent and justified retention duration for personal data based on their purposes and the objectives of processing.

Other legal texts may define this duration:

  • Certain texts impose a minimum or maximum retention duration, such as labor laws or other legal or regulatory provisions.
  • CNIL deliberations.
  • Sector-specific references.

If none of these sources clearly define a data retention duration, it is the responsibility of the data controller to precisely define this duration and its purpose for customer personal data. The purpose should underpin operational needs and the retention duration.

Therefore, the company is responsible for ensuring proper preservation of personal data. In particular, it can call on external Data Protection Officers (DPOs) through platforms like Dipeeo. The Data Protection Officer advises and supports organizations in data protection. Companies and responsible parties must prove their GDPR compliance. The data controller must compile a set of documents that record the various actions and analyses conducted to ensure compliance and data security.

Archived personal data must meet requirements for:

  • Security
  • Availability
  • Confidentiality

Determining Optimal Customer Data Retention Durations

The retention durations for personal data of clients and prospects begin when the relationship between the company and the individual is no longer active. This marks the starting point of data retention. The clock does not start as long as the company continues data processing with a defined objective and an active customer relationship.

An email open detected through "tracking pixels" is not considered a voluntary action by the individual and therefore cannot be used to justify retaining customer and prospect data.

Subsequently, the customer data exits the active database. This can be characterized by the fact that the customer no longer makes purchases with the company, cancels their subscription, or the prospect stops clicking on the company's newsletter. From this date, the retention duration is initiated.

Here are examples of data retention within the context of managing business activities:

Anonymization: The Ultimate Key to Preserving Customer Personal Data!

Once the legal data retention period expires, you must bring an end to the data lifecycle.

For managing data reaching the end of the retention duration, you can delete or anonymize customers' personal data.

Data archiving is limited to specific business activities and remains quite infrequent.

Data erasure

If the data controller decides to delete the data, the company and the controller must ensure that the data has been effectively erased. No copies of personal data should remain within the company and its potential subcontractors.

Data archiving

The data controller cannot directly delete data once the processing objectives are met. The CNIL distinguishes intermediate and definitive archives. The AFCDP recommends that the DPO document the retention duration in intermediate archives.

The data controller must choose to retain the data in a specific archive database separate from the active database to limit access. The DPO must collaborate with the archivist to ensure the security level.

Data anonymization

When the retention period for customer personal data expires, the data controller can proceed with anonymization. This process makes individual identification impossible.

The data is no longer considered personal data. This process must be closely supervised, as it is technically demanding. The main recommendations come from the Article 29 Working Party on Data Protection (Opinion of WP29 No 5/2014, April 10, 2014) endorsed by the European Data Protection Board (EDPB).

Three criteria are highlighted:

  • Individualization (singling out): The impossibility of isolating an individual within the dataset.
  • Correlation (linkability): The impossibility of linking datasets concerning an individual.
  • Inference: The impossibility of deducing information about an individual.

If you have any doubts, rely on external Data Protection Officers (DPOs) to ensure your compliance in terms of retaining customer personal data. Be cautious: shortcomings in determining and enforcing personal data retention durations are a major reason for financial penalties issued by the CNIL.