Introduction and importance of data storage:
The GDPR sets out specific requirements for the storage of personal data to ensure that this data is handled securely and responsibly. Here are the requirements explained in detail:
Lawfulness and purpose limitation (Article 5(1)(a) and (b) GDPR):
- Lawfulness: Personal data may only be stored lawfully and on one of the legal bases set out in Article 6 GDPR. This includes consent, performance of a contract, legal obligation, vital interests, public task and legitimate interests.
- Purpose limitation: Data must be stored only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimization and storage limitation (Article 5 paragraph 1 letters c and e GDPR):
- Data minimization: Personal data must be adequate, relevant and limited to what is necessary for the purposes of processing. Only the data that is really needed may be stored.
- Storage limitation: Personal data may only be stored for as long as is necessary for the purposes for which it is processed. After this time, the data must be deleted or anonymized.
Security measures (Article 32 GDPR):
- Technical and organizational measures: Websites must implement appropriate technical and organizational measures to ensure the security of the data stored. These include:
- Encryption: Protecting data by encrypting it during storage.
- Access and access control mechanisms: Implementation of mechanisms to restrict access to personal data to authorized persons.
- Regularly review and update security measures: Ensure that security measures are up to date and reflect current threats and risks.
Documentation and proof (Article 30 GDPR):
- Register of processing activities: Controllers must maintain a register of all processing activities, which also includes information on the storage of personal data. This register must contain specific information, including the purposes of the processing, the categories of data subjects and personal data, and the recipients of the data.
Relevant articles of the GDPR:
- Article 5: Principles governing the processing of personal data
- Article 6: Lawfulness of processing
- Article 32: Security of processing
- Article 30: List of processing activities
Examples of compliance with the requirements:
- Storage limitation: An online shop only stores customer data for as long as it is necessary to process orders and to comply with legal retention requirements. After this time, the data is deleted.
- Security measures: A financial services website implements encryption and access controls to protect its users’ stored financial information.
Summary:
Websites must ensure that they store personal data lawfully and for the intended purpose, limit the data to what is necessary and only store it for as long as necessary. Appropriate security measures are required to ensure the integrity and confidentiality of the data. Implementing these measures will improve the protection of personal data and ensure compliance with the GDPR.
