58. In accordance with Articles 5 and 25 of the GDPR, the controller must implement appropriate technical and organisational measures, which are intended to implement the data protection principles effectively and to accompany the processing with the necessary safeguards in order to meet the requirements of the GDPR, including appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed.
a. Establishment of a data sorting mechanism
59. Thus, the controller must put in place measures to sort the processed data once the current phase of use of the data subject’s data has ended (which coincides, for example, with the closure of the user’s account) in order to retain only those personal data that are relevant in view of the (new) purposes in the context of the archiving phase. The systematic and indiscriminate retention of all data in an account after the end of the contractual relationship with the data subject does not comply with the principle of storage limitation.[3] This ‘purging’ mechanism may result in the erasure or anonymisation of personal data which are not necessary for the purposes of data retention.
60. The controller should thus provide for the storage of the data in a database dedicated to archiving (a) or at least provide for logical separation in the active database (b).[2]
(a) A physical separation could be achieved by extracting the data from the information system and keeping them separately in a dedicated archiving database which only specifically authorised persons are able to access. In this case, the archiving database will have to provide different functionalities, such as exporting, accessing and viewing the stored data, so that the organisation is able to respond to the data subject when they exercise their rights (right of access, etc.).
(b) With a logical separation, the data remain in the ‘active database’ but are clearly identified and isolated from other data by limiting the authorisations in order to make them inaccessible to persons who no longer need to process them.[3]
b. Establishment of a mechanism for closing “inactive” accounts
61. Some players offer their financial services only through the creation of an online account. The CNPD notes that it is often the case that these users no longer use these accounts, without closing them, which sometimes leads to the existence of inactive accounts for an indefinite period, the absence of closure thus preventing certain retention periods from running. Thanks to the law of 30 March 2022 on inactive accounts, inactive safes and dormant insurance contracts, which entered into force on 1 June 2022, Luxembourg has established for the first time a legal framework for the management of inactive accounts. The new legal framework is applicable to “any sight account, savings account, term or redeemable deposit account with notice, securities account, fiduciary deposit as well as any other accounts opened with an institution.” By contrast, electronic money accounts within the meaning of the amended Law of 10 November 2009 on payment services are excluded from the scope of that legal framework.
62. In order to ensure that processing is accompanied by the necessary safeguards to meet the requirements of the GDPR, including the principles of accuracy and storage limitation, controllers should provide for measures to verify on a regular basis that the account holder still wishes to maintain the account online and that the data stored therein are accurate. In the case of accounts whose balance is zero, the CNPD also recommends establishing a deadline at the end of which the account will be considered inactive and must be closed (after informing the person concerned). In that regard, the CNPD considers that a period of five years appears proportionate.[4]
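The two mechanisms this section describes, the purge-and-archive step at account closure (paragraphs 59 and 60, variant (a)) and the zero-balance inactivity check (paragraph 62), as one worked example added here for illustration; it is not code from the CNPD or from any supervisory authority. The per-field retention periods, the role names and the account data are constructed assumptions; the five-year inactivity period is the one the text names.

```python
import copy
import hashlib
import json
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Optional


@dataclass(frozen=True)
class RetentionRule:
    years: int      # years the field stays in the archive after closure; 0 = not needed
    on_expiry: str  # "erase" or "anonymise" once the period has run


# Hypothetical per-field policy: periods are constructed for the example and are not
# taken from Luxembourg or EU law. A real policy is derived from each archiving purpose.
RETENTION_POLICY = {
    "customer_id": RetentionRule(10, "anonymise"),
    "full_name": RetentionRule(10, "erase"),
    "transactions": RetentionRule(10, "erase"),
    "email": RetentionRule(0, "erase"),
    "marketing_prefs": RetentionRule(0, "erase"),
    "last_login_ip": RetentionRule(0, "erase"),
}


@dataclass
class Account:
    account_id: str
    balance: float
    last_activity: date
    closed_on: Optional[date] = None
    data: dict = field(default_factory=dict)


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def anonymise(value: Any) -> str:
    """Irreversible replacement: hash with a random salt that is discarded immediately."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + str(value).encode()).hexdigest()


def apply_retention(data: dict, closed_on: date, today: date):
    """Sort the fields of a closed account: keep what an archiving purpose still needs,
    erase or anonymise everything whose period has run. Unknown fields are erased."""
    kept, erased, anonymised = {}, [], []
    for name, value in data.items():
        rule = RETENTION_POLICY.get(name)
        if rule is not None and add_years(closed_on, rule.years) > today:
            kept[name] = value
        elif rule is not None and rule.on_expiry == "anonymise":
            kept[name] = anonymise(value)
            anonymised.append(name)
        else:
            erased.append(name)
    return kept, sorted(erased), sorted(anonymised)


class ArchiveStore:
    """Dedicated archive (variant (a)): separate from the active store, readable only by
    the listed roles, exposing just the view/export functions needed for data-subject requests."""

    def __init__(self, allowed_roles):
        self._allowed = frozenset(allowed_roles)
        self._records: dict = {}

    def put(self, account_id: str, record: dict) -> None:
        self._records[account_id] = dict(record)

    def view(self, account_id: str, role: str) -> dict:
        if role not in self._allowed:
            raise PermissionError(f"role {role!r} may not read the archive")
        return dict(self._records[account_id])

    def export(self, account_id: str, role: str) -> str:
        return json.dumps(self.view(account_id, role), default=str, sort_keys=True)


def inactive_zero_balance(accounts, today: date, years: int = 5):
    """Open accounts with a zero balance and no activity for `years`: candidates for
    closure once the holder has been informed (five years, as the guidance suggests)."""
    return [a.account_id for a in accounts
            if a.closed_on is None and a.balance == 0
            and add_years(a.last_activity, years) <= today]


def close_and_archive(active: dict, archive: ArchiveStore, account_id: str, closed_on: date):
    """Close an account: take it out of the active store, purge, and move it to the archive."""
    account = active.pop(account_id)
    account.closed_on = closed_on
    kept, erased, anonymised = apply_retention(account.data, closed_on, closed_on)
    archive.put(account_id, kept)
    return kept, erased, anonymised


# Constructed sample accounts (not real data).
ACTIVE = {
    "acc-1": Account("acc-1", 0.0, date(2017, 3, 1), data={
        "customer_id": "C-1001", "full_name": "A. Example",
        "transactions": [{"amount": 12.5}], "email": "a@example.invalid",
        "marketing_prefs": {"newsletter": True}, "last_login_ip": "203.0.113.7"}),
    "acc-2": Account("acc-2", 250.0, date(2016, 1, 1), data={"customer_id": "C-1002"}),
    "acc-3": Account("acc-3", 0.0, date(2023, 6, 1), data={"customer_id": "C-1003"}),
}


def run_review(today: date = date(2024, 6, 1)):
    """Periodic review: flag inactive zero-balance accounts, then close and archive them."""
    active = copy.deepcopy(ACTIVE)
    archive = ArchiveStore(allowed_roles={"dpo", "records_officer"})
    candidates = inactive_zero_balance(active.values(), today)
    results = {acc_id: close_and_archive(active, archive, acc_id, today) for acc_id in candidates}
    return candidates, results, active, archive


if __name__ == "__main__":
    cands, res, _, arch = run_review()
    print("closed:", cands, "| archive view:", arch.export(cands[0], "dpo"))
```

Variant (b), logical separation, would keep the record in the active store with an `archived` flag and the same role check on every read; the purge step is identical. Note that the example anonymises by hashing with a salt it never stores, so the value cannot be linked back; a salt or key retained anywhere would make it pseudonymisation instead.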
-------------------------------------------------------------------------------------------------------------------------------------------------------
[2] See the CNIL’s practical guide on storage periods.
[3] Article 5.1(e) GDPR. See Commission Nationale de l’Informatique et des Libertés, Deliberation of the restricted committee No. SAN-2024-002 of 31 January 2024 concerning the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS.
[4] This recommendation is without prejudice to the provisions laid down in the Law of 30 March 2022 on inactive accounts, inactive safes and dormant insurance contracts.