1. The principle of retention limitation

1.    

According to Article 5.1(e) GDPR, personal data “shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.”

It is also apparent from recital 39 of the GDPR that ‘personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the data retention period is limited to the strict minimum. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. In order to ensure that data are not retained for longer than necessary, time limits should be set by the controller for erasure or periodic review. All reasonable steps should be taken to ensure that personal data that are inaccurate are rectified or deleted.’

2.    

As regards the adequacy, relevance and limitation of what is necessary for the purposes of the processing, it is necessary to recall the clarifications provided by the EDPS concerning the precision of the purposes of the processing undertaken by a controller:

‘40. A controller must determine the appropriate legal basis for the envisaged processing operations before proceeding with the processing of the data. Where Article 6(1)(b) forms the basis for all or part of the processing activities, the controller should anticipate what will happen in the event of termination of the contract.

[...]

43. Article 17(1)(a) provides that personal data shall be erased when they are no longer necessary for the purposes for which they were collected. However, this rule does not apply if the processing is necessary for certain specific purposes, including compliance with a legal obligation under Article 17(3)(b) or the establishment, exercise or defence of legal claims under Article 17(3)(e). In practice, if controllers identify a general need to keep records for legal purposes, they must determine a legal basis for such retention from the beginning of the processing, and must clearly communicate, at the same time, the period for which they plan to keep the records for such legal purposes after termination of the contract. In this case, they are not obliged to erase the data after termination of the contract.

44. In any event, it is possible that several processing operations with different purposes and legal bases have been identified from the start of the processing operation. As long as these other processing operations remain lawful and the controller has clearly communicated these operations at the beginning of the processing, in accordance with the transparency obligations of the GDPR, it will still be possible to process personal data concerning the person for these distinct purposes after termination of the contract.’[1]

3.    

Once the purpose(s) of the processing has been achieved, the retention of certain data for compliance with legal obligations or for pre-litigation or litigation purposes is therefore possible, but the data must then be archived, for a period not exceeding that necessary for the purposes for which they are retained, in accordance with the provisions in force.

 

4.    

In the context of a contractual relationship between the data subject and a payment service provider, two phases in the life cycle of the user’s personal data should be distinguished:

 

(i) The active phase: the retention of the customer’s personal data for the duration of the contractual relationship, mainly on the basis of the need for processing for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the data subject (Article 6.1(b) GDPR), the need to comply with a legal obligation (Article 6.1(c) GDPR) or, more exceptionally, on another legal basis provided for in Article 6 GDPR, such as the data subject’s consent (Article 6.1(a) GDPR) or the legitimate interest of the controller (Article 6.1(f) GDPR) (this will be referred to as the ‘current use’ phase of personal data);

(ii) The archiving phase: the retention or ‘archiving’ of the customer’s personal data after the end of the contractual relationship (corresponding in practice to the closure of the user’s account), most often on the basis of the need to comply with a legal obligation (Article 6.1(c) GDPR) or, more exceptionally, on another legal basis provided for in Article 6 GDPR (e.g. the legitimate interest of the controller, provided for in Article 6.1(f) GDPR).

5.    

When the retention period for archiving is exceeded, the controller must delete the personal data (which is a right of the data subject pursuant to Article 17 GDPR). It can, for example, destroy them permanently or anonymize them.

These guidelines focus on the application of the principle of data retention limitation in archiving. Whenever a retention period is referred to in this document, it will be that of the second phase of the data life cycle (i.e. the archiving phase following the closure of a customer’s account).

 

13.

In accordance with the principle of accountability set out in Article 5.2 GDPR, any controller must be able to demonstrate that all the principles of Article 5.1 GDPR are complied with (including the data minimisation principle of Article 5.1(c) and the retention limitation principle of Article 5.1(e)). To this end, the controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for each specific purpose of processing are processed within the retention period (Article 25.2 d GDPR). The data controller will therefore have to define precisely the starting point of each retention period, so that it can comply with this obligation automatically, without waiting for a request for erasure from the data subject.

14.

In order to define as precisely as possible the retention period of each set of personal data that it processes and the starting point of that period, the controller must:

  • define precisely the purposes pursued (it is not possible to keep the data ‘in case ...’) as well as the applicable bases of lawfulness, and
  • determine, on the basis of each specific purpose, an appropriate and necessary retention period in order to achieve that purpose.

 

15.

If the data are used in several processing operations for more than one purpose, the storage periods must be individualised for each specific purpose. 

To be noted: The controller must define the retention period or the arrangements for calculating the retention period for each data processing operation.

The absence of a retention period or an unlimited retention period constitutes an infringement of the GDPR. The same personal data may be used for separate processing operations and may therefore be necessary for different periods of time. The end of a data processing operation for which a piece of data has been used does not therefore imply that the data must be erased, if it is still necessary for another ongoing data processing operation.

In such a case, it is necessary to make a clear distinction between the various data processing activities and to apply to each a period that is relevant to their respective purposes. Thus, the data associated with the longest duration will be retained and will not be deleted at the end of the first processing. 

Example 1: In the context of its contractual relationship with a data subject, a payment service provider shall retain the data subject’s telephone number for the purposes of authentication or communication with the data subject in the context of the contract. Once the contract is terminated, the processing of this data is no longer necessary for the performance of the contract and the payment service provider will have to erase it (unless it demonstrates that the processing of the user’s telephone number is necessary for certain specific purposes, including compliance with a legal obligation under Article 17.3(b) or the establishment, exercise or defence of legal claims under Article 17.3(e)).

Example 2: A payment service provider shall also process the postal address of the main residence of the data subject. This data is processed for various purposes related to the management of the relationship with the customer but also within the framework of the due diligence obligations of the payment service provider provided for by the Law of 12 November 2004 on the fight against money laundering and the financing of terrorism, as amended (the "2004 Law"). Article 3.6 of that law lays down an obligation to retain the data collected in the context of customer due diligence measures for five years after the end of the business relationship with the customer or after the date of the transaction concluded on an occasional basis. It will therefore be necessary to apply the longest storage period, and it will not be necessary to delete the address of the data subject upon termination of the contract (the date on which certain purposes of the processing of the address disappear) but rather five years after the end of the contract.

---------------------------------------------------------------------------------------------------------------------------------------------------

[1] EDPS, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, Adopted on 8 October 2019 
