Disclaimer
This document is a guideline about data retention and therefore proposes data retention periods according to the laws, but also according to the recommendations of the data protection supervisory authorities. The elements displayed in this document are only accurate at the current date of production of the document: 29th May 2019. The key statutes described in the first section are in no way exhaustive.
Concerned Countries
Key Data Retention Statutes
DISCLAIMER: The content of this section is not exhaustive and may change from time to time as a result of changes in legislation.
Belgium
General statutes for data retention in the Belgian legislature:
– Belgian Companies Code (Article 195)
– Act of 17 July 1975 regarding companies’ accountancy (Articles 6 and 8)
– Law of 8 December 1992 (Article 4)
Special statutes to take into consideration:
– Companies’ accountancy: Article 9 of the Royal Decree of 12 September 1983, regarding the execution of the Act of 17 July 1975, concerning companies’ accountancy
– Social law: Articles 22 to 25 of the Royal Decree of 8 August 1980, regarding the maintenance of employment-related documents
– Tax law: Articles 315 and 315bis of the Belgian Income Tax Code
– Article 60 Para. 3 of the Belgian VAT Code
– Article 9 of the Royal Decree of 10 December 1969, regarding the rules governing deductions for the application of VAT
Switzerland
General statutes for data retention in the Swiss legislature:
– Swiss Code of Obligations (SR 220, CO) Articles 957 et seq
– Ordinance on the Management and Record of Accounting Books (SR 221.431).
Special statutes to take into consideration:
– Article 70 of the Swiss Value-Added Tax Act
– Article 42 of the Swiss Value-Added Tax Act
– Social Security law
– Customs requirements
– Product declaration
– Environmental law
Germany
General statues for data retention in the German legislature:
– Sec. 147 of the Fiscal Code
– Sec. 257 of the Commercial Code
– Sec. 35 of the Federal Data Protection Act
– Sec. 195 German Civil Code
Special statutes to take into consideration:
– Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GdPdU)
Spain
General statutes for data retention in the Spanish legislature:
– Commercial Law
– Personal Data Protection Draft Act 2017
– Royal Decree 1784/19 July 1996, which concerns Commercial Registry Regulation (RRM), especially Article 377
Special statutes to take into consideration:
– Article 66 Spanish Law 58/17 December 2003, regarding General Tax Law (LGT);
– Article 21 Royal Decree 5/4 August 2000, regarding Infringement and Sanctions Social Law (LISOS);
– Article 25 of Law 10/28 April 2010, regarding the Prevention of Money Laundering and Financing of Terrorism (LPBCFT); and
– Article 5 Law 25/2007, regarding Data Protection in Electronic Communications.
France
General statutes for data retention in the French legislature:
– The French Code of Commerce
– The French Civil Code
– French Post and electronic communications Code,
– French Consumer Code,
– French Tax Procedure Handbook,
– French Social Security Code,
– French Criminal Code.
Special statutes to take into consideration:
– Labor law
– Insurances and banking regulation
Ireland
General statutes for data retention in the Irish legislature:
– Statute of Limitations Act, 1957 – 2010
– Irish Data Protection Acts 1988 and 2003
Special statutes to take into consideration:
– E-Commerce Act, 2000 (the “EC Act”)
Italy
General statutes for data retention in the Italian legislature:
– Articles 2214 to 2220 of the Italian Civil Code
– Article 39 of Presidential Decree, 26 October 1972, n. 633
– Article 22 of Presidential Decree 29 September 1973, n. 600
Special statutes to take into consideration:
– Decree of the Minister of Finance, 23 January 2004
– Social security law
The Netherlands
General statutes for data retention in the Dutch legislature:
– General Tax Act (Algemene Wet inzake rijksbelastingen)
– Dutch Civil Code (Burgerlijk Wetboek)
– Gegevensbescherming
Special statutes to take into consideration:
– Act on the prevention of Money Laundering and Financing Terrorism (Wet ter voorkoming van witwassen en financieren van terrorisme)
– Medical Treatment Act (Wet op de geneeskundige behandelingsovereenkomst)
– Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wet financieel toezicht)
– Wage Witholding Tax Act 1964 (WWTA) (Wet op de Loonbelasting 1964)
Poland
General statutes for data retention in the Polish legislature:
– Bookkeeping Act of 29 September 1994
– Personal Data Protection Act of 29 August 1997
Special statutes to take into consideration:
– Tax Ordinance Act of 29 August 1997
– National Archive Resources and Archives Act of 14 July 1983
– Labor Code of 26 June 1974
– Social Security System Act of 13 October 1998
– Civil Code of 23 April 1964
– Insurance Activity Act of 22 May 2003
– Transactions on Financial Instruments Act of 29 July 2005
– Act on Prevention of Money Laundering Practices and Financing of Terrorism of 16 November 2000
Portugal
General statutes for data retention in the Portuguese legislature:
– Commercial Code approved by Official Letter of 28 June 1888, as amended
– Portuguese Civil Code approved by Decree-Law 47344, of 25 November 1966, as amended (particularly, the rules on statutes of limitation)
Special statutes to take into consideration:
– Portuguese Labor Code, approved by Law 7/2009, of 12 February 2009, and as amended from time to time, including by Law 105/2009, of 14 September 2009
– Law 102/2009, of 10 September 2009 on health and safety rules at workplace
– Decree-Law 28/2019, of 15 February 2019 on processing of invoices and retention deadlines of books, records and financial accounting documents
– Law 83/2017, of 18 August 2017, which establishes measures to combat money laundering and terrorist financing
– Decree-Law 24/2014, of 14 February 2014 on distance and off-premises contracts
– Electronic Communications Law approved by Law 5/2004, of 10 February 2004
– Portuguese Data Protection Authority’s Guidelines dated 27 July 2017 on retention deadlines in electronic communications
– Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH)
– Decree-Law 178/2006, of 5 September 2006 on waste management rules
– Decree-Law 210/2009, of 3 September 2009 approving the legal framework for the constitution,
management and functioning of the “Waste Organized Market”
– Decree-Law 156/2013, of 5 November 2013 approving the framework for the responsible and safe management of spent fuel and radioactive waste
– Decree-Law 150/2015, of 5 August 2015 approving the regime for the prevention of serious accidents involving dangerous substances and the limitation of their consequences to individuals and the environment
– Ordinance 145/2017, of 26 April 2017 on waste management electronic documents
– Decree-Law 183/2009, of 10 August 2009 on the landfill of waste
– Decree-Law 12/2011, of 24 January 2011 establishing a framework for the setting of eco-design requirements for energy-related products
– Decree-Law 118/2013, of 20 August 2013 on the energy performance of buildings, and the Ordinance 349- A/2013, of 29 November 2013 on the powers of the operator authority of the energy performance of buildings
– Decree-Law 12/2011, of 10 September 2011, implementing the obligations provided for in
the Regulation (EU) No 305/2011 of the European Parliament and of the Council of 9 March 2011 laying down harmonized conditions for the marketing of construction products
– Decree-Law 42 -A/2016, of 12 August 2016 on Environmental Fund
– Decree-Law 167/2008, of 26 August 2008 on legal framework for public subsidies
– Decree-Law 47/2017, of 10 May 2017 approving the regime for the assessment of ambient air quality
Romania
General statutes for data retention in the Romanian legislature:
– Accountancy Law no. 82/1991
– National Archives Law no. 16/1996
Special statutes to take into consideration:
– Order no. 3512/2008 on financial accounting documents, approving the Methodological Norms for drafting and using financial accounting documents
– Companies Law no. 31/1990
– Fiscal Code
– Fiscal Procedure Code
– Government Decision no. 355/2007 on the surveillance of workers health
– Government Decision no. 1875/2005 on the on the protection of health and security of workers regarding the risks of eGXOsure to asbestos
– Methodological Normative of 2003 regarding the operational radioprotection on non destructive control practice with ionized radiation
– Law no. 211/2011 on waste management
– Government Ordinance no. 195/2005 on Environmental Protection Order 1084/2003
The United Kingdom
General statutes for data retention in the British legislature:
– Sec. 5 of the Limitations Act 1980
– Sec. 248, 355, 388 and 702 of the Companies Act 2006
– Sec. 12B of the Taxes Management Act 1970
– Sec. 11 of the VAT Act 1994
– Sec.1 of the Consumer Protection Act 1987
– Data Protection Act 2018
Special statutes to take into consideration:
– Companies Act 2006
– Data Protection Act 2018
– Sec. 3 of the Public Records Act 1958
Russia
All the records of personal data must be archived as hard copies as per Russian regulation. Generally, electronic retention of documents is not authorized except for specific accounting and tax calculation documents.
The records must be kept on Russian soil for the entire duration of the retention decided by either the entity or forced by law. However, the entity can request an authorization to retain the data in a foreign count.
In some specific cases defined by Russian regulation, documents and therefore personal data should be retained permanently
General statutes for data retention in the Russian legislature:
– Federal law On Archiving in the Russian Federation, № 125-ФЗ, 22 October 2004
Special statutes to take into consideration:
– Federal law On Accountancy, № 402-ФЗ, 6 December 2011
– Tax Code
– Federal law On Personal Data, № 152-ФЗ, 27 July 2006
– Federal laws regulating different types of legal entity (Limited Liability Company, Joint Stock Company…)
Key Retention Times
European General Company Records Data Retention Guidelines
The following table summarises the main data retention recommendations for general company records in Europe:
European Payroll and Salary Records Data Retention Guidelines
The following table summarises the main data retention recommendations for Payroll and Salary Records in Europe:
European Human Resources Data Retention Guidelines
The following table summarises the main data retention recommendations for Human Resources Records in Europe:
European Medical and Safety Data Retention Guidelines
The following table summarises the main data retention recommendations for Medical and Safety Records in Europe:
European Marketing Records Data Retention Guidelines
The following table summarises the main data retention recommendations for Marketing Records in Europe:
European Purchasing Records Data Retention Guidelines
The following table summarises the main data retention recommendations for Purchasing Records in Europe :
European Legal, Contracts and Agreements Data Retention Guidelines
The following table summarises the main data retention recommendations for Legal Records in Europe:
European Environmental Records Data Retention Guidelines
The following table summarises the main data retention recommendations for Environmental Records in Europe:
