Maximum storage periods based on the AEPD’s last report

2020-12-22T15:42:00

On December 9, 2020, the Spanish Data Protection Agency (“AEPD”) responded to a consultation on the maximum storage periods for personal data.

Maximum storage periods based on the AEPD’s last report
December 22, 2020

On December 9, 2020, the Spanish Data Protection Agency (“AEPD”) responded to a consultation on the maximum storage periods for personal data.

A data protection officer submitted a consultation to the AEPD on the suitability and validity of a guide to maximum storage periods. The AEPD responded that, based on the accountability principle and its own powers, it could not generally assess the guide’s validity. The AEPD added that the assessment must be performed by the controller, who actually determined the purpose of the processing.

Based on (i) the storage limitation principle of article 5(1)(e) of the General Data Protection Regulation (“GDPR”) and (ii) the “blocking” requirement set out in article 32 of the Spanish Data Protection and Digital Rights Guarantee Act (“LOPDGDD”), the AEPD found that the blocking (construed as a controller’s obligation, not a data subject’s right) excludes the erasure of data as long as this is in line with the restrictions provided in article 32 LOPDGDD.

These restrictions exclude the erasure of personal data only in the following circumstances: (i) transfers of data to courts, the public prosecutor’s office, or competent public authorities, particularly data protection authorities; and (ii) liability claims arising from the data processing, and then only within the limitation period (under the statute of limitations) for these liability claims.

However, if there are applicable legal provisions requiring that data be stored for a specified time period, under article 17(3)(b) GDPR, the right to erasure, and thus the blocking, does not apply. Despite this, the controller may implement technical and organizational measures regarding the blocking requirement.

As a guiding criterion, always keep in mind that any restrictions on the fundamental right to data protection will only be considered lawful if provided in an act or statute.

Although the AEPD concluded that the controller is responsible for thoroughly assessing every processing activity to determine the storage period for each of them individually, the AEPD provides an overview of existing storage periods:

Although the AEPD concluded that the controller is responsible for thoroughly assessing every processing activity to determine the storage period for each of them individually, the AEPD provides an overview of existing storage periods:


This is a general overview. Each company must complete and apply these storage periods for each processing activity they perform.

After the storage period, the data may not be processed for any purpose other than those stated and must be erased.

Authors: Alejandro Negro and Adaya Esteban

December 22, 2020