Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.The retention period is how long the data is kept for these purposes.Limits to how long controllerskeep personal data is part of the principle of data minimisation. The ‘rule of thumb’ is “as long as necessary, as short as possible”, but sometimes legal rules impose fixed periods. Data that are no longer retained cannot fall into the wrong hands, nor be abused. Defining and enforcing limited periods for data retention helps to protect the people whose data are processed.