Do not keep the data longer than strictly needed (storage limitation)
Home » Geolocation » Minimize data » Do not keep the data longer than strictly needed (storage limitation)

Devices should be programed in a way that minimizes the time they store the data: they should only keep data during the time that is strictly needed to reach their aim (see storage limitation subsection in the principles part of these Guidelines). Of course, this will probably depend on the goal required by the application. Storage is only acceptable if it is necessary to reach the aim of the tool. For example, if an app is intended to keep track of someone suffering from Alzheimer’s disease, in case they wander due to the effects of the disease, data will probably have to be deleted very often. If we are thinking about a device aimed at helping users know if they have been close to someone suffering from an infectious disease, data will have to be kept for days or weeks.

Do not forget that a randomly attributed Unique Device Identifier (UDID), such as a unique number, should only be stored for operational purposes, for the time that is needed for the purposes of the processing. “After that period, this UDID should be further anonymized while taking into account that true anonymization is increasingly hard to realize and that the combined location data might still lead to identification. Such a UDID should neither be linkable to previous or future UDIDs attributed to the device, nor should it be linkable to any fixed identifier of the user or the telephone (such as a MAC address, IMEI or IMSI number or any other account numbers).”[1]

Checklist: Storage limitation

 Contact history or location data stored on the central server is deleted once they are no longer needed for the purposes of the processing.

 The procedure for data erasure is adequately designed and the controller and the users are well aware of it.

 Any identifier included in the local history is deleted after X days from its collection (the X value being defined by the purpose of the processing).

 Data in server logs are minimized and comply with data protection requirements

 If there is a central server and it needs to store data identifiers, these must be deleted once they are distributed to the other applications unless a legal/technical reason recommends otherwise.




1WP29 Opinion 13/2011 on Geolocation services on smart mobile devices, at:

Skip to content