The principle of storage limitation obligates data controllers not to store personal data for ‘longer than is necessary for the purposes for which the personal data are processed’ and to introduce pseudonymization and anonymization measures that reduce or eliminate the identifiability of data subjects once identification is no longer necessary for those purposes. The problem here is that controllers might be interested in storing more data than necessary, and for longer than necessary, in order to use the stored data for other purposes later on. Furthermore, as mentioned, data are sometimes collected and stored “just in case” they might serve some unforeseen use.
Therefore, storage periods should be proportionate to the aims of the processing: “In order to define storage periods (timelines), criteria such as the length and the purpose of the research should be taken into account. It has to be noted that national provisions may stipulate rules concerning the storage period as well.”[1]
Controllers should be aware that, even though the GDPR allows storage for longer periods, there should be a good and real reason to opt for such an extended period, for instance when the sole purpose is subsequent scientific research (or one of the other circumstances in the closed list contained in art. 5.1(c) GDPR, such as archiving in the public interest, historical research or statistical purposes) (see the “Data protection and scientific research” section in the “Main Concepts” and the “Temporal aspect” subsection in the “Storage limitation” section of the “Principles”, Part II of these Guidelines).
In order to avoid unlawful storage, a “necessity test must be carried out by each and every stakeholder in the provision of a specific service on the IoT, as the purposes of their respective processing can in fact be different. For instance, personal data communicated by users when they subscribe to a specific service on the IoT should be deleted as soon as the users put an end to their subscription. Similarly, information deleted by users in their account should not be retained. When a user does not use the service or application for a defined period, the user profile should be set as inactive. After another period of time the data should be deleted. The user should be notified before these steps are taken, with whatever means the relevant stakeholder has at its disposal”.[2]
To sum up, if controllers do not need the data, and there are no compulsory legal reasons that oblige them to retain the data, they must fully anonymize or delete them. Researchers should consult their DPOs if they intend to store data for a long period, and they should be aware of the applicable national regulation. This is also an excellent moment to set time limits for the erasure of the different categories of data and to document these decisions, or to apply them in an automated manner (see the “Accountability” section within “Principles”, Part II of these Guidelines).
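The inactivity lifecycle quoted above (profile set inactive after a defined period, erasure after a further period, notice to the user before each step) is the kind of time limit that can be applied automatically and documented for accountability. The following is an added illustration, not code from the Guidelines or from the Working Party Opinion; the retention periods, the Profile fields and the action names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention periods are constructed for illustration only; real values follow from the
# controller's documented necessity assessment and any national storage-period rules.
INACTIVE_AFTER = timedelta(days=365)  # no use of the service -> profile set inactive
DELETE_AFTER = timedelta(days=180)    # time spent inactive before erasure
NOTICE_PERIOD = timedelta(days=30)    # user warned this long before each step

@dataclass
class Profile:
    user_id: str
    subscribed: bool
    last_activity: datetime
    inactive_since: Optional[datetime] = None
    notified_for: Optional[str] = None     # step the user has been warned about
    notified_at: Optional[datetime] = None

def _sequence(p: Profile, now: datetime, due: datetime, step: str) -> str:
    """Warn first; perform `step` only after the deadline and the full notice period."""
    if p.notified_for != step:
        return f"notify:{step}" if now >= due - NOTICE_PERIOD else "retain"
    if now >= due and now >= p.notified_at + NOTICE_PERIOD:
        return step
    return "retain"

def decide(p: Profile, now: datetime) -> str:
    """Return the retention action due for one profile at time `now`."""
    if not p.subscribed:
        return "delete"  # subscription ended: the purpose is exhausted, erase at once
    if p.inactive_since is None:
        return _sequence(p, now, p.last_activity + INACTIVE_AFTER, "deactivate")
    return _sequence(p, now, p.inactive_since + DELETE_AFTER, "delete")

def apply_action(p: Profile, action: str, now: datetime, audit: list) -> None:
    """Carry out `action` and log it, so the decision is documented (accountability)."""
    audit.append((now.isoformat(), p.user_id, action))
    if action.startswith("notify:"):
        p.notified_for, p.notified_at = action.split(":", 1)[1], now
    elif action == "deactivate":
        p.inactive_since = now
    elif action == "delete":
        p.subscribed = False  # stand-in for erasing or fully anonymizing the record

def run_retention(profiles: list, now: datetime, audit: list) -> dict:
    """One scheduled pass: decide and apply for every profile, returning {user_id: action}."""
    actions = {p.user_id: decide(p, now) for p in profiles}
    for p in profiles:
        apply_action(p, actions[p.user_id], now, audit)
    return actions
```

A real deployment would run `run_retention` from a scheduler, reset `inactive_since` when an inactive user returns, and persist the audit list so the erasure decisions can be shown to a supervisory authority.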
Checklist: data governance
Minimization
☐ The IoT systems use anonymized data whenever possible, especially if those data are shared with other devices.
☐ If anonymization is not possible, the IoT systems opt for the aggregation of data in a standardized format.
☐ The controllers have ensured that no one but the data subject can access the raw data, unless a legal basis legitimizes such processing (and provided that it is necessary for the purposes pursued).
☐ The controllers have ensured that the raw material leaving the device remains the strict minimum needed.
Purpose limitation
☐ The controllers only use the data for the purposes for which they were collected, unless a legal basis allows further processing (including processing by third parties).
☐ The controller transparently informs about such purposes and which legal basis will support each of them.
Storage limitation
☐ Controllers do not store personal data for ‘longer than is necessary for the purposes for which the personal data are processed’, according to the Necessity Toolkit by the EDPS[3].
☐ Controllers periodically reassess the utility of the stored data for the intended purpose of a particular product or service.
☐ Personal data communicated by users when they subscribe to a specific service on the IoT are deleted as soon as the user puts an end to their subscription.
☐ Information deleted by users in their account is not retained by the IoT system.
☐ If a user (data subject) does not use the IoT system for a defined period of time, their profile is set as inactive, and after another period of time the data are deleted.
☐ The user is notified before these steps are taken.
☐ The controllers have documented all the information regarding these issues.
References
[1] EDPS (2020) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted on 21 April 2020. European Data Protection Supervisor, Brussels, p. 10. Available at https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf (accessed 23 April 2020).
[2] Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the Recent Developments on the Internet of Things, 16 September 2014. Available at https://www.dataprotection.ro/servlet/ViewDocument?id=1088
[3] EDPS, Necessity Toolkit. Available at https://edps.europa.eu/data-protection/our-work/publications/papers/necessity-toolkit_en