The principle of storage limitation obliges data controllers not to store personal data for ‘longer than is necessary for the purposes for which the personal data are processed’ and to introduce pseudonymization and anonymization measures that reduce or eliminate the identifiability of data subjects as soon as possible for such purposes. The problem here is that social networks usually use the stored data for several different purposes. Furthermore, data are sometimes collected and stored “just in case” they might serve some future use. Controllers should be aware that even though the GDPR allows storage for longer periods, there must be a good and real reason to opt for such an extended period (see the “Storage limitation principle” subsection in the Main Principles section in the General Part of these Guidelines). That is, a controller should not be tempted to keep the data longer than strictly needed with the aim of having it available in case novel purposes or projects arise in the future, different from those lawfully permitted.
In order to avoid unlawful storage, a necessity test must be carried out by each and every stakeholder in the provision of a specific service in the social network, as the purposes of their respective processing can in fact be different. For instance, personal data communicated by users when they subscribe to a specific service in the social network should be deleted as soon as they put an end to their subscription. Similarly, information deleted from their account by the users should not be retained. When users do not use the social network for a defined period of time, the user profile should be set as inactive. After another period of time the data should be deleted. The users should be notified before these steps are taken, with whatever means the relevant stakeholder has at its disposal.
To sum up, if controllers do not need the data, and there are no compulsory legal reasons that oblige them to conserve the data, they should fully anonymize or delete them. Researchers should consult their DPOs if they wish to store data for a longer period of time and be aware of the applicable national regulation.
This could also be an excellent moment to envisage time limits for the erasure of the different categories of data, and to document these decisions clearly (see the ‘Accountability principle’ subsection in the ‘Main Principles’ section of the General Part of these Guidelines). In this regard, the appropriate balance between sustainability of research, reproducibility, open data, open science and the principle of data minimization under the GDPR must be preserved, considering also that the processing of pseudonymized or anonymized datasets could yield datasets that are again pseudonymous or identifiable. For this purpose, the criteria set out in Rec. 156 GDPR should be followed:
- the processing of personal data for scientific research purposes must be subject to appropriate safeguards for the rights and freedoms of the data subject, where it is ensured, in particular, that technical and organizational measures are implemented to respect the principle of data minimization;
- further processing of personal data should take place where the controller has assessed the feasibility of fulfilling those purposes by means of data processing which does not allow identification of data subjects or which provides sufficient guarantees of pseudonymization;
- the conditions and safeguards in question may include specific procedures for data subjects to exercise their rights, as well as technical and organizational measures to minimize the processing of personal data in accordance with the principles of proportionality and necessity.
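The retention lifecycle described above (erase service data on unsubscribe, set a dormant account inactive after a defined period, erase after a further period, notify the user before each step, and document the time limits and every decision taken) can be implemented as a small scheduler. The following Python is an added illustration written for this section; it is not code from these Guidelines or from any social network. The retention periods, the account fields, the user id and the e-mail address are constructed placeholders, and the guidelines require only that the chosen periods be justified and documented, not that they equal these values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Documented time limits for each retention step. Constructed placeholder values:
# a real deployment records the periods it has justified for each data category.
RETENTION = {
    "inactivity_before_dormant": timedelta(days=365),  # no activity -> account set inactive
    "dormant_before_erasure": timedelta(days=180),     # inactive -> personal data erased
    "notice_lead_time": timedelta(days=30),            # user is notified this long before a step
}


class State(Enum):
    ACTIVE = "active"
    INACTIVE = "inactive"
    ERASED = "erased"


@dataclass
class Account:
    user_id: str
    last_activity: datetime
    profile: dict = field(default_factory=dict)        # personal data held for the account itself
    subscriptions: dict = field(default_factory=dict)  # service name -> data supplied at sign-up
    state: State = State.ACTIVE
    state_since: Optional[datetime] = None
    notices: list = field(default_factory=list)        # notifications already sent
    log: list = field(default_factory=list)            # retention decisions, kept for accountability


def unsubscribe(acct: Account, service: str, now: datetime) -> None:
    """Data supplied for one service are erased as soon as that subscription ends."""
    if acct.subscriptions.pop(service, None) is not None:
        acct.log.append(f"{now.isoformat()} erased subscription data for {service}")


def record_activity(acct: Account, now: datetime) -> None:
    """Any use of the network resets the inactivity clock and reactivates a dormant account."""
    if acct.state is State.ERASED:
        return  # nothing is left to reactivate
    acct.last_activity = now
    if acct.state is State.INACTIVE:
        acct.state, acct.state_since = State.ACTIVE, now
        acct.notices.clear()  # a later dormancy must trigger fresh notices


def _notify(acct: Account, kind: str, now: datetime) -> None:
    # Each notice is sent once per dormancy cycle; the send itself is a stand-in for
    # whatever channel the stakeholder has at its disposal.
    if kind not in acct.notices:
        acct.notices.append(kind)
        acct.log.append(f"{now.isoformat()} notice sent: {kind}")


def apply_retention(acct: Account, now: datetime) -> list:
    """One scheduler pass over an account. Returns the log entries written during the pass."""
    before = len(acct.log)
    if acct.state is State.ACTIVE:
        deadline = acct.last_activity + RETENTION["inactivity_before_dormant"]
        if now >= deadline - RETENTION["notice_lead_time"]:
            _notify(acct, "account will be set inactive", now)
        if now >= deadline:
            acct.state, acct.state_since = State.INACTIVE, now
            acct.log.append(f"{now.isoformat()} set inactive")
    elif acct.state is State.INACTIVE:
        deadline = acct.state_since + RETENTION["dormant_before_erasure"]
        if now >= deadline - RETENTION["notice_lead_time"]:
            _notify(acct, "account data will be erased", now)
        if now >= deadline:
            acct.profile.clear()          # personal data go, the decision log stays
            acct.subscriptions.clear()
            acct.state, acct.state_since = State.ERASED, now
            acct.log.append(f"{now.isoformat()} erased personal data")
    return acct.log[before:]


def simulate() -> dict:
    """Walk one constructed account through the whole lifecycle (dates are arbitrary)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account(
        user_id="user-42",  # constructed placeholder id
        last_activity=t0,
        profile={"display_name": "Constructed Example"},
        subscriptions={"newsletter": {"email": "someone@example.invalid"}},
    )
    unsubscribe(acct, "newsletter", t0 + timedelta(days=10))
    timeline = []
    for day in (340, 365, 515, 545):  # scheduler runs at selected days after t0
        apply_retention(acct, t0 + timedelta(days=day))
        timeline.append((day, acct.state.value))
    return {"account": acct, "timeline": timeline}


if __name__ == "__main__":
    for entry in simulate()["account"].log:
        print(entry)
```

The scheduler pass is idempotent, so it can run as often as the stakeholder likes; the `log` list is what the accountability principle asks for, since it records which time limit was applied and when, and it survives the erasure of the personal data it describes.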
Checklist: data governance
☐ The controller only processes anonymized or pseudonymized data whenever possible.
☐ The controller processes the minimal amount of data necessary to reach the pursued goals.
☐ The controller only processes data of special categories if it is strictly necessary.
☐ The controllers only use the data for the purposes they were collected, unless a legal basis allows their lawful processing.
☐ Controllers do not store personal data for ‘longer than is necessary for the purposes for which the personal data are processed’.
☐ Controllers check the utility of the stored data for the intended purpose of the research.
☐ Data are stored in a way that hinders personal data processing as much as possible.
☐ The controllers have documented all the information regarding these issues.