Storage, deletion periods and GDPR: What businesses need to know

What deletion periods under the GDPR are, which time limits apply – and how you can use FTAPI to design deletion processes that are secure and fully traceable.


When dealing with personal data, three terms often come up that are easily confused: deletion periods, retention periods and deletion obligations. They are related, but they do not mean the same thing:

  • Deletion periods specify how long data may be stored before it must be deleted or anonymised – for example, when application documents from rejected candidates are removed after six months. These periods usually stem from internal policies or the GDPR itself.

  • Retention periods determine how long certain data must legally be kept, even if it is no longer needed. For instance, the German Fiscal Code requires that invoices and accounting records be retained for eight years.

  • A deletion obligation arises under Article 17 of the GDPR when there is no longer any purpose or legal requirement for storing the data.

In simple terms: data is first used, then retained for the legally required period, and finally deleted once no legal basis for storage remains.

💡 Tip: A clearly defined deletion policy helps you monitor deadlines automatically and ensure compliance – more on this below.

What are GDPR deletion periods? The basic principle

The GDPR itself does not prescribe fixed time limits, but rather establishes the principle of storage limitation: according to Article 5(1)(e) GDPR, personal data may only be stored for as long as it is necessary for the specific purpose for which it was collected. Once that purpose no longer applies – for example, because a contract has been fulfilled or a recruitment process has ended – the data must be deleted or anonymised.

Closely related to this is the right to be forgotten (Article 17 GDPR). It obliges organisations to delete personal data without undue delay when there is no longer any reason to retain it – for example, after consent has been withdrawn, the data subject has objected to processing, or the data has been processed unlawfully.

For companies, this means they must always be able to demonstrate that their data processing is purpose-bound, proportionate and time-limited. Defining and documenting deletion periods therefore provides the foundation for lawful and transparent data management.

Retention periods for businesses: legal background

In practice, things are often more complex. While the GDPR follows the principle of data minimisation and generally favours data deletion, other laws specify concrete retention periods. These determine how long certain data must be kept – regardless of whether it is still actively used. The reason: businesses must be able to provide tax, commercial or employment-related records at any time.

Typical examples include:

  • The German Commercial Code (HGB) and the Fiscal Code (AO) require companies to retain tax- and accounting-related documents for several years.

  • The General Equal Treatment Act (AGG) stipulates that the documents of rejected applicants may be stored for six months in order to defend against potential legal claims.

  • Under the Patients’ Rights Act in the German Civil Code (BGB), patient records must be kept for ten years.

💡 In practice, this means: companies are not permitted to delete personal data immediately, even if the original purpose has been fulfilled. The rule is: purpose before obligation – and obligation before deletion. Only once the statutory retention period has expired must the data be erased. The real challenge lies in aligning the GDPR with other legal requirements.

Current deletion periods (GDPR) and statutory retention obligations at a glance

The following overview shows the current deletion periods (under the GDPR) and statutory retention obligations for the most important types of data in businesses – concise and up to date as of October 2025.

| Type of data | Retention period | Legal basis | Starting point |
|---|---|---|---|
| Invoices, accounting records | 8 years | §147 (1) AO | At the end of the calendar year in which they were created |
| Business correspondence, contracts | 6 years | §257 (1) HGB | At the end of the calendar year of the last processing activity or contract termination |
| Application documents (rejected candidates) | 6 months | §15 (4) AGG | After completion of the recruitment process |
| Tax- and payroll-relevant employee data (e.g. payslips) | 10 years | §147 AO, partly supplemented by §257 HGB | At the end of the calendar year in which they were created |
| General personnel records | 2–3 years | Art. 5 (1)(e) GDPR, §195 BGB | After the end of the employment relationship |
| Social security and pension data | 30 years | §25 SGB IV, §28f SGB IV | After the end of the employment relationship |
| Patient records | 10 years | §630f (3) BGB | From the date of creation / last entry |
| Marketing data (e.g. newsletter consent) | Until withdrawal of consent + retention period for evidence (recommended: 3 years after withdrawal) | Art. 6 (1)(a) GDPR | From the time of consent / data collection |
| Log and protocol data | A few days to max. 6 months | Risk-based storage limitation under Art. 5 (1)(e) GDPR + BSI recommendations | From the time of consent / data collection |

Note: This overview represents a snapshot in time and does not constitute legal advice. Deadlines may change as legislation evolves. Companies should always coordinate deletion processes with their data protection officer.

When do GDPR deletion obligations apply?

As established above, the obligation to delete data applies as soon as there is no longer a legal basis for storage – it represents the final stage in the data lifecycle and derives directly from the right to be forgotten under Article 17 GDPR.

Organisations must delete personal data without undue delay when:

  • the purpose of storage no longer applies,

  • consent has been withdrawn,

  • the data subject objects to processing,

  • no statutory retention requirement remains, or

  • the data was collected or processed unlawfully.

Before any deletion takes place, it must be verified whether a legal retention obligation still applies. Only then may data be permanently deleted or anonymised.

💡 In practice, this means: when a contract or recruitment process ends, the related data must be deleted – unless other laws require it to be retained for a longer period.

To ensure this works reliably, clear processes and responsibilities are essential – and this is where the deletion policy comes into play.

Deletion policy as the foundation for GDPR-compliant data management

A deletion policy defines when, how, and on what basis data is deleted. It typically sets out:

  • which types of data exist within the company (e.g. customer, employee, or applicant data)

  • how long they must be retained

  • when and how they are to be deleted or anonymised

  • who is responsible for carrying out deletions

  • how deletions are documented and verified

This creates a transparent overview of the entire data lifecycle. It simplifies audits, helps prevent data protection breaches, and ensures that all deletion processes are traceable and verifiable.

💡 Tip: To remain effective, the deletion policy should be reviewed and updated regularly – especially when legal requirements or internal processes change. It forms only the foundation; the decisive factor is technical implementation. How this can be done efficiently (with FTAPI) is explained in more detail in the next section.


Implementing automated deletion periods – with FTAPI

Automated deletion periods help organisations comply with regulations and keep their data inventories lean. Instead of relying on manual deletion, rules are defined centrally once and then applied automatically. Files are deleted after a set period of time – based on legal, internal, or operational requirements.

Here’s how automated deletion periods work:

  • Retention rules: Administrators can define how long different types of data should be stored. These rules can be adapted to legal requirements, internal policies, or operational needs.

  • Automatic deletion: The system deletes data automatically once the retention period expires, ensuring that storage and data protection policies are consistently met.

  • Categorisation: Data can be classified by document type, sensitivity, or purpose – for example, applications, contracts, or patient records. Each category follows its own legal requirements and has different deletion periods.

  • Notifications: Automated alerts inform users how long data will remain available, ensuring that everyone is aware of upcoming deletions in good time.

Automated deletion periods are useful not only for GDPR-relevant data. They also help regularly clear out expired contracts, outdated project files, or personnel records – improving clarity, security, and compliance in everyday operations.
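The following is an added example, not code from the article or from FTAPI: a small Python retention-rule engine that encodes the overview table above, derives each record's retention end date from the stated starting point (the triggering event itself, or the end of the calendar year in which it occurred), and applies the checks from the deletion-obligation section in the order the article prescribes (purpose before obligation, obligation before deletion) before a record may be deleted. It also produces the upcoming-deletion notifications and the per-decision audit trail that a deletion policy requires. The class names, the record layout, the `legal_hold` flag and the sample records are assumptions made for illustration; only the periods, legal bases and starting points come from the table.

```python
"""Constructed retention-rule engine illustrating automated deletion periods.
Rule values follow the article's overview table; all other names and the
sample data are assumptions for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Start(Enum):
    EVENT = "event"        # period runs from the triggering event (e.g. end of recruitment)
    YEAR_END = "year_end"  # period runs from the end of the calendar year of the event


@dataclass(frozen=True)
class RetentionRule:
    category: str
    months: int
    legal_basis: str
    start: Start


# Retention periods and starting points as listed in the article's table.
RULES = {
    "invoice":              RetentionRule("invoice", 8 * 12, "§147 (1) AO", Start.YEAR_END),
    "contract":             RetentionRule("contract", 6 * 12, "§257 (1) HGB", Start.YEAR_END),
    "application_rejected": RetentionRule("application_rejected", 6, "§15 (4) AGG", Start.EVENT),
    "patient_record":       RetentionRule("patient_record", 10 * 12, "§630f (3) BGB", Start.EVENT),
    "log":                  RetentionRule("log", 6, "Art. 5 (1)(e) GDPR", Start.EVENT),
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    years, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m + 1
    first_of_next = date(y + (m == 12), (m % 12) + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


def retention_end(rule: RetentionRule, event: date) -> date:
    """Last day on which the statutory retention obligation still applies."""
    base = date(event.year, 12, 31) if rule.start is Start.YEAR_END else event
    return add_months(base, rule.months)


@dataclass
class Record:
    record_id: str
    category: str
    event_date: date          # creation, last entry or process end, per the rule's starting point
    purpose_active: bool      # is the original processing purpose still being pursued?
    legal_hold: bool = False  # assumed flag: e.g. an ongoing dispute that blocks deletion


def deletion_decision(rec: Record, today: date) -> tuple[str, Optional[date], str]:
    """Return (action, retention_end, reason); checks run purpose -> obligation -> deletion."""
    rule = RULES[rec.category]
    end = retention_end(rule, rec.event_date)
    if rec.legal_hold:
        return ("retain", None, "legal hold in place")
    if rec.purpose_active:
        return ("retain", None, "processing purpose still applies")
    if today <= end:
        return ("retain", end, f"statutory retention under {rule.legal_basis} runs until {end}")
    return ("delete", end, "purpose ended and retention period expired (Art. 17 GDPR)")


def upcoming_deletions(records, today: date, within_days: int = 30):
    """Notification helper: records whose retention ends within the window."""
    horizon = today + timedelta(days=within_days)
    due_soon = []
    for r in records:
        action, end, _ = deletion_decision(r, today)
        if action == "retain" and end is not None and today < end <= horizon:
            due_soon.append((r.record_id, end))
    return due_soon


def run_deletion_cycle(records, today: date):
    """Apply every decision, returning the audit trail and the surviving records."""
    audit, kept = [], []
    for r in records:
        action, end, reason = deletion_decision(r, today)
        audit.append({"record": r.record_id, "category": r.category, "action": action,
                      "retention_end": end, "reason": reason, "checked_on": today})
        if action == "retain":
            kept.append(r)
    return audit, kept


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("INV-2017-0042", "invoice", date(2017, 3, 10), purpose_active=False),
    Record("APP-2025-0007", "application_rejected", date(2025, 2, 1), purpose_active=False),
    Record("APP-2025-0019", "application_rejected", date(2025, 9, 20), purpose_active=False),
    Record("CTR-2015-0003", "contract", date(2015, 6, 30), purpose_active=False, legal_hold=True),
    Record("LOG-2025-0311", "log", date(2025, 3, 11), purpose_active=True),
]

if __name__ == "__main__":
    run_date = date(2025, 12, 10)
    for rid, end in upcoming_deletions(SAMPLE_RECORDS, run_date):
        print(f"notice: {rid} becomes deletable after {end}")
    audit, _ = run_deletion_cycle(SAMPLE_RECORDS, run_date)
    for entry in audit:
        print(entry)
```

The audit entries record which rule was applied and why a record was kept or deleted, which is what an auditor asks for when verifying that deletions are traceable. Note that a record on legal hold or with an active purpose yields no due date at all, so it never appears in the notification list; only records whose sole remaining reason for storage is a statutory period are announced in advance.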

Automated deletion with FTAPI

FTAPI offers flexible ways to implement retention and deletion periods in full compliance with the GDPR:

When sending confidential files via FTAPI SecuMails, you can define how long documents remain accessible – both globally and individually for specific emails.

In FTAPI SecuRooms, automatic deletion periods can be configured individually for each data room. In addition, the upcoming global deletion periods feature will soon allow you to centrally define how long files are retained before they are automatically deleted across all virtual data rooms. Data that has been automatically captured via FTAPI SecuFlows Advanced is also automatically deleted from the SecuRooms once the defined retention period has expired.

This ensures that data remains up to date, relevant, and legally compliant – without the need for manual intervention. The system enforces the rules automatically, while data room owners can set shorter deletion periods if required.

In this way, FTAPI enables organisations to manage deletion processes securely, efficiently, and transparently – an important step towards greater compliance and secure data exchange within the company.

Why automated deletion is worth it: Key benefits at a glance

Overall, automated deletion processes offer clear advantages for every organisation:

  • Cost efficiency: Unused or duplicate data is automatically removed, saving storage space and reducing operating costs.

  • Productivity: A well-organised data structure makes it easier to find relevant information and speeds up workflows.

  • Security: Old files may contain sensitive information. Automatic deletion reduces the risk of data leaks or unauthorised access.

  • Compliance: Legal retention and deletion periods are reliably observed – without manual effort or the risk of error.

Especially in highly regulated sectors such as finance, healthcare, or law, automated deletion ensures lasting data security and strengthens trust.


Conclusion: Adhering to deletion periods builds trust

Ultimately, anyone who processes personal data carries responsibility. Clear deletion periods and automated processes are more than just a legal obligation – they demonstrate that data protection is actively practised within the organisation.

A well-designed deletion policy ensures that data is stored only for as long as necessary – and then securely removed. This protects sensitive information, keeps systems lean, and reduces risks associated with outdated data. At the same time, it fosters transparency and trust, both internally and externally.

With modern solutions such as FTAPI, these processes can now be implemented securely and automatically – making data protection an integral part of an efficient and responsible corporate culture.

Frequently asked questions about deletion periods

Data must be deleted as soon as the purpose for which it was stored no longer applies – for example, when a contract has been fulfilled or consent has been withdrawn. If there is no legal obligation to retain the data further, Article 17 GDPR applies: the data must be deleted without undue delay.

The GDPR itself does not specify fixed time limits. In practice, however, other laws apply: according to Section 147 of the Fiscal Code (AO) and Section 257 of the Commercial Code (HGB), invoice data must generally be retained for eight years, while other documents (such as contracts) must be kept for up to six years. After these periods expire, the data may be deleted – provided there is no other purpose or ongoing process that requires its retention.

Only a few types of documents are subject to longer retention requirements – for example, in the medical field or in cases of product liability. According to Section 630f (3) of the German Civil Code (BGB), patient records must be kept for at least ten years, and in some cases even longer. Special retention periods may also apply to certain medical records or construction documents.

Contracts and related documents are considered business correspondence under the German Commercial Code (HGB). They must be retained for at least six years, or eight years if they are of tax relevance. Once these periods have expired, the documents may be deleted – provided the contract has been completed and no outstanding claims remain.

Applicant data from rejected candidates may generally be deleted after six months – this corresponds to the limitation period for potential claims under the General Equal Treatment Act (AGG). Employee data, however, often needs to be retained for longer: payroll records, tax documents, and working time records are subject to retention requirements of up to ten years (Section 147 (3) AO). After the employment relationship ends, personal data may only be stored for as long as it is needed for legal or payroll purposes. Once these no longer apply, the rule is clear: delete or anonymise.