
Data Privacy and Information Security Laws by Country

Data Retention and Disposal: An Overview of Global Privacy Regulations

Organizations operating globally must navigate a complex landscape of data privacy and information security laws, many of which explicitly or implicitly mandate the retention and timely disposal of personal data. From comprehensive regional frameworks like the European Union’s General Data Protection Regulation (GDPR)—which emphasizes data minimization and storage limitation—to national laws across jurisdictions like Australia, the United States, Canada, and beyond, businesses face strict obligations to ensure personal data is retained only as long as necessary, securely managed, and properly disposed of when no longer needed.

This overview summarizes key laws, regulations, and frameworks across twelve countries (Australia, United States, Canada, United Kingdom, France, Germany, Switzerland, Belgium, The Netherlands, Spain, Italy, and Austria), highlighting how each jurisdiction balances privacy, compliance, security requirements, and data lifecycle management. Understanding these regulations is essential not only for legal compliance but also for building trust and reducing risk in an increasingly privacy-conscious world.

Below is a structured summary of the primary data privacy and security frameworks for each country, detailing their implications for data retention and disposal.

This information should likely be taken in concert with applicable industry standard frameworks such as Data Retention Requirements: ISO 27001 and SOC 2 Frameworks that may apply to your organization.

Australia

  • Privacy Act 1988 (National) – Australia’s primary data privacy law, which includes the Australian Privacy Principles (APPs). It governs how personal information is handled by federal agencies and many private organizations. Notably, APP 11 (Security of Personal Information) requires entities to protect personal data and to destroy or de-identify personal information once it is no longer needed for the purpose it was collected, unless retention is required by law (Chapter 11: APP 11 Security of personal information | OAIC). In practice, this means there is no fixed retention period under the Act, but organizations must not keep personal data longer than necessary and must dispose of it securely when no longer required.

  • Telecommunications (Interception and Access) Act 1979 – Data Retention Obligations (National) – Australia’s data retention law (amended in 2015) that mandates telecommunications service providers retain certain metadata (phone numbers, times, IP addresses, etc.) for at least 2 years (https://www.homeaffairs.gov.au/nat-security/Pages/Data-retention-obligations.aspx). This is an information security/surveillance measure requiring companies to store communications data for law enforcement and national security access. After the 2-year period, the data should be disposed of, though the law sets a minimum retention duration (providers may keep it longer if not otherwise restricted).
    (Australia also has state-level privacy laws for state government data and regulations like the Notifiable Data Breaches scheme under the Privacy Act, which reinforce secure handling and timely deletion of personal information.)

United States

  • HIPAA – Health Insurance Portability and Accountability Act (National, Health sector) – A federal law protecting medical information privacy and security. The HIPAA Privacy Rule does not set specific record retention periods for medical data (those are generally set by state laws), but it requires that covered entities implement policies to safeguard and securely dispose of protected health information (PHI) (Frequently Asked Questions About the Disposal of Protected Health Information). For example, healthcare organizations must use reasonable safeguards (shredding, wiping electronic media, etc.) to ensure PHI is unreadable upon disposal (Frequently Asked Questions About the Disposal of Protected Health Information). (Note: HIPAA administrative requirements do mandate retaining compliance records for 6 years, but patient data retention timelines are left to other laws.)

  • GLBA – Gramm-Leach-Bliley Act (Safeguards Rule) (National, Financial sector) – A federal law for financial institutions’ data security. The Safeguards Rule (amended by the FTC in 2021) requires institutions to have an information security program including controls for data retention and disposal. It explicitly states organizations must securely dispose of customer information when it’s no longer needed, with a general rule to delete it no later than two years after last use (unless a longer retention is legally required or for a legitimate business need) (FTC Strengthens GLBA Information Security Requirements | Davis Wright Tremaine). This effectively imposes a maximum retention period in many cases and mandates proper disposal of financial customers’ personal data.

  • FACTA (Fair and Accurate Credit Transactions Act) – Disposal Rule (National) – This regulation under FACTA (which amended the Fair Credit Reporting Act) applies to any business that uses consumer credit reports. It requires such businesses to take reasonable measures to dispose of consumer report information to prevent unauthorized access or misuse (FACTA Disposal Rule Goes into Effect June 1 | Federal Trade Commission). In practice, companies must shred, erase, or otherwise destroy personal data derived from credit reports once retention is no longer necessary, to protect consumer privacy.

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (Regional/State – California) – Landmark state privacy laws (2018, amended 2020) that influence national practices. They give California residents rights over personal data and impose duties on businesses. Under the CPRA (effective 2023), businesses must disclose how long they retain each category of personal information and not keep it longer than “reasonably necessary” for the disclosed purpose (Preparing For The CPRA Part 2: Changes To Data Retention Requirements: Atkinson, Andelson, Loya, Ruud & Romo). Consumers have a right to deletion of their data, and businesses must honor deletion requests for data that is not needed for an ongoing legitimate purpose or legal obligation. These laws thus encourage data minimization and prompt disposal once data is no longer required.

  • State Data Disposal and Security Laws (Regional – various states) – Aside from California’s privacy law, over 30 U.S. states have laws requiring secure disposal of personal information held by businesses (U.S. State-Specific Data Disposal Laws - Blancco). For example, California Civil Code §1798.81 (part of California’s disposal law) requires businesses to shred, erase or modify personal data when disposing of customer records (U.S. State-Specific Data Disposal Laws - Blancco). Other states (e.g. New York, Massachusetts, Illinois, etc.) similarly mandate that companies destroy or render unreadable any personal data they no longer need. Additionally, many states require “reasonable security practices” for personal information, which include having data retention limits and proper disposal as part of an overall information security program.

(The U.S. has a sectoral patchwork of laws rather than one comprehensive law. Other examples include FERPA for educational records and COPPA for children’s online data, which have their own retention or deletion rules. In the absence of a single national privacy law, companies often follow industry standards (like NIST guidelines) and contract requirements for data retention and deletion, in addition to these laws.)

Canada

  • Personal Information Protection and Electronic Documents Act (PIPEDA) (National) – Canada’s federal private-sector privacy law. PIPEDA requires organizations to follow principles limiting collection, use, and retention of personal data. Under Principle 5 (Limiting Use, Disclosure, and Retention), personal information “shall be retained only as long as necessary” to fulfill the purposes for which it was collected (Personal Information Protection and Electronic Documents Act). Once information is no longer needed, organizations “should destroy, erase, or anonymize” it, per PIPEDA guidelines (Personal Information Protection and Electronic Documents Act). In practice, businesses must establish retention policies (including minimum and maximum periods) and dispose of personal data securely when those periods expire or the data is no longer required. PIPEDA thus implies data disposal as a necessity tied to the original purpose of collection.

  • Privacy Act (R.S.C. 1985) (National) – The Canadian Privacy Act applies to federal government institutions. It requires government agencies to handle personal information in accordance with fair information practices, including retaining personal data only as long as needed for legal or operational purposes. Federal institutions must dispose of personal information when it is no longer required by transferring records to Library and Archives Canada or by secure destruction, in line with record disposition authorities. In essence, the Privacy Act mandates that personal data held by government be discarded securely once it is no longer needed, ensuring outdated information doesn’t linger unnecessarily.

  • Provincial Privacy Laws (Regional) – Several provinces have their own private-sector privacy laws that are “substantially similar” to PIPEDA, and health information privacy laws, which also include retention and disposal rules. For instance, Quebec’s Law 25 (2021 amendments to its private-sector privacy act) explicitly requires organizations to have a retention schedule and to destroy or anonymize personal information once the purposes for which it was collected are achieved. British Columbia’s and Alberta’s Personal Information Protection Acts similarly mandate that personal data must not be kept indefinitely. These provincial laws reinforce the principle that data should be erased when no longer needed, and they often include penalties if organizations retain data unnecessarily or fail to securely dispose of it.

United Kingdom

  • UK GDPR (General Data Protection Regulation) (Regional/National) – After Brexit, the UK adopted its own version of the EU GDPR. The UK GDPR enshrines core principles of data protection, including “storage limitation,” which means personal data must not be kept longer than necessary for its purpose (Purpose limitation, data minimisation and storage limitation | ICO). Organizations in the UK must have retention policies and are expected to erase or anonymize personal data once it is no longer needed for the purpose it was collected (Purpose limitation, data minimisation and storage limitation | ICO). The UK GDPR also provides individuals the right to erasure (right to be forgotten), obligating data controllers to delete personal data that are no longer required.

  • Data Protection Act 2018 (National) – The DPA 2018 is the UK’s implementing legislation for GDPR and covers areas GDPR doesn’t explicitly, such as law enforcement and intelligence data processing. It reinforces the requirements of the UK GDPR. Under this Act, organizations must adhere to data protection principles (including storage limitation) and ensure secure disposal of personal data. The DPA 2018 makes it clear that not complying with deletion requirements (for example, retaining data without a legal basis) can lead to enforcement action by the UK Information Commissioner’s Office.

  • Privacy and Electronic Communications Regulations (PECR) (National/Regional) – These regulations (stemming from the EU e-Privacy Directive) govern electronic communications data. PECR requires telecom and internet service providers to respect user privacy in communications. Traffic data (call logs, message routing info, etc.) may only be retained as long as needed to transmit the communication or for billing, and must be erased or anonymized once no longer required for those purposes (Traffic data | ICO). In practice, as soon as a phone call is concluded or an email delivered (and the data is not needed for billing or an allowed purpose), the service provider should delete or anonymize the related traffic data. This rule effectively mandates routine disposal of communications metadata, except where law enforcement retention requirements apply or the user has consented to a longer retention (for value-added services).

  • Investigatory Powers Act 2016 (National) – A UK security law that, among many surveillance provisions, allows the government to issue Retention Notices to telecom operators. Under this Act, telecom and internet providers can be required to retain communications data for up to 12 months for law enforcement and intelligence purposes (Data Retention is a key part of the Investigatory Powers Act, Big Brother Watch: https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/03/Data-Retention.pdf). For example, a provider might be ordered to keep records of phone calls, text, and internet connections for one year. This is a mandated retention (focused on metadata, not content) that overrides the general data minimization principle during that period. After 12 months (or earlier if the notice specifies a shorter time), the provider should delete the data. (The IPA built upon the earlier Data Retention and Investigatory Powers Act, and while parts of it have been challenged in UK courts, as of 2025 a framework for 12-month retention with safeguards remains in effect.)

France

  • EU General Data Protection Regulation (GDPR) (Regional) – France, as an EU member (at least until 2025), is under the GDPR for data privacy. The GDPR imposes principles of data minimization and storage limitation, requiring French organizations to only keep personal data as long as necessary and then delete or anonymize it. Companies and public bodies in France must set retention periods for personal information and cannot retain data “just in case” indefinitely (Purpose limitation, data minimisation and storage limitation | ICO). The GDPR’s Article 5(1)(e) and Recital 39 specifically say personal data must be erased or archived (in an appropriate form) when no longer needed. Non-compliance (failing to dispose of expired data) can lead to enforcement by France’s data protection authority, CNIL.

  • French Data Protection Act (“Loi Informatique et Libertés” 1978, modified 2018) (National) – This law, amended to align with the GDPR, supplements the GDPR in France. It establishes the CNIL and contains national rules (for example, on use of national identification numbers, or data processing for public interests). It reinforces that data controllers in France must define a data retention period for each type of personal data and informs data subjects of these periods. Under this law, organizations are expected to delete or archive data after the retention period expires. CNIL guidance under the French law provides benchmarks (e.g., many HR records = 5 years; medical records = 20 years, etc.) (Sheet n°14: Define a data retention period - CNIL), and CNIL has not hesitated to fine companies for keeping personal data longer than necessary (Data retention period and data security: the CNIL fined PAP 100000 ...). In summary, France’s national law works with GDPR to ensure data is not retained indefinitely and is disposed of when no longer required.

  • Electronic Communications Data Retention (French Security Laws) (National) – France has had specific regulations requiring telecom operators and online service providers to retain certain metadata for law enforcement. Telecom operators and internet hosts in France have been required to retain connection data for up to 12 months (French administrative court walks data retention tightrope – POLITICO). For example, phone call records, text message metadata, IP addresses, and location data were to be kept for one year under decrees implementing a 2006 data retention directive and later national security laws. These rules have been controversial: in 2021, France’s Conseil d’État (Council of State) ordered the government to revise its blanket 12-month retention regime to comply with EU Court of Justice rulings (French administrative court walks data retention tightrope – POLITICO). As of 2025, France still temporarily requires general retention of communications data for security reasons, but this is under constant legal review (French administrative court walks data retention tightrope – POLITICO). Outside of this law enforcement context, French law (via GDPR and the Data Protection Act) expects that personal data held by businesses (e.g., customer data) be disposed of once it’s no longer needed.

  • Cybersecurity and Information Security Requirements (National/European) – France also implements information security frameworks such as the Network and Information Systems (NIS) Directive (via the French “Loi de Sécurité des Systèmes d’Information”) for critical infrastructure. While these primarily mandate security measures (incident reporting, protection of systems), they can implicitly influence data retention—e.g. requiring logs to be kept for a certain time for security monitoring. However, they do not typically mandate retention of personal data beyond what privacy laws allow. The focus remains that any retained data (even for security) must be justified and securely disposed of when no longer needed.

Germany

  • EU General Data Protection Regulation (GDPR) (Regional) – Germany operates under the GDPR, which strictly requires data storage limitation. Organizations in Germany must delete personal data when it’s no longer necessary for the purpose collected. This is a legal obligation under Art. 5 GDPR, and individuals have the right to demand erasure of data that’s outdated or unlawfully retained. German companies often implement detailed retention schedules to comply. For instance, customer data might be set to purge after X years once the business purpose is done, unless a law (tax, etc.) mandates longer retention. GDPR’s influence in Germany means data disposal is a standard part of compliance – keeping data without purpose can lead to fines.

  • Bundesdatenschutzgesetz (BDSG) (National) – Germany’s Federal Data Protection Act, updated in 2018 to align with GDPR, adds German-specific rules. It covers areas like employee data processing and certain public-sector provisions. The BDSG upholds the principle that personal data should be erased when it’s no longer needed. For example, employee personal data must be deleted after statutory retention periods (like payroll records retention) expire. The BDSG doesn’t set specific timeframes for most data (those come from sectoral laws), but it emphasizes compliance with GDPR principles and provides that violations (including over-retention) can be penalized. In sum, the BDSG reinforces that unnecessary retention of personal info is unlawful in Germany, and data must be disposed of properly once its purpose is fulfilled.

  • Telecommunications & Telemedia Data Protection Act (TTDSG) and Legacy Telecom Laws (National) – Germany’s TTDSG (in force since Dec 2021) governs privacy of electronic communications (cookies, telecom privacy, etc.). It carries forward requirements from the ePrivacy Directive that telecom providers erase or anonymize traffic data when no longer needed for providing the service or billing. Separately, Germany attempted to institute mandatory telecommunications data retention: a 2015 law required telecom companies to retain call and internet metadata for 10 weeks and location data for 4 weeks for investigative purposes. However, this German data retention law has been suspended due to court rulings and is not enforced (What is data retention - and why we need to fight it! | Tuta). In 2010 the German Constitutional Court struck down an earlier retention law as unconstitutional, and in 2022 Germany acknowledged the EU Court’s decisions against blanket retention – effectively, as of 2025, Germany has no general data retention in force, making it one of the few EU countries without one (Austrian government hacking law is unconstitutional - European Digital Rights (EDRi)). Any required retention is now expected to be targeted (e.g., preserving specific data for specific suspects) rather than bulk. The norm for German companies is thus to follow normal privacy rules: delete personal communications data when no longer needed, unless a specific narrow exception applies.

  • IT Security and Other Sectoral Laws (National) – Germany’s IT-Sicherheitsgesetz (IT Security Act) and related regulations require certain industries (critical infrastructure, telecom, etc.) to maintain log data and incident records. While these laws focus on protecting data from breaches, they may indirectly set retention guidelines (for instance, requiring log files to be kept for X months for analysis). Companies in finance or healthcare might also face rules on record retention (e.g., financial records 10 years for compliance). Importantly, those sectoral retention requirements must be balanced with data protection—companies must delete personal data once legal retention periods (from tax, commercial, or sector laws) expire. German law also encourages data anonymization for long-term retention: e.g., instead of keeping identifiable personal data indefinitely for statistics, companies should anonymize it.

Switzerland

  • Federal Act on Data Protection (FADP) (National) – Switzerland’s main data protection law (revised FADP effective September 2023). This law governs personal data processing by private companies and federal authorities, similar in spirit to GDPR. It embodies principles of good faith, proportionality, and purpose limitation. Under the FADP, personal data should only be kept for as long as required to achieve the purpose for which it was collected. Although the FADP doesn’t stipulate exact timelines for retention, it implies that once the purpose is achieved or data is no longer needed, the data must be deleted or anonymized. Organizations are expected to establish retention policies and cannot keep personal information indefinitely “just in case.” The law also grants individuals the right to request deletion of their data. Non-compliance (e.g., keeping data without justification) can lead to penalties or orders from the Swiss Federal Data Protection and Information Commissioner.

  • Ordinance to the FADP and Sectoral Guidelines (National) – Accompanying the FADP are various ordinances and guidelines. For example, the new law requires transparency, so companies must inform data subjects about how long their data will be stored or the criteria used to determine retention. In practice, Swiss regulators encourage companies to align with GDPR-like practices: define data retention periods and dispose of personal data safely afterwards. Sector-specific Swiss laws (e.g., banking secrecy laws, health data regulations) also often include provisions to destroy or archive data securely after a certain period. Overall, the framework in Switzerland mandates data disposal as a part of the lifecycle – data should not linger beyond its intended use.

  • Federal Law on the Surveillance of Postal and Telecommunications Traffic (“BÜPF”) (National, Security) – This law (last revised 2018) imposes data retention duties on telecom/Internet providers in Switzerland. Under the BÜPF, major telecom operators and ISPs must retain telecommunications metadata for 6 months for potential criminal investigations (Data retention - Wikipedia). This includes phone call details, SMS metadata, IP address logs, and email routing information. After six months, the providers are required to delete the data. The BÜPF is essentially Switzerland’s equivalent of a data retention mandate (with a shorter period than many EU countries had). Notably, this law was approved by Swiss voters and there is no constitutional court to overturn it, so it remains in force. However, Switzerland limits retention to six months and excludes certain providers (e.g., encrypted email services like ProtonMail are exempted from data retention) (Data retention - Wikipedia). Aside from this law enforcement-focused retention, Swiss companies are generally expected to follow the FADP’s rules for other personal data, meaning they should dispose of personal data when it’s no longer needed for the business purposes or legal obligations.

Belgium

  • EU General Data Protection Regulation (GDPR) (Regional) – Belgium, as an EU member, enforces the GDPR. The GDPR’s requirements for storage limitation apply fully: Belgian organizations must not retain personal data longer than necessary and must erase or anonymize data once it’s obsolete with respect to its original purpose. Individuals in Belgium have the right to request deletion of data, and the Data Protection Authority (Gegevensbeschermingsautoriteit/Autorité de protection des données) can sanction entities for excessive data retention. GDPR thus underpins a strong expectation of timely data disposal in Belgium.

  • Belgian Data Protection Act of 30 July 2018 (National) – This law implements and supplements the GDPR in Belgium. It repealed the older 1992 Privacy Act. While the GDPR is directly applicable, the 2018 Act provides specific rules (e.g., on processing of national identification numbers, and on the Data Protection Authority’s powers). It affirms that controllers must respect the principles of data processing, including not keeping personal data beyond what is needed. The Belgian DPA (authority) has issued guidance that organizations should define retention periods and securely destroy personal data afterward. For instance, HR data or customer data should be disposed of after the statutory retention term (like tax or contractual limitation period) ends, rather than kept indefinitely. Failure to do so can violate the Act (and GDPR). In short, Belgium’s national law reinforces data disposal obligations and provides enforcement mechanisms at the national level.

  • Data Retention for Electronic Communications (National) – Belgium has had a turbulent history with mandated data retention. A 2016 law required telecom operators to retain phone and internet metadata for 12 months, aiming to assist in crime and terrorism investigations. However, in April 2021 the Belgian Constitutional Court annulled the 2016 data retention law for being too broad and indiscriminate (Belgian Constitutional Court Annuls Data Retention Framework for Electronic Communications Data). This followed CJEU rulings that blanket retention violates fundamental rights. The court did allow that targeted or exceptional retention could be legal, but the sweeping one-year retention of all citizens’ data was struck down. As a result, by 2022 Belgium has been working on new legislation to comply with EU requirements (e.g. perhaps restricting retention to serious threats or using a quick-freeze approach). As of 2025, there is no general data retention obligation in force in Belgium – telecom companies are not keeping all metadata by default, except to the extent needed for their business (billing, etc.) or any new limited scheme. This means the default is to delete communications data when no longer needed for service, consistent with privacy law. (Belgium’s situation exemplifies the push-pull between security laws and privacy rights: earlier retention was mandated, but privacy frameworks ultimately require deletion of data absent a strong justification.)

  • Information Security Laws (National/European) – Belgium also implemented the NIS Directive via a national law to ensure cybersecurity for critical services. While such laws don’t directly impose data disposal rules for personal data, they do require companies to protect information (e.g., through access controls, incident logging). Companies might keep security logs for some months as part of compliance. However, these logs, if containing personal data, would still fall under GDPR/Belgian law – meaning they should be purged when no longer needed. Additionally, Belgium’s Data Protection Authority encourages pseudonymization or anonymization techniques, which can allow organizations to retain useful data in a privacy-compliant way (since anonymized data is no longer personal data).

The Netherlands

  • EU General Data Protection Regulation (GDPR) (Regional) – The Netherlands adheres to the GDPR for all personal data processing. The GDPR’s principle of storage limitation requires Dutch organizations to erase personal data when it is no longer necessary for the purpose collected. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) expects organizations to define retention terms in their record of processing. Keeping data “forever” without justification is illegal. The GDPR also gives Dutch individuals rights to deletion of their data. In practice, Dutch companies must regularly purge outdated personal information (for example, delete customer data a certain time after the relationship ends, unless required by law to keep it). Non-compliance can result in fines under the GDPR’s enforcement regime.

  • Uitvoeringswet AVG (Implementation Act for GDPR) (National) – The Netherlands passed this law in 2018 to implement certain flexibilities of the GDPR. It doesn’t deviate from the GDPR’s fundamentals but provides specifics for Dutch context (e.g., age of consent set to 16, rules for certain public-sector data, etc.). Regarding data retention, the Dutch Implementation Act upholds that controllers must indicate how long personal data will be stored or the criteria for that. Dutch authorities have issued guidance that, for instance, employee data should be deleted after statutory periods (like job applicant data after 4 weeks if the person isn’t hired, unless consent to keep longer). Thus, the national law works in tandem with GDPR to ensure data is not kept longer than necessary and is disposed of properly.

  • Telecom Data Retention Law (National, annulled) – The Netherlands had a data retention law implementing the EU directive, which required telephone companies to store call data for 12 months and ISPs to store internet data for 6 months (Data retention: Netherlands court strikes down law as breach of privacy | Data protection | The Guardian). However, in March 2015 a Dutch court struck down this law as a breach of privacy (Data retention: Netherlands court strikes down law as breach of privacy | Data protection | The Guardian). The court ruled that the blanket retention of all citizens’ communications data was too intrusive, especially after the EU directive was invalidated. Following that ruling, Dutch telecom providers stopped retaining traffic data beyond their own business needs, and the government did not enforce a replacement law (efforts to introduce a revised, more targeted retention regime have stalled). Therefore, as of 2025, there is no general obligation in the Netherlands to retain communications metadata; providers delete traffic data once it’s no longer needed for purposes like billing or network quality, in line with ePrivacy rules. (Any new retention requirements would have to be carefully balanced and have not been adopted due to the privacy implications and ongoing EU-wide debates.) This means that apart from narrowly scoped scenarios, data disposal is the default after use.

  • Sectoral Retention Rules – The Netherlands does have various other laws that indirectly set retention times (e.g., tax law requires companies to keep financial records 7 years, employment law mandates keeping certain employee records 5 years after termination, etc.). Organizations must comply with these, but once those periods lapse, the Dutch Archiving Act or other regulations require records be destroyed or transferred to archives. For personal data, after meeting such legal retention, the data should be erased in compliance with the GDPR. The Dutch government also promotes pseudonymization for long-term data use (for example in healthcare research) so that personal identifiers are removed when keeping data for research or historical purposes. In summary, outside of specific legal duties, Dutch law and regulation strongly favor timely deletion or anonymization of personal information.

Spain

  • EU General Data Protection Regulation (GDPR) (Regional) – Spain enforces the GDPR as its core data protection framework. This means Spanish organizations must abide by principles like data minimization and storage limitation. Personal data should be kept only for as long as necessary and then deleted. The Spanish Data Protection Authority (AEPD) can audit companies on whether they have appropriate deletion routines. GDPR rights (like the right to erasure) are fully available in Spain, so individuals can request companies to remove data that’s no longer needed. The GDPR’s high fines have pushed Spanish companies to implement stricter data retention policies, ensuring data disposal (borrado) after the allowed period.

  • Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) (National) – Spain’s national data protection law, which supplements the GDPR. Enacted in late 2018, it includes specific provisions and clarifications for Spain (such as rules about data of deceased persons and digital rights in the workplace). LOPDGDD reinforces the GDPR’s requirements and in some cases provides explicit retention guidance. For instance, it contains provisions that certain HR or curriculum vitae data should not be kept beyond a certain time unless consent is renewed. It also introduced the concept of “Data Protection Officer” obligations in Spain. Regarding retention/disposal: the law doesn’t list generic periods, but it supports the idea that when the legal or agreed retention period ends, personal data must be either deleted or anonymized. Spanish regulators often reference this law when penalizing organizations for keeping data longer than declared in their privacy policies.

  • Data Retention Law (Law 25/2007) (National, Communications) – Spain implemented the EU Data Retention Directive via Law 25/2007 of October 18, 2007, which requires telecom and internet providers to retain certain traffic and location data. Under this law, companies had to retain telephone and internet metadata for 12 months for the purpose of investigating serious crimes (Spain introduces new law on the retention of data related to electronic communications and public communications networks - Lexology). This included data like the source and destination of communications, timestamps, and location data of mobile devices, but not the content of communications. The standard retention was one year, and the law allowed the government to adjust retention between 6 months and 2 years by regulation (Spain introduces new law on the retention of data related to electronic communications and public communications networks - Lexology). Notably, since the invalidation of the EU directive in 2014, Spain’s law has been under scrutiny. The Spanish Constitutional Court has not struck it down (as of the last known status), so formally it’s still on the books. However, Spanish authorities likely apply it in line with EU court guidance – meaning generalized retention should be used only for national security or very serious threats. In everyday practice, Spanish telcos retain data as required by law but must ensure it is securely deleted after the 12-month period expires (unless an extension is legally ordered for a specific case). Outside this context, companies in Spain follow GDPR/LOPDGDD – e.g., a bank in Spain will delete a customer’s personal data a certain number of years after the account is closed (once legal obligations lapse).

  • National Security and Digital Rights – Spain’s LOPDGDD also included a chapter on digital rights which, among other things, addresses the right to privacy in digital communications and online services. Combined with the Spanish Constitution’s privacy protections, there is an environment where undue retention of personal data can be challenged as a rights violation. Spain also has an Esquema Nacional de Seguridad (ENS) (National Security Framework) that public administrations must follow to protect information systems – it requires classification of data and appropriate handling. While ENS is more about security controls, it indirectly means that outdated personal data in government systems should be archived or deleted according to records laws. In summary, Spanish law expects both public and private sectors to purge personal data when it is no longer justified to keep it, with robust legal backing for individuals to demand that purge.

Italy

  • EU General Data Protection Regulation (GDPR) (Regional) – Italy, like other EU countries, follows the GDPR. The GDPR principles (especially data minimization and storage limitation) are fully applicable. Italian businesses and government agencies must ensure personal data is erased once it’s no longer needed. Italy’s supervisory authority, the Garante per la Protezione dei Dati Personali, oversees this; it has issued fines to entities retaining data excessively. Italians also enjoy the GDPR right to erasure, meaning they can request deletion of their data (for example, an Italian user can ask a social network to remove their old information when there’s no reason to keep it). The GDPR culture in Italy emphasizes that collecting less data and deleting unused data reduces risk.

  • Italian Personal Data Protection Code (Legislative Decree 196/2003, as amended by D.Lgs. 101/2018) (National) – This is Italy’s comprehensive data protection law, which was adjusted to align with the GDPR. It contains specific provisions for certain sectors (like employment, journalistic data, etc.) and established the Garante as the authority. Under this Code, the general rule is that controllers must limit retention of personal data. One explicit provision (Art. 132 of the Code) historically set retention requirements for telecommunication data for justice purposes (which we discuss below). Apart from that, the Code and Garante guidelines instruct that personal data should be deleted or anonymized when it is no longer necessary. For example, Italy has guidelines that customer credit information should be deleted after a set number of years, and video surveillance recordings should be overwritten typically after 24 hours unless an incident requires longer retention. The Italian law, therefore, reinforces that data disposal is mandatory once purposes are exhausted, subject to archival obligations.

  • Data Retention Obligations for Communications (National) – Italy has had one of the longest data retention mandates in the EU (under a series of laws and emergency decrees). By default, Italian law (per the Privacy Code’s Article 132 and subsequent amendments) required telcos to retain telephone traffic data (excluding content) for 24 months and internet access data for 12 months (The Long and Winding Road). In 2017, amid terrorism concerns, Italy passed Law 167/2017 (a “European Law” implementing EU directives) which extended the retention period to 72 months (6 years) for telephone and internet data in cases of serious crimes (The Long and Winding Road). This blanket 6-year retention was extraordinary and effectively turned what should be an exception into a general rule (The Long and Winding Road). The extension has been highly controversial. In 2021, the Court of Justice of the EU in the Tele2/Watson line of cases made clear that such general retention (especially for 6 years) is inconsistent with EU law on privacy. Italy has been reassessing these requirements. As of 2025, Italy technically still has legislation for long-term data retention for certain crimes, but it is under legal challenge and not fully enforced pending alignment with EU law. In practice, Italian telecom providers do keep data for extended periods under government orders, but this is expected to be curtailed significantly to targeted retention. Aside from telecom records, Italian law sets specific retention periods in other areas (e.g., employment records 10 years, CCTV 7 days by default, etc.), but once those periods end, data must be deleted. In summary, Italy’s law historically mandated some of the longest retention, but European jurisprudence is pushing it back to ensure that when data is no longer needed for a permitted purpose, it must be disposed of.

  • Data Disposal and Security Practices – Italian regulations stress proper destruction of data. For instance, when disposing of paper records containing personal data, Italian companies often use shredding consistent with EU standards and when disposing of electronic media, follow guidelines (sometimes referencing standards like ISO/IEC 27001 or Italy’s national cybersecurity framework). The Garante has issued best practices, such as requiring anonymization of certain datasets after X years for research, rather than keeping identifiable info. Under Italy’s Cybersecurity Act 2021 (which set up the National Cybersecurity Agency), critical operators must manage data securely – which includes not retaining sensitive personal data longer than necessary to avoid breaches. In essence, Italy’s approach is two-fold: ensure minimum necessary retention (deleting data when not needed) and ensure secure disposal (so that no personal data can be reconstructed from disposed media).

Austria

  • EU General Data Protection Regulation (GDPR) (Regional) – Austria implements the GDPR as its data privacy cornerstone. The GDPR’s storage limitation principle is fully recognized: Austrian companies and authorities must not hoard personal data without purpose. Data should be erased once it’s no longer required for the purpose it was collected for. Austrians have the right to request deletion, and the Austrian Data Protection Authority (Datenschutzbehörde) can enforce against organizations that keep data longer than permitted. GDPR compliance in Austria typically means data retention policies are in place and old data sets (with no legal or business need) are regularly purged or anonymized.

  • Datenschutzgesetz (DSG) (National) – Austria’s Data Protection Act, which works alongside the GDPR. The DSG contains some national adaptations (e.g., on processing of personal data in media, scientific research, and the establishment of the DPA). It does not override GDPR but supplements it. Under the DSG, the fundamental right to data protection is enshrined, and it upholds that unnecessary retention is a violation of that right. While it doesn’t list explicit time frames, it provides the legal basis in Austrian law to demand deletion of data. For instance, Austrian law requires that if someone withdraws consent or if the contract ends, their personal data should be deleted unless there’s a statutory retention duty. The combination of DSG and GDPR in Austria ensures that data disposal is not just a recommendation but a duty tied to the constitutional right to privacy.

  • Telecommunications Data Retention (Repealed) (National) – Austria had implemented the EU Data Retention Directive in 2012, requiring telecom operators to store communications metadata for 6 months. In June 2014, however, Austria’s Constitutional Court struck down the data retention law as unconstitutional (following the CJEU’s invalidation of the EU directive). The court held that indiscriminate mass retention violated fundamental rights. Since 2014, Austria has not had any general telecom data retention mandate (Austrian government hacking law is unconstitutional - European Digital Rights (EDRi)). This makes Austria, like Germany, an EU country without a current blanket data retention regime. Austrian telecom providers now immediately delete or anonymize traffic data once it’s no longer needed for service delivery or billing, in line with the ePrivacy Directive and Telecom Act. Only targeted retention (with a court order for specific suspects) is allowed. Additionally, in 2019, the Austrian Constitutional Court struck down a law that would have allowed bulk surveillance (license plate scanning data retention) (Austrian government hacking law is unconstitutional - European Digital Rights (EDRi)), reinforcing Austria’s stance against mass data retention. Thus, in Austria, any retention of personal data must be narrowly tailored and justified – otherwise, deletion is required.

  • Records Management and Disposal – Austrian administrative law (e.g., the Federal Archiving Act) dictates how long official records should be kept and when they should be destroyed or archived. Personal data in public records, once past the retention schedule and not selected for archival preservation, must be securely destroyed. In the private sector, common legal retention periods (tax, accounting records for 7 years, etc.) apply, but after those periods, data should be deleted. The Austrian Standards Institute even provides guidelines for document destruction. Companies often use certified data destruction services for paper and IT assets. In summary, Austria’s legal environment strongly favors timely deletion of personal data, and the absence of data retention laws means the default is to not keep data unless necessary.


Sources: The information above is drawn from a range of legal sources and commentary, including official government publications and international analysis. Key references include: GDPR Art.5 principles on storage limitation (Purpose limitation, data minimisation and storage limitation | ICO), guidance from regulators like the UK ICO on deleting data when no longer needed (Traffic data | ICO), provisions of sectoral laws such as Australia’s Privacy Act APP 11 on disposal (Chapter 11: APP 11 Security of personal information | OAIC), the FTC Safeguards Rule under GLBA mandating disposal after two years (FTC Strengthens GLBA Information Security Requirements | Davis Wright Tremaine), and examples of data retention laws (e.g., France’s one-year rule (French administrative court walks data retention tightrope – POLITICO), Belgium’s struck-down law (Belgian Constitutional Court Annuls Data Retention Framework for Electronic Communications Data), Netherlands’ law overturned in 2015 (Data retention: Netherlands court strikes down law as breach of privacy | Data protection | The Guardian), Spain’s 12-month requirement (Spain introduces new law on the retention of data related to electronic communications and public communications networks - Lexology), Italy’s 72-month extension (The Long and Winding Road), and Switzerland’s 6-month telecom retention (Data retention - Wikipedia)). These illustrate how each jurisdiction balances data privacy (requiring data minimization and destruction) with security or other needs (occasionally requiring retention for a period).

All in all, a common theme across these countries is that data should not be kept forever: laws either directly require deletion of personal information once it becomes unnecessary, or they implicitly encourage it by limiting retention to what is justified and imposing penalties for holding data negligently beyond that. (Chapter 11: APP 11 Security of personal information | OAIC) (https://www.homeaffairs.gov.au/nat-security/Pages/Data-retention-obligations.aspx) (FTC Strengthens GLBA Information Security Requirements | Davis Wright Tremaine) (Purpose limitation, data minimisation and storage limitation | ICO)


Disclaimer: The content provided by the Opus Guard Governance Library is for informational purposes only and does not constitute legal advice. While we strive to offer useful guidelines to assist your understanding and learning, it is important to consult legal counsel or authoritative sources for specific advice relevant to your circumstances.
