Back to the blog
GDPR 7 min read

Data retention for businesses: how long can you keep data?

There is no magic number in the GDPR. There is a principle: keep data only as long as the purpose requires, and be able to show why. Here is what that means in practice, with common retention periods per data type and a simple policy you can write in an hour.

The short answer

The GDPR sets no fixed time limit for how long companies may store personal data. The storage limitation principle (Article 5(1)(e)) says that data may be kept in identifiable form only as long as it is needed for its purpose. You set the periods yourself, but you must be able to justify them, and delete once the period has expired. In some cases other legislation requires a minimum retention period, such as the Swedish Bookkeeping Act's seven years for accounting records. Then that applies.

Common retention periods per data type

Reference values that many Swedish companies land on. Check them against your own situation, and with IMY if you are unsure:

Data typeCommon retention periodWhy
Accounting records (invoices, receipts)7 yearsRequired by the Swedish Bookkeeping Act
Contracts with customers and suppliersThe contract term + up to 10 yearsGeneral limitation period for claims
Customer recordsAs long as the customer relationship is activeThe purpose: delivering and providing support
Newsletter subscribersUntil they unsubscribeConsent is the basis, delete when it is withdrawn
Job applications (not hired)Common practice around 2 yearsAbility to respond to discrimination claims
Visitor data / web analytics30 to 365 daysYour reporting needs decide, shorter is better
Server logsWeeks to a few monthsDebugging and security, then erasure

Write the policy in an hour

  1. List the data types. Go through which personal data you actually hold: customer records, email, analytics, logs, job applications.
  2. Set a purpose and a period per row. A table with four columns is enough: data type, purpose, retention period, where it lives. In practice this satisfies most of the documentation requirement in Article 30.
  3. Decide how deletion happens. Who does it, when, and how is it confirmed? This is the point where most policies fail.
  4. Review annually. New systems, new data types, new periods.

Let the technology enforce the policy for you

A retention period on paper that nobody enforces is worse than none at all, it proves in black and white that you know what should be deleted. Systems that handle the erasure automatically remove the whole problem. Our web analytics is built that way: data retention is 7 days, 90 days or 12 months depending on plan (the free plan shows the last 7 days while the data is stored for 90), deletion happens at the database level once the period expires, and backups follow the same schedule. The policy enforces itself.

If a provider processes data on your behalf, the retention periods must also be regulated in a data processing agreement (DPA). Ours is included for every customer, in Swedish and under Swedish law.

Frequently asked questions

How long can a company store personal data?

For as long as the data is needed for the purpose it was collected for, no longer. The GDPR sets no fixed time limit, it requires you to decide and justify the retention period per purpose yourself. Other legislation can require a minimum period, for example the Swedish Bookkeeping Act’s seven years for accounting records.

What is storage limitation?

One of the GDPR’s core principles (Article 5(1)(e)): personal data may not be kept in identifiable form longer than necessary. In practice this means defined retention periods, and deletion or anonymization once the period has expired.

Do we need a data retention policy?

The GDPR does not require a document with that exact name, but the accountability principle (Article 5(2)) and the records of processing (Article 30) require you to show which data you hold, why, and when it is erased. A simple table with data type, purpose, retention period and location goes a long way.

How long should website visitor data be kept?

For ordinary traffic analytics, 30 to 365 days is usually enough. Pick the shortest period that covers your reporting needs: monthly reports manage on 90 days, year-over-year comparisons need 12 months. Best of all is when the tool deletes automatically once the period expires.

What happens if we keep data too long?

Storage without a valid purpose is a GDPR violation and can lead to an administrative fine in a supervisory review. Old data is also a pure liability in a data breach: what no longer exists cannot leak.

We are not lawyers, but we have built a product where storage limitation is the default. If you need to go deep on your own erasure routines, talk to a GDPR lawyer or read IMY's guidance.

Further reading: Data retention in Spårlös · You own your data · Is Google Analytics legal in Sweden in 2026?.

Analytics with built-in erasure

History for 7 days, 90 days or 12 months depending on plan, and everything is deleted automatically when the retention period expires. EU-hosted, cookie-free, Swedish DPA included. 14-day Pro trial, no card required.

Data retention for businesses: how long can you keep personal data? | Spårlös