A little more than one year after the entry into force of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation or “GDPR”), it seems there still remain many gray areas. This is particularly true with respect to retention periods for different categories of data collected and processed by data controllers.
To that end, DSM Avocats à la Cour presents a summary table for the Luxembourg GDPR retention periods for the personal data that is most often collected and processed by data controllers, as well as the associated retention periods to fill in those gaps and assist the various entities in the Grand Duchy with setting the retention periods for the personal data they process.
DSM makes available to all this table on the retention periods, all the while reminding its users that it is not exhaustive and bringing to their attention the fact that it may be outdated. DSM will use its best efforts to update it pursuant to any applicable legislative and regulatory developments. Nonetheless, DSM may not be held liable for any possible errors, omissions or the outdatedness of legal bases for the table. Users are hereby made aware of this point and the fact that it is their responsibility to keep themselves informed of such developments.