Retention and Disposal
Plain English Translation
Personal data must not be kept longer than is necessary to fulfil the purpose for which it was collected. Once that purpose has been achieved, or if no longer legally required, the data must be securely disposed of in a manner that prevents further processing. Data cannot be retained indefinitely on the basis of a vague or future purpose that has not yet been defined.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Define baseline retention periods for core customer data and manually delete obsolete records at least annually.
Required Actions (scaleup)
- Implement automated data lifecycle policies within databases to purge or archive records automatically based on predefined retention schedules.
Required Actions (enterprise)
- Deploy a centralized data governance platform that automatically enforces complex data retention and cryptographic shredding policies across all integrated systems and backups.
Under RA 10173, Rule IV, Section 19(d), personal data must not be retained longer than necessary and shall only be kept until its declared, specified, and legitimate purpose has been achieved.
Data can be retained until the specific purpose for collection is fulfilled, or as strictly necessary to establish, exercise, or defend legal claims, or to comply with other statutory obligations.
No, the Act does not mandate a universal fixed retention period (e.g., 5 years) for all data. Instead, periods must be determined based on the specific purpose of processing and applicable industry disposition schedules.
Secure disposal means discarding data in a manner that permanently prevents further processing, unauthorized access, or disclosure, ensuring the data cannot be reconstructed or retrieved.
Data must be deleted or disposed of when the original declared purpose is achieved, processing is terminated, the retention period expires, or upon a valid data subject request for erasure, barring legal retention mandates.
The policy must outline data categories, specific retention periods, legal justifications for retention, procedures for automated or manual deletion, and standardized methods for secure physical and digital destruction.
Companies should document their practices through a formal Data Retention Schedule within their Record of Processing Activities (RoPA) and maintain detailed logs or Certificates of Destruction for disposed records and hardware.
Acceptable methods include secure cryptographic wiping or degaussing for digital storage media, and cross-cut shredding or incineration for physical paper records, ensuring absolute irreversibility.
Organizations may lawfully extend the retention of personal data beyond its original purpose if it is strictly necessary to establish, exercise, or defend active legal claims, or if mandated by other specific laws.
Auditors should review the organization's Data Retention Schedule, automated database purging scripts, disposal logs, hardware decommissioning records, and third-party Certificates of Destruction.
Retention rules often fail when policies are written once but not maintained as systems, data categories, and legal obligations change. Tools like WatchDog Security's Policy Management can help maintain version-controlled retention policies, assign owners, track approvals, and record employee acceptance where retention procedures affect operational teams.
Secure disposal requires more than deleting records; organizations need proof that disposal happened, who approved it, and which systems or media were affected. Tools like WatchDog Security's Compliance Center can centralize retention schedules, disposal logs, certificates of destruction, and related evidence for audit review.
"Personal data shall not be retained longer than necessary. 1. Retention of personal data shall only be until the declared, specified and legitimate purpose has been achieved... 3. Personal data shall be disposed or discarded in a secure manner that would prevent further processing..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

