Retention and Disposal

Plain English Translation

Personal data must not be kept longer than is necessary to fulfil the purpose for which it was collected. Once that purpose has been achieved, or if no longer legally required, the data must be securely disposed of in a manner that prevents further processing. Data cannot be retained indefinitely on the basis of a vague or future purpose that has not yet been defined.

Executive Takeaway

Organizations must strictly limit the retention of personal data to its necessary lifespan and ensure it is securely destroyed when no longer needed.

ImpactHigh
ComplexityMedium

Why This Matters

  • Minimizes regulatory risk and exposure to severe administrative fines under RA 10173 by eliminating unauthorized data hoarding.
  • Significantly reduces the blast radius of potential data breaches by strictly limiting the volume of stored sensitive information.
  • Builds customer trust by proving that personal data is not held in perpetuity without a valid, transparent business reason.

What “Good” Looks Like

  • A formalized and consistently enforced data retention schedule covering all operational data categories and systems, supported by tools like WatchDog Security's Asset Inventory to keep data-store and ownership mapping current.
  • Automated scripts or established operational procedures that securely delete or anonymize data immediately once retention periods expire.
  • Verifiable records of destruction, such as certificates of secure disposal for hardware, servers, and physical files, with tools like WatchDog Security's Compliance Center helping organize evidence for audit review.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, Rule IV, Section 19(d), personal data must not be retained longer than necessary and shall only be kept until its declared, specified, and legitimate purpose has been achieved.

Data can be retained until the specific purpose for collection is fulfilled, or as strictly necessary to establish, exercise, or defend legal claims, or to comply with other statutory obligations.

No, the Act does not mandate a universal fixed retention period (e.g., 5 years) for all data. Instead, periods must be determined based on the specific purpose of processing and applicable industry disposition schedules.

Secure disposal means discarding data in a manner that permanently prevents further processing, unauthorized access, or disclosure, ensuring the data cannot be reconstructed or retrieved.

Data must be deleted or disposed of when the original declared purpose is achieved, processing is terminated, the retention period expires, or upon a valid data subject request for erasure, barring legal retention mandates.

The policy must outline data categories, specific retention periods, legal justifications for retention, procedures for automated or manual deletion, and standardized methods for secure physical and digital destruction.

Companies should document their practices through a formal Data Retention Schedule within their Record of Processing Activities (RoPA) and maintain detailed logs or Certificates of Destruction for disposed records and hardware.

Acceptable methods include secure cryptographic wiping or degaussing for digital storage media, and cross-cut shredding or incineration for physical paper records, ensuring absolute irreversibility.

Organizations may lawfully extend the retention of personal data beyond its original purpose if it is strictly necessary to establish, exercise, or defend active legal claims, or if mandated by other specific laws.

Auditors should review the organization's Data Retention Schedule, automated database purging scripts, disposal logs, hardware decommissioning records, and third-party Certificates of Destruction.

Retention rules often fail when policies are written once but not maintained as systems, data categories, and legal obligations change. Tools like WatchDog Security's Policy Management can help maintain version-controlled retention policies, assign owners, track approvals, and record employee acceptance where retention procedures affect operational teams.

Secure disposal requires more than deleting records; organizations need proof that disposal happened, who approved it, and which systems or media were affected. Tools like WatchDog Security's Compliance Center can centralize retention schedules, disposal logs, certificates of destruction, and related evidence for audit review.

PHILIPPINES-DPA Rule IV, Section 19(d)

"Personal data shall not be retained longer than necessary. 1. Retention of personal data shall only be until the declared, specified and legitimate purpose has been achieved... 3. Personal data shall be disposed or discarded in a secure manner that would prevent further processing..."

PHILIPPINES-DPA Rule IV, Section 19(e)(3)

"Personal data can not be retained in perpetuity in contemplation of a possible future use still to be determined."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content SpecialistInitial publication