GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
- Example of employee data: Statutory retention
- Employment permit records: 5 years or duration
- Tax records: 6 years
Therefore, in deciding how long to retain personal data for, employers will make their decision based on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles.
We have set out a table below for employers outlining their obligations to retain employment data as per certain employment statutes. We recommend employers use these statutory retention periods as a guide for the minimum period of time the relevant employee data should be kept.
In most cases, the most relevant criteria will be how long the records may be needed to defend against any potential claims.
Personal injuries claims
For example, in the event of a potential personal injuries claim, relevant records for the purpose of defending such a claim would ideally be available for a three-year period. A potential breach-of-contract claim would require retaining the relevant records for seven years from the date of breach.
If the claim is specifically threatened or issued, then the employer may hold the records for longer, as is necessary.
| Example of employee data | Statutory retention period |
| Payslips and records relating to wages | 3 years |
| Weekly working hours, name and address of employee, PPS numbers, and statement of duties | 3 years |
| Records relating to employees under 18 years | 3 years |
| Records relating to collective redundancies | 3 years |
| Records relating to parental leave | 8 years |
| Tax records | 6 years |
| Records relating to workplace accidents | 10 years |
| Employment permit records | 5 years or duration of employment |