GDPR Data Retention Periods: A Practical Cheatsheet for Dutch Businesses
Steven | TrustYourWebsite · 6 April 2026
The GDPR's storage limitation principle (Article 5(1)(e)) is simple in theory: keep personal data only as long as necessary. In practice, "necessary" depends on the purpose, the type of data, and other legal obligations that may require you to keep records longer than you otherwise would.
The Netherlands adds its own layer: Dutch tax law (the Algemene wet inzake rijksbelastingen, AWR), employment law (Burgerlijk Wetboek), and sector-specific regulations all set their own mandatory retention periods that interact with GDPR rules.
The Golden Rule
You cannot keep personal data indefinitely just because it might be useful someday. The GDPR requires:
- A defined purpose for collecting the data
- A defined retention period linked to that purpose
- Actual deletion or anonymisation when the period expires
A privacy policy that says "we keep your data as long as necessary" without specifying a period does not meet the requirement. Article 13(2)(a) requires you to state the actual period or, where a fixed period genuinely is not possible, the concrete criteria used to determine it (for example "until the statutory 7-year tax retention period ends"). "As long as necessary" is neither.
Retention Periods by Category
Financial and Tax Records
| Data type | Minimum retention | Basis |
|---|---|---|
| Invoices and financial records | 7 years | Dutch tax law (AWR Art. 52) |
| VAT records | 7 years | AWR Art. 52 |
| Payroll records | 7 years | AWR Art. 52 |
| Annual accounts | 10 years | BW Book 2, Art. 394 |
Financial records have a minimum: you must keep them, and the legal obligation is the lawful basis for doing so. The GDPR's purpose limitation means you cannot use financial records for marketing or other unrelated purposes after the primary accounting purpose is served, and once the statutory period ends that basis falls away, so delete or anonymise them then.
Customer Relationship Data
| Data type | Recommended retention | Notes |
|---|---|---|
| Active customer account | Duration of relationship + 2 years | For dispute resolution and warranty claims |
| Inactive customer account | 2 years after last activity | Send a re-engagement email and delete if no response |
| Purchase history | 2 years after last purchase | Longer only if required for warranty or compliance |
| Customer service records | 1 year after case closed | May extend if dispute is ongoing |
| Warranty claims | Duration of warranty period | Legal obligation if warranty is given |
Website and Analytics Data
| Data type | Recommended retention | Notes |
|---|---|---|
| Google Analytics event data | 2 months (GA4 default) or 14 months (maximum for standard properties) | Set in the GA4 admin data retention setting; it governs event- and user-level data, not aggregated reports |
| Server access logs | 3–6 months | For security investigation only |
| IP addresses in logs | 30–90 days | After that, truncate (e.g. zero the last IPv4 octet) or delete; hashing an IP only pseudonymises it, because the address space is small enough to brute-force |
| Cookie consent records | 3 years | Proof of consent may be needed if challenged |
| Heatmap / session recording | 30–90 days | Purpose-limited to UX analysis |
Marketing and Email
| Data type | Recommended retention | Notes |
|---|---|---|
| Newsletter subscriber list | Duration of subscription + 2 years | Stop mailing immediately on unsubscribe; the extra period covers only the consent and opt-out evidence, not the mailing list itself |
| Email campaign analytics | 2 years | Open/click rates for business reporting |
| Marketing consent records | 3 years after consent given | Evidence of lawful basis |
| Abandoned cart emails | 14–30 days maximum | Very short-term follow-up only |
Dutch direct marketing via email (Telecommunicatiewet art. 11.7) requires either prior consent or an existing customer relationship (the "soft opt-in"). Either way, the email address must be removed from the mailing list promptly on unsubscribe.
HR and Employment Records
| Data type | Minimum/maximum retention | Basis |
|---|---|---|
| Employment contracts | 7 years after employment ends | AWR + BW |
| Payslips | 5 years | AWR |
| Sick leave records | 2 years after reporting | Arbo-wet |
| Recruitment data (rejected applicants) | 4 weeks after rejection | Unless candidate consents to longer |
| Reference checks | 4 weeks after recruitment decision | Same as above |
| CCTV footage | Maximum 4 weeks | AP guideline on camera surveillance |
| Access card logs | 3–6 months | For security purposes only |
For rejected job applicants, 4 weeks is the standard. You may ask candidates to consent to keeping their CV for up to 1 year for future roles, but this consent must be specific and freely given.
Contact Forms and Enquiries
| Data type | Recommended retention | Notes |
|---|---|---|
| General enquiry | 1 year after last contact | Or delete once resolved, whichever is sooner |
| Sales enquiry (no conversion) | 1 year | Delete if no contract results |
| Complaint or dispute | Until resolved + 1 year | May extend if legal proceedings are possible |
| Support ticket | 1 year after ticket closed | Longer if related to a product warranty |
Health and Special Category Data
Special category data (Article 9 GDPR), such as health data, disabilities, religious or political beliefs, and dietary requirements where they reveal a health condition or religion, requires a higher standard of justification to retain at all, so apply the shortest defensible period.
| Data type | Recommended retention | Notes |
|---|---|---|
| Dietary/allergy data (hospitality) | Until after the visit | Delete immediately after the purpose is served |
| Medical certificates (HR) | Duration of employment + 2 years | No longer |
| Biometric access data | Duration of access need | Delete when access is no longer required |
Dutch-Specific Retention Requirements
Fiscal Record-Keeping Obligation (Bewaarplicht): The 7-Year Rule
The Dutch Tax and Customs Administration (Belastingdienst) requires businesses to keep all records relevant to their tax position for 7 years from the end of the financial year in which they were created. This applies to:
- Invoices (both sent and received)
- Bank statements
- Stock records
- Wage administration
For real estate records: 10 years.
Consumer Dispute Records
The ACM (Autoriteit Consument & Markt) recommends retaining records relevant to consumer complaints until the statutory limitation period expires. For non-conforming goods this is 2 years after the consumer notifies you of the defect (BW 7:23(2)); personal injury claims run 5 years from the moment the victim becomes aware of the damage and the liable party (BW 3:310).
How to Implement Retention Periods
Step 1: Map your data
List every type of personal data your business collects. Include website analytics, customer records, HR data, financial records, and any third-party tools that receive data.
Step 2: Define a retention period for each
Use the tables above as a starting point. Where law dictates a minimum (tax records), honour that minimum. Where there is no legal minimum, define the shortest period that serves your business need, and write down the reason for it.
Step 3: Document it
Add retention periods to:
- Your processing register (Article 30 GDPR)
- Your privacy policy (visible to website visitors)
- Internal data management procedures
Step 4: Automate deletion where possible
Manual deletion processes fail. Most CRM, email, and analytics tools have automatic deletion or anonymisation settings. Configure them, and verify periodically that they are still in effect. Google Analytics 4 defaults to 2 months of event-level data retention; if your documented period is 14 months, set that explicitly in the GA4 admin data retention setting and record the choice.
Step 5: Review annually
Retention periods change as your business changes. Review your data map and retention schedules each year, or when you add a new service or tool that processes personal data.
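The step that most often goes wrong in practice is Step 4 for data no SaaS tool manages for you: server access logs on your own machines. The script below is an added example, not code from the article or from TrustYourWebsite, showing how a log retention rule from the tables above can be enforced mechanically: records past the anonymisation age get their client IP truncated (last IPv4 octet or last 80 IPv6 bits zeroed, which is irreversible, unlike hashing), records past the deletion age are dropped, and anything whose age cannot be determined is reported rather than silently kept or deleted. The 30-day and 180-day thresholds are assumed values picked from the ranges in the tables, the log lines are constructed for the example, and the combined log format is an assumption about your web server.

```python
"""Enforce a retention rule over web-server access logs.

Added example: anonymise client IPs after `anonymise_after`, delete whole
records after `delete_after`, report lines whose age cannot be determined.
Thresholds, log lines and the combined-log format are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionRule:
    anonymise_after: timedelta  # IP truncated once a record is this old
    delete_after: timedelta     # record removed entirely once this old


# Assumed rule taken from the article's ranges: 30 days for IPs, 6 months for logs.
ACCESS_LOG_RULE = RetentionRule(anonymise_after=timedelta(days=30),
                                delete_after=timedelta(days=180))

# Combined log format: "<ip> <ident> <user> [dd/Mon/yyyy:HH:MM:SS +zzzz] ..."
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$')


def anonymise_ip(ip_text: str) -> str:
    """Truncate an address so it no longer singles out one client.

    IPv4 keeps the /24 (last octet zeroed); IPv6 keeps the /48 (last 80 bits
    zeroed). Truncation discards the identifying bits for good. Hashing would
    not: the whole IPv4 space is only 2^32 values, so a hash table keyed on
    a leaked salt re-identifies every address. That is pseudonymisation.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_timestamp(ts: str) -> datetime:
    """Parse the bracketed combined-log timestamp into an aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def enforce_retention(lines, now: datetime, rule: RetentionRule):
    """Apply `rule` to log lines. Returns (kept_lines, unparsed_lines).

    Unparsable lines are handed back rather than kept or dropped silently:
    without a timestamp their age is unknown, so neither default is safe.
    """
    kept, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            age = now - parse_timestamp(m.group("ts"))
            ip = m.group("ip")
            ipaddress.ip_address(ip)  # reject hostnames / "-" before we trust the line
        except ValueError:
            unparsed.append(line)
            continue
        if age >= rule.delete_after:
            continue  # past maximum retention: the record is gone
        if age >= rule.anonymise_after:
            line = f'{anonymise_ip(ip)} {m.group("ident")} [{m.group("ts")}]{m.group("rest")}'
        kept.append(line)
    return kept, unparsed


# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
NOW = datetime(2026, 4, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # ~1 day old: kept as is
    '203.0.113.7 - - [05/Apr/2026:09:12:01 +0000] "GET /contact HTTP/1.1" 200 5123',
    # ~45 days old: IP truncated to 203.0.113.0
    '203.0.113.7 - - [20/Feb/2026:22:40:17 +0000] "POST /contact HTTP/1.1" 302 0',
    # ~45 days old IPv6: truncated to 2001:db8:abcd::
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [20/Feb/2026:22:41:03 +0000] "GET /privacy HTTP/1.1" 200 8800',
    # 200 days old: deleted
    '198.51.100.23 - - [18/Sep/2025:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162',
    # damaged during rotation: reported, not silently handled
    'this line was truncated during rotation',
]


def run_example():
    """Run the rule over the constructed sample and return (kept, unparsed)."""
    return enforce_retention(SAMPLE_LOG, NOW, ACCESS_LOG_RULE)


if __name__ == "__main__":
    kept, unparsed = run_example()
    print("kept:")
    print("\n".join(kept))
    print("needs manual review:")
    print("\n".join(unparsed))
```

Run it from cron against rotated log files and treat a non-empty "needs manual review" list as an alert, not as noise: a log that cannot be aged cannot be shown to comply with the period in your processing register.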
What Happens If You Keep Data Too Long?
The AP can fine businesses for violating the storage limitation principle. In practice, the AP usually discovers this violation in the context of a broader investigation — a data breach, a complaint, or a routine audit — rather than proactively auditing retention periods in isolation.
But the reputational damage from a breach of data that should have been deleted long ago is real. If old customer data is stolen or leaked, and it turns out you had no business reason to still hold it, expect the AP to treat that as an aggravating factor when assessing the breach, and expect to have to explain it to every affected customer.
To see what personal data your website is currently collecting, scan your website free.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.