How long can personal data be kept under GDPR?

Under the General Data Protection Regulation (GDPR), personal data can only be retained for as long as necessary for the purposes for which it was collected. This principle of data minimization ensures that organizations do not keep personal data longer than is required. Once the purpose for which the data was collected has been fulfilled, or if the individual withdraws their consent (where applicable), the data must be deleted or anonymized in order to comply with GDPR requirements.

This provision is critical in promoting responsible data handling practices and protecting individuals' privacy rights. It emphasizes that organizations must have a clear understanding of why they are collecting data and how long they need to retain it. Storing personal data indefinitely, or for arbitrary lengths of time, would contravene these principles and increase the risks associated with data breaches or misuse.