Under GDPR, there is no fixed rule for how long personal data must be retained. Instead, organisations are required to define, justify, and document retention periods based on their lawful basis and business needs, in line with the storage limitation principle (GDPR Article 5¹). 


Data Controller vs Data Processor

For data stored in Ezekia:

  • Your organisation is the Data Controller
    You decide:
    • What personal data is stored
    • Why it is processed
    • How long it is retained

    GDPR places responsibility for these decisions on the Data Controller (Articles 5¹ and 24³).

  • Ezekia acts as a Data Processor
    We process personal data solely on your instructions, as required under GDPR Article 28⁴, and provide the tools to support compliant data management.

Ezekia is a Data Controller only for its own operational data, such as customer accounts, billing, and support communications, not for the CRM data you manage in the platform.


Why Ezekia Is Not Prescriptive on Retention

GDPR is principles-based and interpreted slightly differently across jurisdictions. Retention requirements also depend on factors such as:

  • Business model
  • Client lifecycle
  • Regulatory obligations
  • Lawful basis for processing (GDPR Article 6²)

For this reason, Ezekia does not enforce a single retention period on client-controlled data. Imposing fixed rules could conflict with your responsibilities as a Data Controller under GDPR.


Your Responsibility as a Data Controller

As the Data Controller, your organisation is responsible for:

  • Defining appropriate retention periods
  • Documenting the rationale behind them
  • Reviewing inactive data
  • Deleting or anonymising data that is no longer required

Many organisations use 3-5 years of inactivity as a review point, but this is a guideline rather than a legal requirement. Data subjects may also request deletion at any time under the right to erasure, also known as the right to be forgotten (GDPR Article 17⁵).


How Ezekia Supports Compliance

While retention decisions sit with you, Ezekia provides:

  • Visibility of inactive or dormant records, defined internally via the Query Builder
  • Deletion functionality to support retention policies and erasure requests
  • Compliance notification workflows, including initial notifications and ongoing reminders, to notify individuals that you hold their data
  • Subject access request (SAR) management (Right of access GDPR Article 15⁶)
  • Right to be forgotten requests (Right to erasure GDPR Article 17⁵)
  • Custom forms to support compliant data capture
  • Template Manager for consistent, controlled communications
  • Audit-friendly data handling (system notes on every record)
  • Flexibility to align with your internal policies and local regulations


Key Takeaway

Ezekia provides the tools and structure needed to support GDPR compliance, while ensuring retention policy decisions remain where GDPR intends them to be: with the Data Controller.


References / Further Reading

  1. GDPR Article 5 - Storage limitation
    https://gdpr-info.eu/art-5-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/storage-limitation/
  2. GDPR Article 6 - Lawfulness of processing
    https://gdpr-info.eu/art-6-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/
  3. GDPR Article 24 - Responsibility of the controller
    https://gdpr-info.eu/art-24-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/
  4. GDPR Article 28 - Processor
    https://gdpr-info.eu/art-28-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/
  5. GDPR Article 17 - Right to erasure (Right to be forgotten)
    https://gdpr-info.eu/art-17-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/
  6. GDPR Article 15 - Right of access (Subject access requests)
    https://gdpr-info.eu/art-15-gdpr/
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/


Legal Notice

This article is provided for general informational purposes only and does not constitute legal advice. Data protection obligations may vary depending on jurisdiction and individual circumstances. Organisations should seek independent legal advice to ensure compliance with applicable data protection laws. The official EU GDPR text (EUR-Lex) is a single consolidated regulation, published as one legal instrument under: https://eur-lex.europa.eu/eli/reg/2016/679/oj