Comment by EGreg

5 hours ago

Is there an actual regulation or case law showing what the cutoff time is de jure?

I would be glad to respect it if there was.

As it is, laws do allow for things they didn't explicitly prohibit, and especially good-faith things like welcoming people to try the free app again, which they themselves downloaded and asked to be educated about, since it's improved, and showing them how and why to use the improvements.

Yeah, that's fair enough, and it is annoying that there is rarely a specific time set in regulation (or even case law which is broadly applicable). Most regulatory bodies will tend to say things like "as short as required/possible" for retention, which is clearly open to interpretation [0].

I would personally see 10 years as "a long time" in this kind of context (although that may be contextual depending on what your product does, obviously). If you can honestly claim/show good faith, that is usually acknowledged, but my point was rather how it would be seen out of the blue from an organisation that has been silent for 10 years (my personal first thought would be "why the hell have they still got my information?", but I am well aware that I'm not the average).

Genuinely, I don't mean to imply bad faith on your part, only to suggest the reactions it may receive, and how careful you should be with your messaging.

[0]: https://commission.europa.eu/law/law-topic/data-protection/r...

> Is there an actual regulation or case law showing what the cutoff time is de jure? I would be glad to respect it if there was.

I'm sorry, but what sort of BS excuse is that?

The whole point is that YOU are supposed to know: a) What data you have b) What you need it for

It is simply not possible for data protection law to spell out an exact cut-off time because there are so many permutations.

For example, if it's for tax reasons, then you need to keep it for the duration dictated by tax laws.

But if it's email addresses you randomly harvested a decade ago, I think every man and his dog would agree that a decade is too long. Even more so if there is a material difference in permitted use of the harvested address.

P.S. There is no such thing as "good-faith things" in GDPR legislation. Please don't make shit up.