Comment by kolektiv

5 hours ago

Yeah, that's fair enough, and it is annoying that there is rarely a specific time set in regulation (or even case law which is broadly applicable). Most regulatory bodies will tend to say things like "as short as required/possible" for retention, which is clearly open to interpretation [0].

I would personally see 10 years as "a long time" in this kind of context (although that may be contextual depending on what your product does, obviously). If you can honestly claim/show good faith, that is usually acknowledged, but my point was rather how it would be seen out of the blue from an organisation that has been silent for 10 years (my personal first thought would be "why the hell have they still got my information?", but I am well aware that I'm not the average).

Genuinely, I don't mean to imply bad faith on your part, only to suggest the reactions it may receive, and how careful you should be with your messaging.

[0]: https://commission.europa.eu/law/law-topic/data-protection/r...