Comment by traceroute66

3 hours ago

>Is there an actual regulation or case law showing what the cutoff time is de jure? I would be glad to respect it if there was.

I'm sorry but what sort of BS excuse is that?

The whole point is that YOU are supposed to know: a) What data you have b) What you need it for

It is simply not possible for data protection law to spell out an exact cut-off time because there are so many permutations.

For example, if it's for tax reasons then you need to keep it for the duration dictated by tax laws.

But if it's email addresses you randomly harvested a decade ago, I think every man and his dog would agree that a decade is too long. Even more so if there is a material difference in permitted use of the harvested address.

P.S. There is no such thing as "good-faith things" in GDPR legislation. Please don't make shit up.