Can GDPR storage limitation requirements force you to delete records you are legally required to keep elsewhere?
Short answer
Generally, no. The GDPR’s storage limitation principle does not override a separate, valid legal obligation that requires you to keep records. Where the law independently compels retention, that obligation supplies the lawful basis to continue holding the data for as long as the requirement applies.
Why storage limitation does not force deletion
Storage limitation says personal data should be kept in identifiable form no longer than is necessary for the purposes it was collected for. But “necessary” is judged against legitimate, lawful purposes — and complying with a legal obligation is one of them. If a statute, regulation, or enforceable requirement says you must retain a record (for tax, employment, financial, litigation, or sector-specific reasons), that retention is necessary, not excessive.
The same logic answers a related question many records professionals face: a data subject’s “right to erasure” is not absolute. Erasure requests can be refused to the extent the data must be kept to satisfy a legal obligation or to establish, exercise, or defend legal claims.
The practical tension to manage
The real challenge is rarely a true conflict. It is usually about scope and discipline:
- Different data, different rules. A privacy regime may require deleting one dataset while another law requires keeping a related record. Map each obligation to the specific data it touches.
- Minimize, don’t just keep. Where you retain for a legal duty, keep only what that duty requires. Consider segregating, restricting access to, or pseudonymizing the retained data so it is no longer used for the original purpose.
- Document the basis. Your retention schedule should name the authority for each retention period and the trigger for disposition once it expires.
When a real conflict exists
Genuine cross-border conflicts (for example, a foreign retention demand versus an EU deletion right) do happen and can be legally complex. Treat these as legal-review matters, not routine disposition decisions, and resolve them with counsel rather than by defaulting to deletion.
A well-built retention schedule that reconciles privacy, legal, and operational requirements is the core control here. For more, see the retention and disposition topic hub.
Sources & further reading
Authoritative government and non-profit references.
How to cite this page
APA
RM University Editorial. (2026). Can GDPR storage limitation requirements force you to delete records you are legally required to keep elsewhere?. Records Management University. https://www.recordsmgmt.org/questions/can-gdpr-storage-limitation-force-deletion-of-required-records/
MLA
RM University Editorial. "Can GDPR storage limitation requirements force you to delete records you are legally required to keep elsewhere?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/can-gdpr-storage-limitation-force-deletion-of-required-records/.
Related questions
- Can a company be fined for keeping records longer than the law requires?
- Can any manager authorize destroying records, or does it have to be someone specific?
- Can deleting emails too soon be considered illegal spoliation of evidence?
- Can different copies of the same document have different retention periods?
- Can I just delete old records whenever I need to free up storage space?