Does GDPR override a company's own retention schedule for keeping employee or customer data?
The short answer is that GDPR does not simply “override” a retention schedule, and a retention schedule does not override GDPR. They are meant to work together. A well-built schedule reflects the law; GDPR is one of the legal inputs that shapes how long you may keep personal data about employees and customers.
What GDPR actually requires
GDPR (the EU General Data Protection Regulation) applies to personal data of individuals in the EU and EEA, and to many organizations outside the EU that handle that data. Two of its principles matter most for retention:
- Storage limitation — personal data should not be kept in an identifiable form for longer than is necessary for the purpose it was collected.
- Data minimization — you should hold only the personal data you actually need.
In practice this means GDPR sets an upper bound and a justification test. You must be able to explain why you still hold someone’s data and when you will dispose of it.
How it interacts with a retention schedule
A retention schedule is your organization’s documented decision about how long each record series is kept and what happens at the end. GDPR does not replace it — it informs it. Where they appear to conflict, work through this order:
- A specific legal retention duty wins. If another law requires you to keep certain records for a set period (tax, payroll, employment, accident records), GDPR generally recognizes that obligation as a lawful basis to retain.
- Where no law mandates retention, GDPR’s storage-limitation principle governs. You should set the shortest defensible period tied to a documented purpose, not keep data indefinitely “just in case.”
- At end of retention, dispose or anonymize so personal data is no longer identifiable.
Practical takeaways
- Treat GDPR as a driver of your schedule, alongside other statutes — not a separate, conflicting rulebook.
- Document the purpose and legal basis behind each retention period.
- Build defensible disposition into the schedule so data does not linger past its justification.
Different jurisdictions and sectors carry their own retention laws, so confirm requirements with qualified legal counsel for your situation. For related guidance, see the FOIA and public records hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Does GDPR override a company's own retention schedule for keeping employee or customer data?. Records Management University. https://www.recordsmgmt.org/questions/does-gdpr-override-a-companys-own-records-retention-schedule/
MLA
RM University Editorial. "Does GDPR override a company's own retention schedule for keeping employee or customer data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/does-gdpr-override-a-companys-own-records-retention-schedule/.
Related questions
- Am I supposed to get an acknowledgement letter after I file a FOIA request, and what should it contain?
- Are emails on a city council member's personal phone subject to state public records law?
- Are police body-camera footage and incident reports public records under state law?
- Are state university student disciplinary records subject to public records requests, or does FERPA block them?
- Can a business stop an agency from releasing its confidential information under FOIA (reverse FOIA)?