The General Data Protection Regulation states that personal data must be kept “no longer than is necessary for the purposes for which the personal data are processed”
[Art.5(1)(e)]. This imposes a time limit on how long your customers’ data can be kept. But how do you know “how long” is “longer than necessary”?
If your customers’ data is collected for the purpose of direct marketing, part of your justification can be that you should be allowed to store data for as long as the individual could be considered a customer. So, how long after opting in or completing a purchase can the individual be considered a customer?
Home shopping sector analysis suggests that 90% of the individuals who repurchase with the same brand do so within 50 months.
This provides a starting point to justify the length of time you keep data, but you also need to consider the category your business falls into. Some re-purchases are made quickly, some are long term buying decisions so occur less frequently. Here’s a rough guide to some categories that may be helpful
Ultimately, it’s your responsibility to decide how long to keep personal data. Part of the justification could be that you keep customers’ data for around the length of time mentioned above because there is a probability the customer will re-engage with your brand within that time. Therefore, you have a legitimate interest to use direct marketing to inform the customer about your products and offers. But, an average only tells part of the story.
While the category-level analysis provides a rough benchmark, ultimately your company has its own specific time-line. If you offer products in a category with a longer than average buying lifecycle, or if your customers are very loyal, then the gap between purchases might be longer than the average for your category and you would have a case for a longer data retention time.
The information above is not exhaustive and you should seek legal advice on your specific circumstances.