Features | Calmony Sanctions Monitor | Updated March 12, 2026

GDPR Data Retention Enforcement (GDPR-11)

Overview

GDPR Article 5(1)(e) — the storage limitation principle — requires that personal data is not retained for longer than is necessary for the purpose for which it was collected. This page documents the compliance finding raised under control GDPR-11, the gap identified, and the planned remediation approach for the platform.

The Problem

Retention periods for the following data categories are defined in the platform's privacy documentation:

| Data Category | Documented Retention Period |
| --- | --- |
| Usage analytics | 2 years |
| Cookie consent records | Duration of the consent period |

However, no automated mechanism exists to enforce these retention periods. Without enforcement, data will accumulate indefinitely unless users manually trigger deletion. This represents a gap against GDPR Art. 5(1)(e) and poses regulatory risk.

Planned Remediation

The remediation for GDPR-11 is a scheduled data retention enforcement job that runs on a monthly cadence, implemented as either a GitHub Actions workflow or a Vercel cron function.

Job Responsibilities

  1. Delete or anonymise usage analytics that are older than 2 years.
  2. Purge cookie consent records that have exceeded their consent period.
  3. Identify and surface records that are approaching their retention limit, so the compliance team can review them before automated action is taken.

Implementation Principles

  • The job will reuse the existing soft-delete and anonymisation logic already present in the GDPR delete endpoint, ensuring consistent data handling across manual and automated flows.
  • All purge actions will be logged for auditability.
  • The job should be idempotent — safe to run multiple times without unintended side effects.
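
An added example (not the platform's own code) of one job run covering the three responsibilities and the idempotency and audit-logging principles above. The record fields (`createdAt`, `consentExpiresAt`, `userId`, `retentionAppliedAt`), the in-memory store and the 30-day review window are assumptions.

```javascript
// Added illustration: record shapes, field names and the 30-day window are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const REVIEW_WINDOW_MS = 30 * DAY_MS; // assumed "approaching limit" window

// Expiry under the documented periods; null when no rule applies.
function expiryOf(r) {
  if (r.category === 'usage_analytics') {
    const d = new Date(r.createdAt);
    d.setUTCFullYear(d.getUTCFullYear() + 2); // documented: 2 years
    return d;
  }
  if (r.category === 'cookie_consent') return new Date(r.consentExpiresAt);
  return null;
}

// One run over `records` (in-memory stand-in for the data store).
function enforceRetention(records, now) {
  const audit = [];  // one entry per purge action, for the audit log
  const review = []; // surfaced to the compliance team, not acted on
  for (const r of records) {
    if (r.retentionAppliedAt) continue; // already processed: re-runs are no-ops
    const expiry = expiryOf(r);
    if (!expiry || Number.isNaN(expiry.getTime())) {
      // A missing or unparseable date compares false and would be kept forever.
      review.push({ id: r.id, reason: 'no_usable_expiry' });
    } else if (expiry <= now) {
      const action = r.category === 'usage_analytics' ? 'anonymise' : 'purge';
      if (action === 'anonymise') r.userId = null; // drop the identifying field
      r.retentionAppliedAt = now.toISOString();    // soft-delete marker
      audit.push({ id: r.id, action, expiry: expiry.toISOString(), at: r.retentionAppliedAt });
    } else if (expiry - now <= REVIEW_WINDOW_MS) {
      review.push({ id: r.id, reason: 'approaching_limit', expiry: expiry.toISOString() });
    }
  }
  return { audit, review };
}

// Constructed sample records, not real data.
function sampleRecords() {
  return [
    { id: 'a1', category: 'usage_analytics', createdAt: '2024-01-10T00:00:00Z', userId: 'u1' },
    { id: 'a2', category: 'usage_analytics', createdAt: '2024-03-20T00:00:00Z', userId: 'u2' },
    { id: 'a3', category: 'usage_analytics', createdAt: '2025-06-01T00:00:00Z', userId: 'u3' },
    { id: 'c1', category: 'cookie_consent', consentExpiresAt: '2026-02-01T00:00:00Z' },
    { id: 'c2', category: 'cookie_consent' }, // consent expiry missing
  ];
}
```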

Current Status

⚠️ Finding raised — remediation not yet implemented.
Until the automated job is in place, operators should manually review data retention using the GDPR delete endpoint.

Related

  • GDPR Article 5(1)(e) — Storage Limitation Principle
  • GDPR-11 Compliance Control
  • Internal: GDPR Delete Endpoint (soft-delete / anonymisation logic)