How Long Companies Are Allowed to Keep Your Data
There is no single universal expiry date for your personal data. A plain-language look at how retention works under UK GDPR — the storage limitation principle, why periods differ, and what you can ask about your own records.
In short
Under the UK GDPR there is no fixed number of years for how long companies can keep your data. The storage limitation principle says personal data should be kept only as long as needed for the purpose it was collected. Each organisation sets its own retention periods, justified by that purpose and any legal duty to keep records.
There is no single expiry date
One of the most common questions about personal data is also one of the most misunderstood: how long is a company actually allowed to keep it? Many people expect a single answer — a set number of years after which everything must be deleted. Under the UK GDPR there is no such universal rule. Instead, the law sets a principle and asks each organisation to apply it sensibly to its own situation.
That principle is called storage limitation. It says that personal data should be kept in a form that identifies you for no longer than is necessary for the purposes it was collected for. In everyday terms: an organisation should hold your data while it has a genuine reason to, and should not keep it indefinitely just in case. Once the purpose is gone and no other lawful reason to retain it remains, the data should be deleted or anonymised.
Because the test is tied to purpose rather than to a fixed clock, retention periods vary from one type of record to another and from one organisation to another. This is general information, not legal advice — the right way to think about a specific record is to ask what purpose justifies keeping it.
Why different records are kept for different lengths of time
The reason periods differ is that purposes differ. The data behind an order you placed may need to be kept for accounting and tax reasons long after the order itself is complete. A marketing list may only be justified while you remain a willing recipient. An account you have closed may be cleared quickly, while certain records tied to a legal obligation must be retained for a defined number of years. The organisation, acting as the data controller, is expected to set and document retention periods for each category of data it holds.
Several factors legitimately push retention longer or shorter. Some are about the organisation's own needs; others are imposed from outside by law. None of them give a company an open-ended licence to keep everything forever — each period should be justifiable against a real purpose.
The Information Commissioner's Office (ICO), the UK's data-protection regulator, expects organisations to have a retention schedule and to review data periodically rather than letting it pile up by default.
- The original purpose — data is kept while it is still needed for the reason it was collected.
- Legal or regulatory duties — some records (for example, certain financial or employment records) must be kept for a period set by other laws.
- Ongoing relationship — an active account or contract usually justifies keeping the related data.
- Consent — where processing relies on your consent, withdrawing it removes that basis for keeping the data.
- Anonymisation — once data no longer identifies you, the storage limitation principle no longer applies to it in the same way.
What this means for your own data — and what you can ask
The practical upshot is reassuring: a company should be able to explain how long it keeps your data and why. You do not have to accept silence on the point. When you exercise your right of access, one of the things the response should include is the period for which your personal data will be stored, or, if that is not possible, the criteria used to decide it. So you can ask, and you are entitled to an answer.
If you believe an organisation is holding your data longer than it needs to, you have options that you control entirely yourself. You can ask about its retention period, you can question the justification, and in many cases you can ask for erasure of specific records — your right to erasure is closely linked to storage limitation, because data kept beyond its purpose is often data that no longer needs to be held at all. The organisation still applies its own assessment and any legal duties, so an outcome is never guaranteed in advance, but the questions are yours to raise.
Seeing your own footprint in one place makes these decisions easier, because you can tell what is held before deciding what to ask about. None of this is about anyone watching or removing data on your behalf — it is simply you, understanding what an organisation keeps and routing your own request on your own terms. If a request about retention or erasure is refused and you think that is wrong, you can ask the organisation to reconsider and you retain the right to complain to the Information Commissioner's Office (ICO). This is general information, not legal advice.
Frequently asked questions
Is there a maximum number of years a company can keep my data?
Not a single universal one under the UK GDPR. The storage limitation principle ties retention to purpose rather than to a fixed number of years. Some specific records do have minimum retention periods set by other laws — for example certain tax or employment records — but there is no blanket maximum that applies to all personal data.
Can I ask a company how long it will keep my data?
Yes. When you exercise your right of access, the response should tell you how long your personal data will be stored, or the criteria used to decide that period. You can also ask about retention directly. Knowing the answer helps you decide whether to question why data is still being held.
What happens to my data when I close an account?
It depends on the organisation's retention schedule. Some data may be deleted promptly once your account is closed, while other records may be kept for a defined period to meet a legal duty or to resolve disputes. A company should be able to explain what it keeps after closure and why.
If data is kept too long, can I ask for it to be deleted?
Often, yes. The right to erasure is closely connected to storage limitation: data held beyond the purpose it was collected for is frequently data that no longer needs to be kept. You can ask, the organisation applies its own assessment and any legal obligations, and you keep the right to complain if you disagree with the result.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.