Audit modelGDPR Retention Period Analysis Grid
GDPRCNIL
Analysis grid to identify the time periods applicable to data processing, in accordance with the guide on retention periods established by the CNIL.
1. Context
1.1. Does the document, file or application contain personal data?
1.2. What treatment is involved?
1.3. What is the objective (purpose) of this processing?
1.4. What are the elements that can be useful in determining the duration?
E.g.: presence of sensitive data, applicable legal or regulatory environment, etc.
1.5. Does the data fall under the regime of public archives?
That is, archives produced by a public structure or a private structure in charge of a public service mission?
2. Common use
2.1. Does a text (legislative or regulatory) impose a duration for this treatment?
2.2. What is the scope of this obligation?
2.3. What personal data is affected by this obligation?
2.4. How long should they be kept in the active base?
2.5. Is it a minimum or maximum duration?
2.6. Is it a deletion or retention obligation?
2.7. How long is the data needed to achieve the stated objective (purpose)?
2.8. Are there any recommendations from the CNIL (see duration guidelines) or sectoral recommendations for this processing?
3. Intermediate archiving
3.1. At the end of the current period of use, is there a legislative or regulatory requirement to archive this data?
3.2. What personal data or categories of data are affected by this archiving requirement?
3.3. What is the duration of the text?
3.4. Is the data of administrative or legal interest?
For example: protect yourself from specific litigation
3.5. You must securely anonymize or destroy all data.
However, for public archives: after the authorization of the person in charge of the scientific and technical control over the archives
3.6. What is the duration to be retained according to the objective of this archiving and the modalities of the treatment?
3.7. What data is relevant to the purpose of the archive?
3.8. During this period, who will be specifically authorized to access the data stored in the intermediate database?
4. Final archiving
4.1. At the end of the intermediate archiving, are the data of such interest that they should not be destroyed in accordance with the provisions of the heritage code?
4.2. What data is affected by this permanent archiving?
4.3. You must contact the archive service territorially competent for the compulsory deposit.
4.4. It is necessary to proceed to the destruction of the data after obtaining the authorization of the person in charge of the scientific and technical control of the public archives.
Created at:01/01/2023
Updated on :07/29/2024
License : © Creative commons :
Attribution / Pas d'utilisation commerciale
CC-BY-NC
Attribution / Pas d'utilisation commerciale
CC-BY-NC
author :