Javascript is required
logo-dastralogo-dastra

Audit modelGDPR Retention Period Analysis Grid

GDPRCNIL
Analysis grid to identify the time periods applicable to data processing, in accordance with the guide on retention periods established by the CNIL.

1. Context

1.1. Does the document, file or application contain personal data?
1.2. What treatment is involved?
1.3. What is the objective (purpose) of this processing?
1.4. What are the elements that can be useful in determining the duration?

E.g.: presence of sensitive data, applicable legal or regulatory environment, etc.

1.5. Does the data fall under the regime of public archives?

That is, archives produced by a public structure or a private structure in charge of a public service mission?

2. Common use

2.1. Does a text (legislative or regulatory) impose a duration for this treatment?
2.2. What is the scope of this obligation?
2.3. What personal data is affected by this obligation?
2.4. How long should they be kept in the active base?
2.5. Is it a minimum or maximum duration?
2.6. Is it a deletion or retention obligation?
2.7. How long is the data needed to achieve the stated objective (purpose)?
2.8. Are there any recommendations from the CNIL (see duration guidelines) or sectoral recommendations for this processing?

3. Intermediate archiving

3.1. At the end of the current period of use, is there a legislative or regulatory requirement to archive this data?
3.2. What personal data or categories of data are affected by this archiving requirement?
3.3. What is the duration of the text?
3.4. Is the data of administrative or legal interest?

For example: protect yourself from specific litigation

3.5. You must securely anonymize or destroy all data.

However, for public archives: after the authorization of the person in charge of the scientific and technical control over the archives

3.6. What is the duration to be retained according to the objective of this archiving and the modalities of the treatment?
3.7. What data is relevant to the purpose of the archive?
3.8. During this period, who will be specifically authorized to access the data stored in the intermediate database?

4. Final archiving

4.1. At the end of the intermediate archiving, are the data of such interest that they should not be destroyed in accordance with the provisions of the heritage code?
4.2. What data is affected by this permanent archiving?
4.3. You must contact the archive service territorially competent for the compulsory deposit.
4.4. It is necessary to proceed to the destruction of the data after obtaining the authorization of the person in charge of the scientific and technical control of the public archives.
Created at:01/01/2023

Updated on :07/29/2024

License : © Creative commons :
Attribution / Pas d'utilisation commerciale
CC-BY-NC AttributionPas d'utilisation commerciale

author :
Dastro Naute
Dastro Naute



Access all our audit templates

Try Dastra now to access all of our audit templates that you can customize for your organization.It's free and there's no obligation for the first 30 days (no credit card required)

Build my audit
Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.