You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Your company/organisation must also ensure that the data held is accurate and kept up-to-date.
Data kept for too long without an update
Your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment and who, in exchange for your intermediary services, pay you a fee. You plan to keep the data for 20 years and you take no measures for updating the CVs. The storage period doesn’t seem proportionate to the purpose of finding employment for a person in the short to medium term. Moreover, the fact you don’t request updates to CVs at regular intervals renders some of the searches useless for the person seeking employment after a certain amount of time (for instance because that person has gained new qualifications).
- Article 5(1)(e) and Recital (39) of the GDPR