Principles relating to processing
How should the principle of lawfulness, correctness and transparency be met?
The principle requires that the data subject be fully informed about the data processing. The controller must provide the data subject with the information required under Arts. 13-14 GDPR, which includes, among other things, the purposes and means of processing, the storage period, the legal basis for processing, and the rights the data subject can exercise in order to learn the features of the processing, to object to it, or to ask for its restriction or for other information about it. An internal procedure that defines how to deal with such requests is fundamental to meeting this principle (e.g. who replies, how to reply, what information to collect in order to reply, and how to record the rights exercised by the data subject in the filing system).
What are the criteria to determine the storage limit of data?
The GDPR sets out that data identifying the data subject should be stored for no longer than is necessary for the purposes for which they have been collected and, therefore, are processed. The storage limit should be indicated in the information provided under Arts. 13-14 GDPR and in the records of processing activities. If it is not possible to determine the storage limit precisely (e.g. one year), the criteria used to determine the period must be explained. Where laws or regulations provide a specific storage period (e.g. accounting data should be stored for 10 years in Italy), that period should be respected. Otherwise, the controller should decide the criteria applied to determine the storage periods and document that decision in writing, in compliance with the principle of accountability. The storage period therefore depends on the features of the processing, including the purposes pursued by the controller and the duration of processing needed to achieve those purposes.