GDPR: how long may I store research data containing personal data?

The General Data Protection Regulation (GDPR) stipulates that personal data can't be kept longer than necessary to achieve the purposes for which they're processed (see the ‘storage limitation’ principle).

Managing and administering your research data, including when it involves personal data, falls under Research Data Management (RDM). RDM includes all activities necessary to ensure that data in your research are secure and easy to find, understand, and (re)use. 

The RDM Policy framework of Ghent University requires that research data be kept for a minimum of 5 years after the work based on these data has been published and/or after the research project has ended unless otherwise stipulated either by legal, contractual, ethical or other specific obligations, or by requirements of external research funders.

In the context of scientific research, personal data may be kept longer, provided that appropriate technical and organisational measures are taken to protect the rights and freedoms of the data subject.



Last modified Nov. 15, 2023, 2:36 p.m.