
Retention periods

After participating in this component, participants can assess whether the retention periods that apply to the various processing operations on personal data meet the requirements of the GDPR. They are also able to formulate the requirements set by privacy legislation for the storage and destruction of data. This is also important in the context of tendering procedures for the purchase or development of information systems that must comply with the aforementioned principles of privacy by design and default. The participants can also assess whether the procedures and measures are sufficient to ensure that personal data is not kept longer than necessary for the purposes for which it is collected and processed, and is therefore destroyed in time.

Teacher: Robert-Jan Trüg

Start: 3 May 2023

Duration: part of the day (10:00 to 14:00)

Investment: €500 excl. VAT


Module C6 consists of one component, namely: how to properly manage the storage and destruction of personal data. The module is intended for employees working within the government as well as within the business community or other types of institutions and organizations. Since the government provides the most guidelines in the field of storage and destruction, many rules and procedures that are applied within the government will be cited as practice with the aim that employees who do not work within the government can also draw from this.

The Wbp is clear: personal data are kept in a form that makes it possible to identify the data subject no longer than is necessary for the realization of the purposes for which they are collected or subsequently processed (article 10 paragraph 1 Wbp). How is destruction then arranged? What is “no longer”? What are the retention periods? According to Article 10 paragraph 2 of the Wbp, the data may be kept for longer for historical, statistical or scientific purposes.

In the government, the storage of archive documents or archive files, whether for some time or forever, has been laid down in the selection lists pursuant to the Archives Act. The business community must determine the retention period of the archive documents itself. Unless the Archives Act or another law applies, no retention periods are attached to the personal data in an archive. That data must therefore be deleted as soon as it has lost its importance for the archive destination. It is also possible to decide to destroy the data instead of including them in an archive. If they are included in an archive, they must also be stored and therefore managed. What do you have to do for this and how do you organize it?

Obligations associated with this part

To fulfill the obligations under this section, you must:

  • Take a diagnostic test in preparation for the subject matter to be followed;
  • Take a diagnostic test after the self-study, which must be completed with a pass. This is a condition for participation in the workshop;
  • Be present during the workshop;
  • Complete a final exam with a passing mark.

Study load

The self-study takes about 16 hours, the workshop takes about 4 hours and the final exam takes about 2 hours.

Investment and sign up

After registration you will have direct access to the course in our learning environment. The total costs for the module are €500 (excluding VAT and per person). Participants of the Center for Information Security and Privacy Protection (CIP) and The Hague Security Delta receive a 15% discount on the entire training offer. Contact our service desk.

Private individuals and government institutions are exempt from VAT.


Fill in the form below and we will contact you to discuss the possibilities. Our training courses are always tailor-made. We are happy to take your specific wishes into account.
