How long can personal data be retained according to the Data Privacy Act?

Personal data retention under the Data Privacy Act is strictly guided by the principle of purpose limitation, which states that personal data can only be retained for as long as necessary for the specific purposes for which the data was collected. This means that organizations must regularly review their data holdings and ensure that they do not retain personal information longer than needed to achieve the original intent of its collection.

Retaining personal data indefinitely, regardless of security measures, contradicts this principle since it could lead to unnecessary risks or breaches of privacy. Similarly, a blanket maximum retention period, such as ten years, does not align with the flexible and purpose-centric approach established by the Act. Finally, while data subjects have rights regarding their personal information, including requesting deletion, this does not dictate a retention period but rather highlights individual autonomy over personal data.