According to the GDPR, personal data must be stored in a form that permits identification of data subjects only for as long as is strictly necessary for the purposes of the processing. At the same time, there are many legal regulations that make it necessary to keep the data for a long time. This storage limitation is a “personal data processing principle“. Violations of these regulations fall under the GDPR 83 (5) into the category with the highest penalties.
It is therefore important to specify for all processing operations how long the data will be retained and how deletion or anonymization of the data can be ensured.
Longer storage is permitted, subject to the implementation of appropriate technical and organizational measures, for archiving purposes exclusively in the public interest, for scientific and historical research purposes or for statistical purposes.
For Austria, the following retention obligations are relevant, among others:
I Accounting, tax and customs law:
- Obligation to keep records in accordance with tax law
§ 132 Abs 1 BAO
: 7years beyond that as long as they are of importance for the tax authority in pending proceedings) - Obligation under company law to keep records in accordance with
§§ 190, 212 UGB
: 7years - Obligations to keep records under value added tax law
according to § 18 Abs 10 UStG
(special provision for real estate): 22 years - Obligation to keep records under value added tax law in accordance with
§ 18 Abs 2 3. subparagraph
: 7 years - Records according to § 23 para. 2 Customs Law Implementation Act: 5years
II Contracting:
- Warranty according to § 933 ABGB: 2 years (movable objects), 3years (immovable objects)
- Purchase price claim for movable property according to § 1062 iVm § 1486 ABGB: 3years
- Purchase price claim for immovable property (e contrario § 1486 ABGB): 30 years
- Claims of rent and leasehold interest according to
§ 1486 ABGB
: 3years - Claims arising from a contract for work and services pursuant to
§ 1486
ABGB (if the service was rendered within the scope of a commercial or other business operation): 3 years - General damages according to
§ 1489 ABGB
(compensation claims): 3years (if damage and injuring party are known) /otherwise 30 years (concerns in particular also accidents at work!) - Liability claims according to § 13 PHG: 10 years
III Labor Relations:
- Entitlement to the issue of a certificate of employment according to § 1163 iVm § 1478 ABGB: 30 years
- Employment relationship according to ABGB (subsidiary to the Salaried Employees Act): Claims of the employee and claims of the employer for remuneration, advance payment and all other claims arising from the employment relationship according to § 1153 ff iVm 1486 ABGB: 3 years
- Employer’s rights of recourse against employee based on compensation for damages arising from employee liability pursuant to § 6 DHG in conjunction with § 1489 ABGB: 3 years
- Accounting-related employee data: same as accounting.
- Liability for severance payment claims and company pensions after transfer of business according to § 6 para. 2 AVRAG: 5 years.
- Limitation of social security contributions according to
§ 68 ASVG
: 3resp. 5 years - Limitation of claims for payment according to § 1486 Z 5 ABGB: 3years
- Time limit for asserting general claims under the GlbG ((§§ 15 para. 1, 29 para. 1: e.g. differential payment, compensation for personal impairment, damages, inclusion in company training and further training, discrimination in other working conditions): 3years
- Records and reports on occupational accidents according to § 16 ASchG: 5years
IV Industry-specific Deadlines:
- Money laundering regulations according to § 365y GewO, § 51 BiBuG, § 21 Financial Market Money Laundering Act (FM-GWG): 5years
- Correspondence and business records of credit agencies according to § 152 GewO: 7years
- Waste records according to § 17 AWG iVm § 3 Abfallnachweisverordnung (ANV): 7 years
- Storage of consignment bills according to § 18 Abs 1 AWG 2002 iVm §8Abfallnachweisverordnung: 7years
- Retention obligations according to Art 36 of EU Regulation 1907/2006 (REACH Regulation): min. 10 years
- Retention of medical records and documentation in accordance with. § 51 para. 3 ÄrzteG: 10 years
- Retention of medical records in hospitals pursuant to. § 10 para. 1 Z 3 KaKuG: 30 years; X-rays, video recordings and other components of medical records whose probative value is not 30 years, as well as for outpatient treatment: 10 years
- Treatment documentation of medical masseurs and therapeutic masseurs according to § 3MMHmG: 10 years
- Retention of the budget book as well as the receipts for personal care workers according to § 160 GewO: 2years
- Guest directory sheet collections according to § 19 para. 5 Registration law-Implementing Regulation: 7 years
- Weekly report sheet according to § 4 Abs 4 Wochenberichtsblatt-Verordnung (training of young people to become drivers): 1year after termination of the apprenticeship relationship
- Storage of driver logbooks, driving times, etc. in accordance with §§ 17 Para. 5, 17b AZG: 24 months
- Retention of tachograph record sheets or data recorded by the recording equipment according to § 103 para. 4 KFG: 2 years
- Retention of working time records of train personnel according to § 18k AZG: 1 year
- Retention obligation for logbooks to prove the use of trial license plates according to § 45 para. 6 KFG: 3 years
- Storage obligations regarding speedometers, tachographs and odometers according to § 24 KFG: 2 years
- Obligation to keep the type certificate list according to § 30 KFG: 10 years
- Records of the training course of each learner driver after § 64b para. 8 and 8a Motor Vehicle Act Implementing Ordinance (KDV): 3 years
- Retention obligations of the temporary employment agency regarding temporary workers according to § 13 AÜG: 5years
You can find further deadlines under: WKO DSGVO storage and retention periods.
This list was updated on 15.1.2018. With this list we want to help you to find the relevant legal norms concerning the retention obligations. However, we cannot guarantee that the list is complete or accurate. We have set the links to the RIS so that wherever possible the latest version of the relevant law is displayed.
We are working on a list for Germany and UK. If you found errors or have information to complete this list, please let us know.
The EasyGDPR Online Assistant for the GDPR documentation contains this list. You can document the storage period and the legal reasons for the selected storage period with one mouse click.