What Is a Retention Schedule?

Retention schedule - definition

A retention schedule is a formal list of retention periods and rules for deletion or archiving applied to defined categories of information. In the context of personal data management and video or image materials, it serves as documented proof of compliance with the GDPR storage limitation principle under Article 5(1)(e) as well as the data minimisation principle. This definition is well established in records and information management standards, including ISO 15489-1:2016 and the privacy extension ISO/IEC 27701:2019, which support documenting retention criteria, responsible data controllers, and enforcement mechanisms.

When applied to the anonymisation of images and video recordings, a retention schedule describes the full lifecycle of source files, anonymised versions (e.g. after blurring faces and vehicle licence plates), technical metadata, intermediate files, and processing logs. It specifies when raw footage must be permanently deleted, when anonymised material may be retained, and how to demonstrate the irreversibility of anonymisation. EDPB Guidelines 3/2019 on video devices explicitly link data retention to purpose limitation and the storage limitation principle, without setting universal timeframes - the retention period must be derived from a documented assessment and a valid legal basis.

The role of a retention schedule in image and video anonymisation

In practice, Data Protection Officers (DPOs) and security teams implement a retention schedule as part of the end-to-end processing chain. This includes capturing footage, transferring it to an on-premise environment, detecting and blurring faces or licence plates using deep learning models, quality validation, export, and final deletion. Where dedicated AI models are trained for face or licence plate detection, the retention schedule must also cover training and validation datasets, including rules for their acquisition, storage, and secure destruction after model training.

In on-premise anonymisation tools, the retention schedule clearly distinguishes between source material and anonymised output. In many cases, anonymised versions may be stored for a longer period, provided the process meets anonymisation criteria defined in Article 29 Working Party Opinion WP216 and includes a documented re-identification risk assessment.

Retention technologies and implementation

Implementing retention in image and video processing requires consistent technical controls. Beyond formal policies and records of processing activities, automated retention enforcement and secure data destruction after expiry are critical. Below are the most common components used in on-premise environments.

  • Storage layer: WORM partitions, lifecycle policies in S3-compatible object storage, and differentiated storage classes for raw and anonymised data.
  • Databases and metadata: TTL columns, reconciliation cron jobs, and irreversible hashes used as integrity proofs.
  • Deletion and sanitisation: Cryptographic erasure, overwriting compliant with NIST SP 800-88 Rev. 1, and audit logs linked to case identifiers.
  • Orchestration: Workflows that bind processing purpose to deletion deadlines, including exception states and legal holds.

When using tools for blurring faces and licence plates, it should be noted that automated detection typically applies only to these two object classes. Other elements of an image may require manual marking, which in turn creates separate retention cycles for working files and editing masks. The absence of real-time processing simplifies retention enforcement, as operations are batch-based and fully logged within the administrator’s controlled environment.

Key retention parameters and metrics

To make a retention schedule measurable and auditable, it is advisable to define parameters that can be technically monitored. The table below outlines typical attributes and their verification methods.

| Attribute | Description | Verification |
|---|---|---|
| Data category | Raw video, intermediate frames, anonymised output, metadata, logs | Records of processing, directory structure |
| Legal basis | Justification of purpose and retention period | DPIA, privacy notices |
| Retention period | Defined timeframe per category and purpose | Retention policy linked to ROPA |
| Purge latency | Time between expiry and permanent deletion | Metrics from deletion jobs |
| Media sanitisation | Method of data destruction after retention | NIST SP 800-88 compliant procedures |
| Exceptions | Litigation holds, incident investigations | Exception register with legal justification |
| Deletion evidence | Reports and file checksums | Audit logs, trusted timestamps |
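An added example (not part of the original page or of any tool it describes) showing how the controls listed under "Retention technologies and implementation" and the attributes in the table above combine in one batch sweep: expiry per data category, a legal-hold exception, purge latency, and a checksum-based deletion record. The retention periods, item names, timestamps and hold reference are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed periods per data category (assumptions, not values the page prescribes).
RETENTION_DAYS = {"raw_video": 90, "intermediate": 7, "anonymised": 365}

@dataclass
class Item:
    item_id: str
    category: str
    created: datetime
    content: bytes        # stands in for the stored file
    legal_hold: str = ""  # exception-register reference; empty means no hold

def evaluate(item, now):  # returns (decision, expiry): 'retain', 'hold' or 'purge'
    if item.category not in RETENTION_DAYS:
        # An unclassified file has no deadline: surface it, do not keep it silently.
        raise ValueError(f"no retention rule for category {item.category!r}")
    expiry = item.created + timedelta(days=RETENTION_DAYS[item.category])
    if now < expiry:
        return "retain", expiry
    return ("hold" if item.legal_hold else "purge"), expiry

def sweep(items, now):  # one batch run; returns audit records for purged and held items
    audit = []
    for item in items:
        decision, expiry = evaluate(item, now)
        if decision == "retain":
            continue
        rec = {"item_id": item.item_id, "category": item.category, "decision": decision,
               "expired_at": expiry.isoformat(), "swept_at": now.isoformat()}
        if decision == "hold":
            rec["hold_ref"] = item.legal_hold
        else:
            rec["sha256"] = hashlib.sha256(item.content).hexdigest()  # before deletion
            rec["purge_latency_s"] = int((now - expiry).total_seconds())
            item.content = b""  # placeholder for the real sanitisation step
        audit.append(rec)
    return audit

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock
T0 = datetime(2024, 2, 1, tzinfo=timezone.utc)   # constructed ingest time
def sample_items():  # constructed inventory
    return [Item("cam1", "raw_video", T0, b"raw-bytes-1"),
            Item("cam2", "raw_video", T0, b"raw-bytes-2", legal_hold="HOLD-0001"),
            Item("anon1", "anonymised", T0, b"blurred-bytes")]

if __name__ == "__main__":
    print(*sweep(sample_items(), NOW), sep="\n")
```

The held item produces an audit record without being touched, so the exception register and the deletion log can be reconciled against each other; the purge latency value is the metric to alert on when deletion jobs fall behind.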

Storage capacity planning can be based on a simple estimation model, where key variables include data inflow rate and retention period.

estimated_capacity = (MB_per_day_ingest × retention_days × replication_factor) ÷ compression_ratio

These parameters support the design of storage class policies and thresholds for automated archiving or deletion, without imposing arbitrary retention periods.

Within the European Union, there is no single fixed retention period for video recordings. The GDPR requires that data be kept for the shortest period necessary to achieve the intended purpose. In Guidelines 3/2019 on video devices, the EDPB emphasises that retention must be justified and proportionate to the risks involved. Sector-specific regulations may, however, impose explicit limits. In Poland, the Labour Code provides that employer CCTV recordings should not be retained for longer than three months, unless the footage constitutes evidence in legal proceedings, in which case retention may be extended until the final resolution of the case (Article 22² §3).

The status of vehicle licence plates as personal data varies by jurisdiction. Supervisory authorities and case law increasingly treat licence plates as personal data where there is a realistic possibility of linking them to an identifiable individual. A well-designed retention schedule should take this divergence into account, adopting a cautious approach documented in a DPIA, particularly for recordings captured in public spaces.

Practical examples for DPOs

Before implementing specific rules, data flows and risks should be carefully analysed. The following scenarios illustrate common retention decisions in image anonymisation projects.

  • Workplace CCTV: Raw footage is used for security purposes and tied to statutory limits under labour law. Anonymised versions prepared for sharing with contractors or for training purposes may be retained longer, provided the blurring process removes any realistic possibility of identification.
  • Evidentiary projects: Where a video segment constitutes legal evidence, the retention schedule triggers an exception with a deletion hold until proceedings are concluded. For disclosure to third parties, anonymised versions are used, with deletion deadlines specified in data processing agreements.
  • Training face and licence plate detection models: Training datasets containing images of individuals require clearly defined retention periods and a documented legal basis. After training is completed, datasets are destroyed in accordance with NIST SP 800-88, while model weights generally remain, as they do not constitute personal data.
  • On-premise operations: The retention schedule differentiates between input material, intermediate files from manual editing, and final output. The tool does not store detection logs containing personal data, limiting the scope of retained categories within the application. Full control over deletion remains with the data controller.

Normative references and sources

  • GDPR - Article 5(1)(e), storage limitation principle. Official text: EUR-Lex, 2016, https://eur-lex.europa.eu/eli/reg/2016/679/oj.
  • EDPB, Guidelines 3/2019 on the processing of personal data through video devices, adopted 29 January 2020.
  • ISO 15489-1:2016, Information and documentation - Records management - Part 1: Concepts and principles. ISO, 2016, https://www.iso.org/standard/62542.html.
  • ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. ISO/IEC, 2019, https://www.iso.org/standard/71670.html.
  • NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, December 2014, https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final.
  • Polish Labour Code, Article 22² §3 - retention of employer CCTV recordings. Consolidated text: Journal of Laws 2023, item 1465, ISAP.
  • Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques (WP216), 10 April 2014.