UK: How long can a company keep my personal data?
A company in the UK must not keep your personal data longer than necessary for the purpose it was collected — there is no fixed time limit, but retention must be justified and regularly reviewed.
What the Law Says
UK data protection law sets strict limits on how long organisations may store personal data.
Under the UK General Data Protection Regulation (UK GDPR), personal data must be kept 'no longer than is necessary for the purposes for which the personal data are processed' — this is known as the storage limitation principle.
The Data Protection Act 2018 supports and supplements the UK GDPR. It does not set specific time limits (e.g., '6 months' or '5 years') — instead, organisations must determine appropriate retention periods based on the purpose, legal obligations, and risks involved.
Organisations must document their retention decisions and review them regularly. They must also be able to justify why data is retained for any given period if challenged by the Information Commissioner’s Office (ICO) or an individual.
Statutory Text
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
— UK GDPR, Article 5(1)(e) — Principles relating to processing of personal data
Statutory Text
The controller shall implement appropriate technical and organisational measures to ensure that personal data is not kept for longer than necessary.
— UK GDPR, Article 25(1) — Data protection by design and by default
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.