The legally compliant preservation of electronic documents and personal data protection law are not parallel tracks: they are two distinct regimes that bear on the same process and must coexist. The most frequent point of tension is time. Article 5(1)(e) GDPR imposes limits that interact – sometimes in contradictory ways – with the sector-specific retention periods under the TUB, anti-money laundering rules, MiFID II and DORA. For banks and intermediaries, reconciling the two regimes is a governance choice that is tested in supervisory inspections and litigation.
Preservation is “processing”
In the vast majority of cases relevant to a supervised entity, an electronic document contains personal data. The definition in Article 4(1) GDPR is broad and, in light of Recital 26, extends to indirect identifiability: an IBAN or a unique client code, even without an accompanying name, remains personal data. The account agreement, the transparency disclosure letter, the bank statement, the contact centre recording, the anti-money laundering report, the customer due diligence form, and the home banking access log are, at the same time, legally significant instruments and structured collections of personal data.
The consequence follows from the legislation itself: Article 4(2) GDPR expressly lists “storage” among the processing operations. All the principles of Article 5 and the obligations flowing from them therefore apply in full to document preservation – the information notice (Articles 13-14), the records of processing activities (Article 30), the data protection impact assessment where risk is high (Article 35), security measures (Article 32), legal basis (Article 6), and data subject rights (Articles 15-22). In operational terms, this requires the preservation manual (paragraph 4.5 of the AgID Guidelines) and the records of processing activities (Article 30) to be aligned: same timeframes, same security measures, same chain of sub-processors. Where they diverge, the supervised entity is exposed on two fronts – before the supervisory authority and before the Data Protection Authority.
That the two regimes do not absorb each other is confirmed by a now-established case: in its decision of 13 April 2023, No. 128 (web doc. 9888438), the Garante sanctioned an institution that, having revoked a credit card on the basis of an external database used for anti-money laundering purposes, had neither responded to an access request under Article 15 GDPR nor provided an adequate information notice. The AML legal basis (Article 6(1)(c)) legitimises the retention, but does not absorb the transparency and access obligations – a principle confirmed by the Court of Justice of the EU in C-579/21 (Pankki S, 22 June 2023).
Data retention: Article 5(1)(e) as the closing parameter
Data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes” (Article 5(1)(e)). The provision does not prohibit retention beyond a given period: it prohibits retention in identifiable form for longer than necessary – a distinction that opens the door to anonymisation, which is permitted indefinitely.
For supervised entities, sector-specific sources each set their own document retention period (Article 119 TUB; Articles 31-32 of Legislative Decree 231/2007, read together with EU Regulation 2024/1624; Article 2220 of the Civil Code; MiFID II and Commission Delegated Regulation EU 2017/565; DORA, EU Regulation 2022/2554). Against this framework, Article 5(1)(e) operates as a closing parameter: it can correct downward periods that are disproportionate to the purpose, but does not extend them beyond what is strictly necessary. The existence of a legal obligation legitimises retention, but does not automatically legitimise retention for X years. Consistently, the retention period must appear – and coincide – in three places: the information notice (Articles 13-14), the records of processing (Article 30(1)(f)), and the preservation manual (paragraph 4.5 of the AgID Guidelines). It is the discrepancy between these documents that triggers any supervisory review.
The Garante has established two clear rules on how retention periods must be determined. First: the information notice cannot simply reproduce the text of Article 5(1)(e) – clauses such as “for the duration of the relationship and for the periods required by law” no longer pass an audit (decision of 28 July 2022, web doc. 9843603) and must be replaced with concrete indications, broken down by category of data and purpose. Second: retention periods must be determined by specific purpose, and not by applying a single timeframe to heterogeneous categories of data (a “block criteria” approach), as confirmed in a consistent line of decisions on geolocation, former employees’ logs and email metadata (among others, web docs. 9263597/2020 and 9920814/2023). Extension remains possible, but must be both requested and justified, including as to its duration: in the leading case (preliminary review of 18 April 2018, No. 233, web doc. 8997404), the Garante reduced marketing data retention from 15 to 10 years, requiring erasure or “permanent and irreversible” anonymisation upon expiry.
In summary, a defensible retention policy maps by category of data (not by document type) onto the Article 30 records; associates each category with a legal basis, purpose and justified retention period; applies the longest period only to the minimum data necessary; defines the cessation method (erasure, irreversible anonymisation or segregated archiving under Article 89); and makes erasure demonstrable through logs and records, automating it where possible (EDPB Guidelines 4/2019). Retention that cannot be documented during an inspection is, in itself, a breach.
The right to erasure and credit erasure in CIS
For supervised entities, the right to erasure is almost always a balancing exercise between the obligation to retain and the right to deletion. Article 17 GDPR sets out the grounds for erasure (paragraph 1) but also the relevant exceptions (paragraph 3), including compliance with a legal obligation (point (b)) and the establishment, exercise or defence of legal claims (point (e)); where erasure is not possible, restriction of processing under Article 18(1)(b) remains available. On delisting, the Court of Justice of the EU has defined the scope from Google Spain (C-131/12, 2014) through to TU and RE v. Google (C-460/20, 2022), which placed the burden of proving inaccuracy on the requester. The model of historical newspaper archives (Garante, web doc. 9577346/2021) is useful from an operational standpoint: erasure can be achieved through segregation of the archive (de-indexing, restricted access) rather than deletion – an Article 89 approach that banks can replicate for datasets relating to inactive customers.
The most common scenario is credit erasure in credit information systems. The matter is governed by the CIS Code of Conduct (Garante decision of 12 September 2019, No. 163, web doc. 9141501): the maximum retention periods (Article 6) run from the end of the conduct in question and are graded by severity – up to sixty months for unsettled arrears – beyond which any adverse listing is unlawful. The regime of the Bank of Italy’s Central Credit Register (Circular No. 139/1991) is distinct, being based on the persistence of risk rather than fixed time limits: when faced with a complaint, the first step is therefore to identify which system applies. The Court of Cassation, in a line of decisions favourable to the “rehabilitated” debtor (among others, No. 33013/2018 and No. 16358/2020), allows for erasure even before the expiry of the maximum periods where qualifying circumstances are present.
Operational implications
The operational message is that documentary compliance is not exhausted by correctness in the legally compliant preservation process, nor by isolated fulfilment of GDPR obligations: it plays out at the point of contact between the two regimes. Aligning the preservation manual with the processing records, determining retention periods by concrete purpose, designing erasure and anonymisation as automated and demonstrable processes, and pre-configuring the incident notification matrix: this is what distinguishes compliance understood as governance from compliance reduced to documentary box-ticking – and a position that holds up under inspection and in court from one that collapses at the first audit.