May I retain customer data for 10 years?
Tax data must be retained for 7 years (Dutch Tax Act Art. 52). Marketing/CRM data: until consent is withdrawn. Indefinite retention is a breach of the GDPR storage limitation principle.
"Customer data" consists of many different data types with different retention periods (see also storage limitation).

Standard NL retention periods:
- Financial administration (invoices, payments, VAT): 7 years under Dutch Tax Act Art. 52 (10 years for real estate).
- Customer account (login, profile): contract duration plus a maximum of 2 years for administrative settlement.
- Marketing data (newsletter, profiling): until consent is withdrawn.
- Dutch anti-money-laundering (anti-ML) client research: 5 years after the end of the relationship.
- Pension data: 50+ years (Pensions Act).
- CCTV footage: maximum 4 weeks (AP).
- Application data (rejected): 4 weeks (NVP); with consent, 1 year.

Is 10-year retention legal? Only for:
- (a) Real estate administration.
- (b) Specific statutory duties (e.g. medical record 20 years WGBO).
- (c) Pending civil proceedings (5+ years).

For regular CRM data, 10 years is not substantiated.

What to do?
- Build a RoPA (records register) with retention per data type.
- Set up an automatic deletion procedure.

A customer can ask via Art. 15 what retention applies; having no solid answer is a GDPR violation.

Fines 2023-2025: multiple cases against businesses retaining data "forever" (€50k-€500k).