What is storage limitation? (GDPR Art. 5(1)(e))

Storage limitation (GDPR Art. 5(1)(e)): personal data must be kept in a form permitting identification "no longer than necessary for the purposes". Practically: retention period set in advance per processing. Standard Dutch retention periods: applicant data (rejected) = max 4 weeks (NVP) — with consent 1 year. Customer data (active contract) = contract duration. Tax administration = 7 years (Dutch Awr Art. 52). Personnel file = 2 years post-employment (NVP) — exception payroll admin 7 years. Municipal CCTV = max 4 weeks (Municipalities Act 151c). Medical record = 20 years after last treatment (Dutch WGBO). Marketing data = duration of consent or objection. What must the business do? Record retention periods in RoPA, automatically delete + anonymise, minimise breach risk by holding less data. Pseudonymisation does not extend the period — it remains personal data (see pseudonymisation). Anonymisation does — then GDPR no longer applies. AP fines 2023-2025: multiple cases against businesses retaining data "forever" without justification. For you as a consumer: in access request explicitly ask "what is the retention period for this specific data?" — must answer under Art. 15.