Question 13
Domain 2 — Personal Data Lifecycle ManagementWhich of the following is the MOST important consideration when determining retention periods for personal data?
Correct answer: B
Explanation
Retention periods should align with the purposes disclosed to individuals at collection, because privacy rules require organizations to tell customers how their data will be used and retained. Notice provided during data collection is the key reference point for setting a lawful retention schedule and avoiding keeping personal data longer than necessary.
Why each option is right or wrong
A. Sectoral best practices for the industry
Industry best practices are helpful guidance, but customer notice is the primary privacy commitment.
B. Notice provided to customers during data collection
Under GDPR Article 13(2)(a), when personal data are collected from the data subject, the controller must inform them of the storage period or, if that is not possible, the criteria used to determine it. That makes the collection-time notice the primary benchmark for setting retention, because the organization must be able to justify how long it keeps the data against the purposes already disclosed. Keeping data beyond that disclosed period, or without a defined criterion, risks violating the storage-limitation principle in Article 5(1)(e).
C. Data classi cation standards
Classification labels sensitivity and handling needs, not the promised retention duration.
D. Storage capacity available for retained data
Available storage affects cost and operations, not the lawful basis for keeping personal data.