Can the expiration of the data retention period for personal data collected and processed for marketing and profiling purposes based on the data subject's consent coincide with the potential withdrawal of consent?
According to what was recently established by the Italian Data Protection Authority, with the Decision dated 18 July 2023, it would seem not.
With this Decision, the Authority has indeed fined a leading telecommunications company, which had set the expiration date of the data retention period for marketing and profiling purposes based on the consent of the data subject as the date of (possible) withdrawal of such consent.
According to the Data Protection Authority, these retention periods, even if determined by the data controller in the exercise of its accountability, appear to be excessively extended, especially considering the general rule regarding retention periods already recommended by the Data Protection Authority in its decision dated 14 February 2005 (i.e., 24 months for marketing purposes and 12 months for profiling purposes).
The Authority has specified that, while valuing the principle of accountability, it cannot be concluded that a data controller, based on this principle which needs to be balanced with other fundamental principles under the GDPR, can deviate excessively from the provisions of the 2005 Decision without running the risk of violating the principle of data minimization.
As a result, the retention of data processed for marketing purposes until the date of consent withdrawal is considered inappropriate because it could potentially result in an indefinite duration, as the data subject may never change their will or maintain it unchanged for years.
This decision seems to modify - but only at first glance - the previous opinion expressed by the same Authority with the Decision dated 15 October 2020, under which individual data controllers are required to determine, on a case-by-case basis and based on their accountability, how long it is lawful to process personal data for marketing or profiling purposes in accordance with the various principles of lawfulness, proportionality, necessity, minimization, and limitation of retention as outlined in Article 5 of the GDPR. In that case, based on that principle, the reasons given by the data controller to justify a data retention period for marketing purposes "until consent is withdrawn" were recognized as valid.
In the hope of any further clarification from the Authority, it would seem more appropriate to adhere to the "general rule" expressed in the 2005 Decision, unless there are valid reasons that, in the exercise of one's accountability, can justify a longer retention period.