As part of our partnership, the Eurêkoi service has sent us your question.
You want to know from how many months loan transaction data must be deleted according to the GDPR in the context of libraries.
We refer you to a recent response from our department to a question similar to yours:
CNIL simplified standard n°9. Questions? Answers! 03/23/2021
As we said in this answer, if the simplified standard 09″ Libraries, media libraries” produced by the CNIL is legally void, thespirit of the text remains valid, this is moreover what is indicated the title page of the NS 09 standard still disseminated by the CNIL:
Following the entry into force of the GDPR, the standards adopted by the CNIL no longer have any legal value since May 25, 2018. Pending the production of GDPR standards, data controllers can draw inspiration from it to guide their first compliance actions. However, the CNIL draws attention to the need to ensure compliance with the new rules.
Therefore, you can refer to the following paragraph (p.3.):
Data retention period
During the term of use of the loan service with respect to the identity of the borrower. Radiation must take place automatically within 1 year from the end date of the previous loan. Until the end of the 4th month following the loan object return for information about each loan. Beyond this period, the information on magnetic media are destroyed; they may only be kept on paper for the needs and duration of any litigation. Until the next verification (inventory) and within the limit of a maximum duration of 10 years concerning the consultation of archival documents.
The loan data must therefore be kept until the end of the 4th month following the return of the loan.
For further :
Library: declaration of computer files of subscribers and loans. Questions? Answers! 03/19/2020
–
