At the end of July, the Austrian Data Protection Authority ('DPA') published its first decision on retention periods applying the General Data Protection Regulation ('GDPR'; DSB-D216.471/0001-DSB/2018). The decision is final. The DPA had to decide for how long a provider of telecommunications services (hereinafter: the 'controller') may (or must) retain so-called master data, which is required for the controller's legal relationship with the user of its services (hereinafter: the 'applicant').
The controller retained the applicant's master data for ten years. The controller claimed that retaining such data was lawful on the basis of section 207 (2) of the Austrian Federal Fiscal Code (BAO).
The second sentence of section 207 (2) BAO is a provision containing a period of limitation. In cases of tax evasion, the tax authority may determine the amount of tax to be levied within ten years from the end of the calendar year. According to the DPA, retaining data on the basis of the limitation period in that provision was not in compliance with the GDPR, because limitation periods do not contain legal obligations to retain records. By contrast, retaining master data for seven years was considered lawful, because section 132 BAO obliges the controller to retain certain books and records for seven years.
In this particular case, it has to be considered that the DPA's decision was driven by a specific telecommunications provision, namely section 97 (2) TKG 2003. This provision explicitly allows data storage only for certain purposes, such as compliance with a legal obligation. Driven by that provision, the DPA refused to accept that a provision on a period of limitation (such as section 207 (2) BAO) has the quality of a "legal obligation". However, it is apparent that the regulator is hesitant to accept periods of limitation as a basis for data storage in all cases. It remains to be seen how this case law will evolve insofar as periods of limitation are concerned.