Manages retention exception workflows including request approvals, duration limits, periodic reviews, documentation, and audit trails to enforce GDPR storage limitation and prevent data hoarding.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin data-retention-skillsThis skill uses the workspace's default tool permissions.
Retention exceptions are formal, time-limited deviations from the approved data retention schedule. While the retention schedule defines default retention periods based on legal basis and processing purpose, legitimate business or legal circumstances may require retaining specific data beyond the scheduled period. Without a rigorous exception management process, exceptions become a mechanism fo...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Retention exceptions are formal, time-limited deviations from the approved data retention schedule. While the retention schedule defines default retention periods based on legal basis and processing purpose, legitimate business or legal circumstances may require retaining specific data beyond the scheduled period. Without a rigorous exception management process, exceptions become a mechanism for indefinite data hoarding that undermines the storage limitation principle under GDPR Article 5(1)(e). This skill defines the governance framework for requesting, approving, monitoring, and expiring retention exceptions.
The storage limitation principle requires that personal data not be kept longer than necessary. Any extension beyond the retention schedule must be justified and documented. Exceptions must be genuinely necessary, proportionate, and time-limited.
The controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles. Retention exceptions must be documented with sufficient detail to demonstrate that each exception is justified and proportionate.
Time limits should be established by the controller for erasure or for periodic review. Exceptions to these time limits must themselves be subject to periodic review.
| Category | Description | Maximum Duration | Approval Level |
|---|---|---|---|
| Legal hold | Litigation, regulatory investigation, or audit requiring data preservation | Duration of legal proceedings + 6 months | Legal Counsel (mandatory) |
| Regulatory requirement | New or updated regulatory requirement mandating extended retention not yet reflected in the schedule | Until schedule is updated (max 6 months) | DPO + Legal |
| Contractual obligation | Contract requires retention beyond default period | Duration of contractual obligation + limitation period | Business Owner + DPO |
| Ongoing dispute | Unresolved customer complaint or dispute not yet escalated to formal proceedings | 12 months (renewable) | DPO |
| Business continuity | Data needed for system migration, audit, or disaster recovery beyond normal period | 6 months (non-renewable without re-application) | IT Director + DPO |
| Research/statistical | Data needed for research or statistical purposes under Art. 89(1) | Duration of research project + 6 months | DPO + Research Lead |
| Public interest archiving | Data has archiving value in the public interest | Indefinite (with annual review) | DPO + Board approval |
The following are NOT legitimate grounds for retention exceptions:
RETENTION EXCEPTION REQUEST — Orion Data Vault Corp
-----------------------------------------------------
Request Reference: RET-EXC-2026-0014
Date Submitted: 2026-03-14
Requestor: [Name, Title, Department]
SECTION 1: DATA IDENTIFICATION
- Data Category (from retention schedule): [CAT-XXX]
- Specific data set / records: [Description]
- Number of data subjects affected: [Count or estimate]
- Current retention period: [Per schedule]
- Scheduled deletion date: [YYYY-MM-DD]
SECTION 2: EXCEPTION REQUEST
- Requested extension period: [Specific duration — NOT "indefinite"]
- Proposed new deletion date: [YYYY-MM-DD]
- Exception category (from table above): [Select one]
SECTION 3: JUSTIFICATION
- Detailed explanation of why the extension is necessary:
[Minimum 200 words — must address specific legal, regulatory,
contractual, or operational necessity]
- What would the consequence be if the data were deleted on schedule?
[Specific, concrete consequences — not speculative]
- What alternatives to retention were considered?
[e.g., anonymization, aggregation, partial deletion]
- Why were alternatives rejected?
[Specific reasons]
SECTION 4: PROPORTIONALITY ASSESSMENT
- Is the full data set needed, or can it be minimized?
[Detail which fields/records are genuinely needed]
- Can the data be pseudonymized during the exception period?
[Yes/No — if No, explain why]
- What access restrictions will be applied during the exception?
[Detail access controls]
- What is the sensitivity level of the data?
[Standard personal data / Special category / Financial / etc.]
SECTION 5: SUPPORTING DOCUMENTATION
- [Attach legal opinion, regulatory notice, contract clause, etc.]
Requestor Signature: _________________________
Date: _________________________
The DPO conducts an independent assessment of the exception request:
DPO ASSESSMENT — RETENTION EXCEPTION
-------------------------------------
Request Reference: RET-EXC-2026-0014
DPO: [Name]
Assessment Date: [YYYY-MM-DD]
NECESSITY TEST:
□ Is the exception genuinely necessary for the stated purpose?
□ Has the requestor demonstrated specific (not speculative) consequences of deletion?
□ Is the exception category legitimate per the approved framework?
PROPORTIONALITY TEST:
□ Is the requested duration proportionate to the stated need?
□ Has data minimization been applied (only necessary data retained)?
□ Are adequate access restrictions in place during the exception?
□ Has pseudonymization been applied where feasible?
LEGAL BASIS CHECK:
□ Does a valid legal basis exist for continued processing during the exception?
□ If the original legal basis was consent, has the data subject been informed?
□ Are any data subject rights affected (pending Art. 17 requests)?
RISK ASSESSMENT:
- Risk to data subjects from extended retention: [Low/Medium/High]
- Risk to organization from not retaining: [Low/Medium/High]
- Balance: [Retain / Delete / Partial retention]
RECOMMENDATION:
□ APPROVE — as requested
□ APPROVE WITH CONDITIONS — [specify conditions]
□ APPROVE REDUCED DURATION — [specify reduced period]
□ REJECT — [specify reasons]
DPO Signature: _________________________
Date: _________________________
| Exception Category | Required Approvals | Escalation |
|---|---|---|
| Legal hold | Legal Counsel (mandatory) | N/A — legal holds are mandatory |
| Regulatory requirement | DPO + Legal Counsel | Board if regulation impacts >10,000 data subjects |
| Contractual obligation | Business Owner + DPO | Legal Counsel if contract value >£500K |
| Ongoing dispute | DPO | Legal Counsel if dispute may escalate to litigation |
| Business continuity | IT Director + DPO | CTO if >6 months or >50,000 records |
| Research/statistical | DPO + Research Lead | Ethics Committee if special category data |
| Public interest archiving | DPO + Board approval | External legal opinion required |
Approved exceptions are recorded in the Retention Exception Register:
RETENTION EXCEPTION REGISTER — Orion Data Vault Corp
(Extract — Active Exceptions as of 2026-03-14)
┌──────────────────┬────────────────┬──────────┬──────────────┬──────────────┬────────────┬─────────────┐
│ Exception Ref │ Data Category │ Records │ Original │ Extended │ Category │ Next Review │
│ │ │ Affected │ Deletion │ Deletion │ │ │
├──────────────────┼────────────────┼──────────┼──────────────┼──────────────┼────────────┼─────────────┤
│ RET-EXC-2025-008│ CAT-003 Trans. │ 12,400 │ 2025-12-31 │ 2026-06-30 │ Regulatory │ 2026-03-31 │
│ │ Records │ │ │ │ (FCA audit)│ │
├──────────────────┼────────────────┼──────────┼──────────────┼──────────────┼────────────┼─────────────┤
│ RET-EXC-2026-003│ CAT-006 Appli- │ 340 │ 2026-01-15 │ 2026-07-15 │ Ongoing │ 2026-04-15 │
│ │ cant Data │ │ │ │ dispute │ │
├──────────────────┼────────────────┼──────────┼──────────────┼──────────────┼────────────┼─────────────┤
│ RET-EXC-2026-011│ CAT-002 Cust. │ 85,200 │ 2026-03-01 │ 2026-09-01 │ Business │ 2026-06-01 │
│ │ Account Data │ │ │ │ continuity │ │
│ │ │ │ │ │ (migration)│ │
└──────────────────┴────────────────┴──────────┴──────────────┴──────────────┴────────────┴─────────────┘
| Trigger | Action |
|---|---|
| Scheduled review date reached | Reassess necessity and proportionality; renew, reduce, or expire |
| Exception duration 75% elapsed | Alert to requestor and DPO — prepare renewal or deletion |
| Exception duration 100% elapsed | Automatic deletion unless renewal approved before expiry |
| Underlying circumstance resolved | Immediate reassessment — e.g., litigation concluded, migration completed |
| Data subject complaint | DPO review of specific exception affecting complainant |
| Annual retention schedule review | All active exceptions reviewed as part of annual schedule review |
[Exception Review Date Reached]
│
▼
[DPO Retrieves Exception Record]
│
▼
[Reassess Necessity]
│
├── Underlying circumstance still active?
│ ├── Yes ──► [Reassess proportionality and duration]
│ └── No ──► [Expire exception — schedule deletion within 30 days]
│
├── Can scope be reduced?
│ ├── Yes ──► [Minimize — delete non-essential records, pseudonymize remainder]
│ └── No ──► [Document why full scope still needed]
│
└── Has maximum allowable duration been reached?
├── Yes ──► [Expire exception — escalate if requestor objects]
└── No ──► [Renew with updated justification]
│
▼
[Update Exception Register]
[Notify requestor of outcome]
[Schedule next review date]
The DPO prepares a quarterly report for the Board containing: