How to exercise your GDPR rights

GDPR gives you the right to access your data and to have it erased, which in practice also covers narrower requests such as anonymization, but timing and context matter. Learn exactly when and how to exercise your rights.

Most people know GDPR exists. Few know what it actually entitles them to do, or when.

The result is that most people never exercise their rights at all, and companies count on that. This guide explains what GDPR actually says, where the specific time periods come from, and how to work out what you can legitimately request from any company that holds your data. A well-grounded request that shows you understand your rights is a different conversation from sending out generic templates.

GDPR does not set fixed retention periods

This surprises most people. GDPR has no article that says "delete data after X years." Article 5(1)(e), the storage limitation principle, says personal data must not be kept longer than necessary for the purpose it was collected for.

"Necessary" is deliberately vague. GDPR leaves organizations to define their own retention periods, document their reasoning, and justify it if a regulator asks. What GDPR prohibits is keeping data indefinitely with no justification, or retaining it for purposes other than the original one.

The specific numbers most people associate with GDPR, such as 7 years or 10 years, come from national tax and commercial laws that sit alongside GDPR. GDPR defers to them.

Where the actual periods come from

Different categories of data are governed by different laws, and those laws vary by country. The two categories that affect most people's everyday data trail are financial records and health records.

Financial records

Tax authorities require businesses to retain invoice and transaction records for a minimum number of years. This is the seller's obligation. As a buyer, you can request deletion of your data, but the company has a statutory defense for the invoice record itself during that window.

Across most of Europe the period is 5 to 10 years depending on the country. Switzerland and Italy sit at 10 years, Norway and Denmark at 5, the UK at 6, and most of continental Europe in the 6 to 7 year range, which makes 7 the most common figure. One detail that matters when you count: in most jurisdictions the clock does not start on the invoice date but at the end of the financial year in which the transaction took place, so the window can be up to a year longer than the headline number.

Health records

Healthcare providers, including doctors, hospitals, and pharmacists, are required to retain medical records for significantly longer periods, often 10 to 20 years depending on the country. Health data sits in a different category and is not a realistic candidate for routine deletion requests.

Everything else

For most of the data trail that actually affects people day to day, including webshops, newsletter subscriptions, software tools, forum registrations, and old accounts, there is no statutory minimum retention period. The company can only keep your data as long as they have a legitimate reason to do so. Once that reason is gone, so is their legal basis for holding it.

The question that determines what you can request

Whether you ever made a payment to a company determines what you can request and when.

No financial interaction

If you signed up for a service, subscribed to a newsletter, created an account, or registered for a forum, and no money ever changed hands, the company has no statutory defense for retaining your data beyond the original purpose. Once the purpose of collection is over, they have no legitimate basis. You can request full deletion. The one narrow exception is a suppression record: if you opted out of marketing, the company may keep the minimum needed to honour that opt-out, which is normally just your email address on a do-not-contact list, and nothing else.

Two years of inactivity is a reasonable threshold to trigger that request. There is no legal minimum you have to wait for. The weaker the engagement history, the cleaner the case. A free trial that never converted to a paid account, or a newsletter you subscribed to once and never opened, are the clearest examples. No invoice was generated, no financial record exists, and there is no retention obligation.

Financial interaction

If money changed hands at any point, the company holds invoice data that falls under their national tax retention obligation. You cannot force deletion of that record during the statutory window. What you can request is something more specific.

Tax law requires proof that a transaction happened: amount, date, applicable tax. It does not require your full personal identity to be permanently attached to that record. In a physical shop, a till receipt proves the sale without identifying you. The same principle applies to digital records of consumer purchases. (Invoices issued to a business are different: VAT rules require the customer's name and address on those, so this argument is strongest for purchases you made as a private individual.)

This means you can request that your personal details, including your name, address, payment reference, and any marketing or preference data, be anonymized or removed from the transaction record while the financial record itself remains. A specific, well-reasoned request takes the form: "I request that my personal details be anonymized from transaction records while you retain the financial data required by law." This is a scoped request with a clear legal basis, and it will get a more substantive response than a generic deletion demand.

One note on returns: a returned order generates a credit note, which is itself a financial document the seller must retain. A return does not cancel the retention obligation. For a trial that expired without any charge being made, there is no financial record and no retention obligation, so the request for full deletion applies.
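What an anonymization of this kind looks like on the seller's side, as an added example that is not part of the original article. The order schema, the sample order, and the choice of which fields count as "financial" are assumptions made for illustration; a real retention policy has to be checked against the seller's own national rules. The point the code makes that the text does not: the retained record must get a reference that is freshly generated at random, not a hash of the email or customer number, because a hash of a guessable identifier can be re-identified and is pseudonymization rather than anonymization.

```python
"""Splitting a webshop order into the financial record the seller keeps for
tax purposes and the personal data that is dropped on a scoped request.
Added example; schema and sample data are constructed, not from any real system."""

import secrets

# Constructed sample record (hypothetical schema, fictitious customer).
SAMPLE_ORDER = {
    "order_id": "A-10421",
    "date": "2019-03-14",
    "net_amount": "49.00",
    "vat_rate": "0.21",
    "vat_amount": "10.29",
    "gross_amount": "59.29",
    "customer_id": 8812,
    "customer_name": "Jane Doe",
    "email": "jane.doe@example.com",
    "billing_address": "1 Example Street, Example City",
    "shipping_address": "1 Example Street, Example City",
    "payment_reference": "pay-000123-example",
    "marketing_opt_in": True,
    "notes": "Customer asked for gift wrapping",
}

# What the tax authority needs: that a sale happened, when, and how much tax was due.
# Everything else identifies the buyer. (Assumed field list, for illustration only.)
FINANCIAL_FIELDS = frozenset(
    {"order_id", "date", "net_amount", "vat_rate", "vat_amount", "gross_amount"}
)


def anonymize_transaction(order: dict) -> tuple[dict, set[str]]:
    """Return (retained_record, removed_field_names).

    The retained record keeps only FINANCIAL_FIELDS plus an opaque reference.
    The reference comes from a CSPRNG and is not derived from any customer
    value: hashing the email or customer_id would let anyone who can guess the
    input re-identify the row, which is pseudonymization, not anonymization.
    """
    retained = {k: v for k, v in order.items() if k in FINANCIAL_FIELDS}
    retained["buyer_ref"] = secrets.token_hex(8)
    removed = set(order) - FINANCIAL_FIELDS
    return retained, removed


def contains_personal_data(record: dict, original: dict) -> bool:
    """True if any identifying value from the original order survives in record.

    Used as the check before confirming the request: the seller should be able
    to show that the retained row no longer carries any of the dropped values.
    """
    personal_values = {str(original[k]) for k in set(original) - FINANCIAL_FIELDS}
    return any(str(v) in personal_values for v in record.values())


if __name__ == "__main__":
    kept, dropped = anonymize_transaction(SAMPLE_ORDER)
    print("retained:", kept)
    print("removed:", sorted(dropped))
    print("identifiers left behind:", contains_personal_data(kept, SAMPLE_ORDER))
```

Note that `order_id` stays in the retained record, and that same identifier usually also lives at the payment processor, the shipping carrier and in support tickets. Anonymizing the seller's own row does nothing for those copies, which is why an access request, which lists recipients, belongs before the anonymization request.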

Request access before deletion

A deletion request tells a company to remove your data. An access request tells you what they actually have. If you delete first, you lose your evidence baseline. You will never know what existed, who it was shared with, or whether the deletion was complete.

The access response becomes your record. It shows you what data categories they hold, which third parties they have shared it with, and what retention periods apply to each category. That information shapes a more specific and harder-to-refuse deletion request, and gives you documentation if you need to escalate to a data protection authority. The sequence is: access first, review what they hold, then send a targeted deletion or anonymization request based on their own response.

What you can actually request, and when

No financial interaction, inactive for 2 or more years: full deletion request. The company has no remaining legal grounds to hold your data.

Financial interaction, within the seller's statutory retention window (2 to 7 years ago in most jurisdictions, up to 10 in some): anonymization request. Ask the company to retain the transaction record for tax compliance but strip your personal identifiers from it.

Financial interaction, older than the statutory window (more than 7 years ago in most European jurisdictions, more than 10 in countries such as Switzerland and Italy): full deletion request. The company no longer has a legal obligation, or a legal basis, to hold any of it.

Any relationship, more than 10 years ago: start by checking whether the company still exists. Many will not. If they do, begin with an access request, providing only the minimum information needed to find your record. Confirm what they still hold and in what form, then follow up with a full deletion request based on their response.
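The decision above, written out as a small function so the date arithmetic is explicit. This is an added example, not part of the original article. The country table holds only the retention figures the article itself lists, with 7 years as the fallback; the rule that the clock starts at the end of the calendar year of the transaction is an assumption that matches how many tax codes count, and both should be checked against the seller's national rules before you rely on them.

```python
"""Which GDPR request to send, from the relationship type and the date of the
last interaction. Added example; the retention table and year-end rule are
assumptions for illustration, not legal advice."""

from datetime import date

# Years a seller must keep invoice records, per country, as listed in the article.
# Unlisted countries fall back to DEFAULT_RETENTION_YEARS. Assumed, not authoritative.
RETENTION_YEARS = {"CH": 10, "IT": 10, "NO": 5, "DK": 5, "GB": 6}
DEFAULT_RETENTION_YEARS = 7
INACTIVITY_THRESHOLD_YEARS = 2  # the article's suggested threshold, not a legal minimum


def retention_end(last_transaction: date, country: str) -> date:
    """Last day of the statutory retention window for a transaction.

    Assumption: the window runs from the end of the calendar year in which the
    transaction took place, so 'N years' can mean up to N+1 years from the invoice.
    """
    years = RETENTION_YEARS.get(country.upper(), DEFAULT_RETENTION_YEARS)
    return date(last_transaction.year + years, 12, 31)


def recommended_request(*, paid: bool, last_interaction: date,
                        country: str, today: date) -> str:
    """Return 'wait', 'full deletion' or 'anonymization'.

    'wait' only means the article's two-year inactivity threshold has not yet
    passed; nothing in GDPR stops you from sending a request earlier.
    """
    inactive_years = (today - last_interaction).days / 365.25
    if inactive_years < INACTIVITY_THRESHOLD_YEARS:
        return "wait"
    if not paid:
        # No invoice, no statutory retention obligation: full deletion.
        return "full deletion"
    if today > retention_end(last_interaction, country):
        # Window closed: the seller has no remaining basis for the invoice either.
        return "full deletion"
    # Inside the window: the invoice stays, your identifiers do not have to.
    return "anonymization"


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for paid, last, cc in [(False, date(2022, 1, 10), "NL"),
                           (True, date(2020, 5, 1), "NL"),
                           (True, date(2017, 5, 1), "NL"),
                           (True, date(2017, 5, 1), "IT")]:
        print(paid, last, cc, "->", recommended_request(
            paid=paid, last_interaction=last, country=cc, today=today))
```

The same transaction from 2017 gets a different answer in the Netherlands (window closed, full deletion) and in Italy (still inside the 10-year window, anonymization), which is the reason the country matters more than the calendar.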

When requesting access, you can ask that personal data be transmitted securely rather than via unencrypted email. A standard email response passes your personal data through your email provider and theirs. You can request that responses be sent via a password-protected file (with the password sent through a different channel) or a secure download link. Not every company will have this capability, but the request puts the obligation on record, and it is well grounded: Article 32 requires the company to protect personal data with appropriate technical measures, which includes data it sends back to you.

What happens when you send a request

Companies are required to respond within one month of receiving your request. They can extend by a further two months for complex or numerous requests, but must tell you, with reasons, within the first month. They may also ask you to confirm your identity before acting; give them only what is needed to match you to the record, not a copy of your passport for a newsletter subscription. If they refuse, they must give a reason and inform you of your right to complain to the relevant data protection authority in your country.

A refusal citing a statutory retention obligation is legitimate if the company is within the relevant window. A refusal citing "legitimate interest" on years-old data with no active relationship is much harder to defend, and that refusal itself becomes useful evidence if you escalate.

Smaller companies often comply with anonymization requests even when they are not strictly required to, because it takes less effort than arguing about it. Larger companies with integrated systems are more likely to cite technical reasons for declining. Neither outcome is bad. Either your data gets cleaner, or you have documented evidence of a refusal that supports a follow-up complaint.

You can also request that the correspondence relating to your request be deleted after handling. A support ticket created to process your deletion request exists for one purpose: to delete your data. Once that purpose is fulfilled, there is no legitimate basis to retain it. State this explicitly in your request, so the ticket does not outlive the deletion with a copy of your data attached to it.

Reducing your exposure going forward

For purchases where identity verification is not required, paying with cash on delivery or a prepaid card means no payment processor record links the transaction to you by name. This is the digital equivalent of a physical shop transaction: the seller records the sale, not the buyer's identity. Two practical limits apply. Standard card and bank transfer payments link to your identity at the payment processor level regardless of what name you give at checkout, so this only works where the payment method itself is not tied to you. And anything shipped to your home still carries your address, so the seller and the carrier hold an identifier even when the payment does not.

For newsletter subscriptions and free registrations, using a separate email address that does not contain your name limits how much of your data trail can be cross-referenced between companies in the event of a breach. A distinct alias per company goes one step further: when an alias starts receiving mail you never asked for, you know which company shared or lost it.

Neither approach eliminates your data footprint, but both reduce what companies can link back to you without a specific request on your part.

The bigger picture

GDPR is not a button you press to erase yourself. It is a framework that gives you specific, bounded rights depending on the nature of your relationship with each company that holds your data. Understanding those boundaries is the difference between a request that gets taken seriously and one that gets filed under "standard template, no action required."

The companies that treat GDPR requests as noise are counting on most people not knowing the difference. Now you do.

If you want to act on this, tools like Paperweight can help you identify which companies hold your data, classify the relationship, and generate legally grounded requests tailored to each case.
