CNIL guidance on data deletion and retention

In July 2020, the CNIL (DPA for France) published guidelines on data retention (Guide pratique – Les durées de conservation).

These reflect early CNIL recommendations from 11-Oct-2005 on the archiving of personal data.
They aim to provide practical help in defining data retention rules and periods.
Like DIN-66398 (the German industry standard on data retention/deletion), they don’t include guidance on specific data categories.

However, the CNIL does define data retention periods in separate documents (“Référentiel”). Up to now, two such Référentiels have been published for the health sector:

New Health Apps Section on

OCR launched a new feature on, titled Health Apps. This new webpage takes the place of OCR’s previous Health App Developer Portal, and is available at

The new webpage highlights OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications, including:

Five Safes Framework

The Five Safes is a framework for helping make decisions about the effective use of data which is confidential or sensitive. The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

  • projects (Is this use of the data appropriate?),
  • people (Can the users be trusted to use it in an appropriate manner?),
  • settings (Does the access facility limit unauthorised use?),
  • data (Is there a disclosure risk in the data itself?) and
  • outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

See also