Why retention rules vary by country

Article 18 of the EU Whistleblower Directive sets a 'necessary and proportionate' standard but does not pick a number. National transpositions chose different rules: Germany's HinSchG §11(5) sets 3 years from closure; Italy's D.Lgs. 24/2023 leaves the period to be 'necessary' (ANAC reads as 5 years); Spain's Ley 2/2023 sets 10 years for criminal-proceeding cases; the others fall in between. A multinational running across these jurisdictions needs the matrix below.

Can retention be shorter than the national rule?

No. The national rule is the floor. Cases closed early can be deleted earlier only where they had no substantive content; otherwise the minimum applies. Retention can be longer where pending legal proceedings or regulatory inquiries require it.

What is the audit-log stub retention?

Audit-log stubs (timestamps and event types, without content) are retained for 7 years to demonstrate Article 18 compliance after the underlying case content has been deleted. The stub does not contain personal data of the reporter beyond pseudonymised event identifiers.

Free template · Updated May 2026

Whistleblower Channel Retention Schedule

A retention schedule mapping each data category to a defined period under each jurisdiction's transposition of EU Directive 2019/1937. Ready to adopt as part of the broader data-protection retention policy.

1. Default minimums by jurisdiction

Jurisdiction	Default retention from closure	Source
Germany	3 years	HinSchG §11(5)
France	Closure + 3 years (closed without follow-up); longer with proceedings	Décret n° 2022-1284
Italy	5 years (necessary period, ANAC Linee guida)	D.Lgs. 24/2023 Art. 14
Spain	10 years (criminal proceedings); 3 years (other)	Ley 2/2023 Art. 9
Netherlands	Necessary and proportionate; no fixed period	Wbk + AVG general principle
Ireland	5 years recommended	Protected Disclosures Code of Practice
Belgium	5 years from closure	Wet/Loi van 28 november 2022
Portugal	5 years from closure	Lei n.º 93/2021
Sweden	2 years from closure	Lag (2021:890)
Finland	5 years from closure	Whistleblower Protection Act 1171/2022
Denmark	5 years from closure	National Act 2022
Austria	5 years from closure	HSchG
UK (Public Interest Disclosure Act amendments)	6 years (limitation period)	PIDA + Limitation Act 1980

2. Retention by data category

Data	Retention	Trigger for deletion
Report content (text)	Per jurisdiction (section 1)	Case closure date + retention period
Attachments uploaded with reports	Per jurisdiction (section 1); special-category content shorter where viable	Case closure date + retention period
Reporter pseudonyms and case-channel communications	Same as report content	Case closure date + retention period
Audit log entries (full)	7 years from event date	Event date + 7 years
Audit log stubs (timestamps and event type only)	Indefinite within reasonable proportionality; reviewed every 10 years	Periodic review
Staff identity (case handler, manager) for case-handling purposes	Duration of role + 6 years	End of role + 6 years
Authentication logs (sign-ins, failed attempts)	12 months	Rolling 12-month window
Backups containing case data	30 days rolling	Daily expiry
Aggregate de-identified statistics (for trend analysis)	Indefinite	No deletion (no personal data)

3. Special category data

Where the case content includes special category data (Article 9 GDPR : health, sexual orientation, religion, political opinion, trade-union membership, genetic, biometric), the retention is reduced to the shortest period consistent with the jurisdiction's mandate. After case closure, the special-category attachment is reviewed; non-essential special-category material is redacted from the active record while the substantive findings are preserved.

4. Cases pending or relating to legal proceedings

Where the case relates to ongoing criminal, civil, or administrative proceedings, retention is extended to the conclusion of those proceedings plus the limitation period in the relevant jurisdiction. The extension is recorded in the case file with the legal basis.

5. Retention review workflow

Cases approaching the retention horizon are surfaced 90 days in advance by the case-management system.
The Head of Compliance (or delegate) reviews each case for any reason to extend (pending litigation, regulatory hold, ongoing remedial action).
For cases approved for deletion, the system executes deletion on the scheduled date and writes an audit-log entry recording the deletion.
The audit-log entry preserves the case code, the deletion date, and the legal basis; it does not retain the content.
Backups containing the deleted case content expire on the standard 30-day cycle.

6. Exceptions and overrides

Override	Authority	Documentation
Legal hold (litigation)	General Counsel	Written hold notice in case file
Regulatory hold	Head of Compliance	Written hold notice with regulator reference
Reporter request for early deletion	DPO	Article 17 GDPR analysis (see our guide)
Cross-border retention longer than local rule	DPO + Head of Compliance	Joint Controller Agreement reference

7. Audit and review

This Schedule is reviewed annually and after any change in national whistleblower law affecting retention. A quarterly sampling of deletions and extensions is performed by Internal Audit.

Owner: [DPO name]. Adopted: [yyyy-mm-dd]. Next review: [yyyy-mm-dd].