News Item

ENISA publishes new study on securing personal data in the context of data retention

Published on December 10, 2013

ENISA's new report aims at providing a set of recommendations for a common European approach on the security measures that should be taken in relation to retained data, taking into account existing specifications on security measures.

The new study provides the results of (a) a survey on the national implementation of the Data retention legislation in six selected Member States on the requirements regarding technical and organisational security measures and the implementation of the data security principles that are provided for in the Directive, and (b) a state-of-the-art analysis of the security measures proposed for the protection of personal data collected and stored in the context of the DRD.

Data Retention Directive:

In the case of the Data Retention Directive being revised, ENISA makes the following recommendations to the European Commission for consideration in the context of the DRD Review process:

  • Include clear references to minimum security requirements for personal data protection. State-of-the-art security frameworks have already been developed; changing the security mechanisms is neither easy nor inexpensive, but minimum security requirements should nevertheless be imposed.
  • A clear and realistic threat model should be considered, including also the reference to “deliberate” destruction, loss or alteration, storage, processing, access or disclosure.
  • Take into account the recently published measures applicable to the notification of personal data breaches included in the EC regulation (EU) No 611/2013 when specifying the appropriate technical and organisational security protection measures for retained data.
  • Smaller companies have difficulty complying with data retention obligations, and providers may consider outsourcing models for the storage of the retained data, which can potentially take place in third countries outside the EU. There should be no discrimination regarding the quality of personal data protection, but the costs of implementing the required security measures should be taken into consideration.
  • Take into account the risks inherent in outsourcing the storage of retained data and provide clear rules on whether and, if so, how providers shall be allowed to outsource the storage of retained data.
  • Provide clear instructions on the procedures that have to be followed at the end of the retention period, when the data are to be deleted securely. ENISA could support this by preparing guidelines for this purpose.
  • Include clear provisions on audits of compliance with the security measures that are taken for the retained data, specifying the time period within which an audit should be carried out and the entity that should perform the audit (this recommendation shares the opinion of the Art 29 WP).
  • Harmonise the time period within which the retained data have to be transmitted to the competent authorities.
  • Harmonise the sanctions that can be imposed when companies do not comply with the data security principles.


For the full ENISA report: Securing personal data in the context of data retention


Data retention legislation has been adopted to address concerns related to national security and serious criminal activity. The legislation provides access to communication data for law enforcement purposes. However, according to the Data Retention Directive (DRD), personal data collected, stored or in any way processed in most European Union (EU) Member States (MSs) needs to be securely protected, to meet the requirements of data protection legislation.

The transposition of the Data Retention Directive, published in 2006, into national legislation has been, and still is, a challenging task. In light of the review of the Data Retention Directive, an evaluation of the Directive was scheduled by the European Commission (EC) for 2010, aimed at assessing the application and the impact of its implementation for different stakeholders. Following a request by the Directorate General Home Affairs (DG HOME) of the EC, ENISA is supporting this process; ENISA (a) assessed the current implementation of data security measures for data retention in selected Member States and provides "best practice" recommendations in this respect and (b) provides state-of-the-art recommendations for security measures in the context of data retention reform.



