Document review: a retention policy, paragraph-cited
Your counsel or DPO needs a defensible review of the company's data-retention policy — every finding pinned to the exact paragraph it concerns, hash-anchored so it stays checkable after the next revision.
How the gateway answered
Captured 2 July 2026 — a point-in-time run; corpora and tools have been updated since.
Upload our data-retention policy and run a document review against GDPR storage-limitation requirements and Swedish practice. Cite the exact paragraph of the policy for every finding, and the regulatory basis from the sources — flag anything you can't ground.
register_document_init(filename="nordbram-retention-policy-v2.1.md" mime_type="text/markdown" file_size=3037)→ Error: documents_service_error: 415 (unsupported media type)register_document_init(filename="nordbram-retention-policy-v2.1.md" mime_type="text/markdown" file_size=3037)→ Retry — same error: documents_service_error: 415register_document_init(filename="nordbram-retention-policy-v2.1.md" mime_type="text/plain" file_size=3037)→ OK — document_id 1ad7b053-cf78-4e53-b11c-0ec85fb0da68 (DOC-GEKG), presigned PUT URL returned; bytes then PUT via curl with Content-Type text/plain, HTTP 200register_document_finalize(document_id="1ad7b053-cf78-4e53-b11c-0ec85fb0da68")→ status=ready, source SHA-256 5448b09c624cc817790ba2e21eea994f82fa03429ffc71fb5339bf8dc65300b2start_workflow(workflow_type="review" entity_description="Nordbram Logistics AB — review of data-retention poli…" jurisdictions=[SE, EU])→ workflow_id 1df0135f-7ebf-411b-9c80-a2b8d975cb25 started; first step upload.provide_documentsubmit_response(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" step_id="upload.provide_document" responses=[object Object] user_acknowledged=true)→ Rejected — at least 1 document must be registered to the workflow first (register_document)Show all 33 tool calls
get_document_segments(document_id="1ad7b053-cf78-4e53-b11c-0ec85fb0da68")→ Segment outline returned: 1 section + 32 paragraph refs (0.p1–0.p32) with char ranges and content hashesregister_document(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" document_id="1ad7b053-cf78-4e53-b11c-0ec85fb0da68" role="evidence")→ Bound to workflow, binding_id adb3c0c4-b84c-44d2-8e43-babf4b428e9dsubmit_response(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" step_id="upload.provide_document" responses=[object Object] user_acknowledged=true)→ Accepted — next step review.findingsget_current_step(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25")→ review.findings: requires summary, findings (id/title/observation/severity/evidence_references with doc:// paragraph URIs), recommendationssearch(query="storage limitation retention of personal data" jurisdictions=[SE, EU] frameworks=[GDPR] limit=10)→ 10 results: GDPR art_5, CJEU ECLI:EU:C:2022:805 (C-77/21 Digi), EDPB Guidelines 4/2019 relevant; rest off-topicsearch_guidance(query="retention periods storage limitation personal data de…" jurisdictions=[SE, EU] limit=10)→ EDPB Guidelines 4/2019 with quotable retention passage; remaining hits (CERT-SE newsletters etc.) irrelevantget_provision(jurisdiction="EU" law="GDPR" article="5")→ Full text of GDPR Art. 5 incl. 5(1)(b),(c),(e) and 5(2) accountability; canonical GDPR:art_5get_provision(jurisdiction="EU" law="GDPR" article="17")→ Full text of GDPR Art. 17 right to erasure incl. 17(1)(a), 17(3)(b),(e); canonical GDPR:art_17search_guidance(query="kamerabevakning lagringstid inspelat material" jurisdictions=[SE] limit=8)→ No relevant guidance — single CERT-SE newsletter hit onlysearch(query="gallring personuppgifter arbetssökande rekrytering" jurisdictions=[SE] limit=8)→ Indirect hits (GDPR art-88/recital-155, Swedish propositions); no quotable provision on applicant-data retention periodssearch(query="räkenskapsinformation arkivering sju år bokföringslag…" jurisdictions=[SE] limit=8)→ Bokföringslagen (1999:1078) surfaced incl. lookup ref; prop 2017/18:149 notes archiving period shortened 10→7 yearsget_provision(canonical_ref="1999:1078:7:2" jurisdiction="SE")→ Full text bokföringslagen 7 kap. 2 §: räkenskapsinformation kept until end of 7th year after calendar year fiscal year closedget_decision(jurisdiction="EU" canonical_ref="ECLI:EU:C:2022:805")→ CJEU C-77/21 Digi (2022-10-20): Art. 5(1)(b)+(e), purpose/storage limitation, retention period in light of purposessearch(query="kamerabevakning inspelat material bevarande" jurisdictions=[SE] limit=8)→ IMY 'Vägledning vid kamerabevakning' (2021:2) surfaced with lookup ref; also prop 2017/18:231 and HFD camera casesget_provision(canonical_ref="imy:vagledning-vid-kamerabevakning" jurisdiction="SE")→ Catalogue entry only (title/date/URL) — no substantive retention-duration text retrievablesearch(query="diskrimineringslagen preskription talan arbetssökande…" jurisdictions=[SE] limit=8)→ Only indirect refs (SFS 1999:678 § 50 cross-referencing diskrimineringslagen 2008:567); 1 source temporarily unavailable; no quotable limitation-period provisionresolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="Customer account data and shipment records are retain…")→ valid=true, paragraph fidelity, hash 97eef893...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="CVs, cover letters, and interview notes of unsuccessf…")→ valid=true, paragraph fidelity, hash 10fbdd14...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="All staff email accounts are archived in full...")→ valid=true, paragraph fidelity, hash 826355a8...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="Backup media are retained according to the backup rot…")→ valid=true, paragraph fidelity, hash f63cf6e2...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="Paper records are stored in the Gothenburg archive ro…")→ valid=true, paragraph fidelity, hash 3b01dcaf...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="Camera recordings from terminal and warehouse premise…")→ valid=true, paragraph fidelity, hash 089b61ad...resolve_document_segment(uri="doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/pa…" quote="Electronic data is deleted using the standard deletio…")→ valid=true, paragraph fidelity, hash e839cc33...submit_response(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" step_id="review.findings" responses=[object Object] evidence_references="[7 doc:// URIs + 6 regulatory URLs]" user_acknowledged=true)→ Accepted — next step review_handoff.user_reviewget_current_step(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25")→ review_handoff.user_review: server-enforced human gate, requires user_approvedsubmit_response(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" step_id="review_handoff.user_review" responses=[object Object] user_acknowledged=true)→ Accepted — next step report.generategenerate_report(workflow_id="1df0135f-7ebf-411b-9c80-a2b8d975cb25" format="json")→ Report generated: 7 findings (1 critical/3 major/3 minor), 7 recommendations, 13 provenance entries, all doc hashes verified, drifted=falseCompliance Review Report — Nordbram Logistics AB Data Retention Policy v2.1
| Entity | Nordbram Logistics AB (fictional Swedish logistics company) |
| Document | nordbram-retention-policy-v2.1.md (DOC-GEKG, source SHA-256 5448b09c624cc817790ba2e21eea994f82fa03429ffc71fb5339bf8dc65300b2) |
| Workflow | Document Review (Paragraph-Cited), 1df0135f-7ebf-411b-9c80-a2b8d975cb25 |
| Jurisdictions | SE, EU (framework: GDPR) |
| Generated | 2026-07-02T20:26:22Z |
| Approval | User-review gate passed — "approved by operator for capture" |
Summary
The document is Nordbram Logistics AB's Data Retention Policy v2.1 (approved 2025-11-04), covering personal data of employees, applicants, customers, carrier partners and visitors across Sweden and Norway. The policy states the correct general principle (retention only as long as necessary), but several concrete rules contradict it: indefinite retention of unsuccessful applicants' data, blanket 10-year full email archiving, discretionary postponement of disposal, and undefined backup and physical-archive schedules. Measured against GDPR Art. 5(1)(e) (storage limitation), Art. 17 (erasure), CJEU C-77/21 (Digi) and EDPB Guidelines 4/2019, the policy needs one critical and several major corrections; the 7-year bookkeeping-based periods are broadly aligned with bokföringslagen (1999:1078) 7 kap. 2 § but are applied too widely.
Severity profile: 1 critical · 3 major · 3 minor.
Findings
F-1 · CRITICAL …
Every claim traces to a source you can open
A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 6 sources — official legislation, guidance from standards bodies or regulators, and case_law — each a link you or your auditor can open and check. Nothing here is generated.
- GDPR (Regulation (EU) 2016/679), Art. 5 — incl. 5(1)(b) purpose limitation, 5(1)(c) data minimisation, 5(1)(e) storage limitation, 5(2) accountability (canonical ref GDPR:art_5)EU · regulation · eur-lex.europa.eu
- GDPR (Regulation (EU) 2016/679), Art. 17 — right to erasure, incl. 17(1)(a), 17(3)(b), 17(3)(e) (canonical ref GDPR:art_17)EU · regulation · eur-lex.europa.eu
- CJEU, Case C-77/21, Digi Távközlési és Szolgáltató Kft. v NAIH, judgment of 20 October 2022, ECLI:EU:C:2022:805 (CELEX 62021CJ0077)EU · case_law · eur-lex.europa.eu
- EDPB Guidelines 4/2019 on Article 25 — Data Protection by Design and by Default (retention-limitation passage on Art. 25(2))EU · guidance · edpb.europa.eu
- Bokföringslagen (1999:1078) 7 kap. 2 § — bevarandetid för räkenskapsinformation (until end of the seventh year after the calendar year in which the fiscal year closed), as amended by Lag (2024:342)SE · regulation · riksdagen.se
- IMY (Integritetsskyddsmyndigheten), Vägledning vid kamerabevakning, rapport 2021:2 (2021-05-26) — catalogue entry only; specific storage-duration text not retrievable via gateway this sessionSE · guidance · imy.se
Run this on your own data
Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.