{
  "workflow_id": "1df0135f-7ebf-411b-9c80-a2b8d975cb25",
  "document_id": "1ad7b053-cf78-4e53-b11c-0ec85fb0da68",
  "entity_description": "Nordbram Logistics AB — fictional Swedish logistics company; review of data-retention policy v2.1 against GDPR storage-limitation requirements and Swedish practice",
  "generated_at": "2026-07-02T20:26:22.050844+00:00",
  "summary": "The document is Nordbram Logistics AB's Data Retention Policy v2.1 (approved 2025-11-04), covering personal data of employees, applicants, customers, carrier partners and visitors across Sweden and Norway. The policy states the correct general principle (retention only as long as necessary), but several concrete rules contradict it: indefinite retention of unsuccessful applicants' data, blanket 10-year full email archiving, discretionary postponement of disposal, and undefined backup and physical-archive schedules. Measured against GDPR Art. 5(1)(e) (storage limitation), Art. 17 (erasure), CJEU C-77/21 (Digi) and EDPB Guidelines 4/2019, the policy needs one critical and several major corrections; the 7-year bookkeeping-based periods are broadly aligned with bokföringslagen (1999:1078) 7 kap. 2 § but are applied too widely.",
  "findings": [
    {
      "id": "F-1",
      "title": "Indefinite retention of unsuccessful job applicants' data",
      "observation": "Section 6 states: \"CVs, cover letters, and interview notes of unsuccessful applicants are retained indefinitely in the HR system so that candidates can be considered for future opportunities.\" Indefinite retention is directly incompatible with GDPR Art. 5(1)(e), which requires that personal data be \"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed\" (GDPR:art_5, retrieved via get_provision). EDPB Guidelines 4/2019 on Art. 25 add: \"The controller shall limit the retention period to what is necessary for the purpose. If personal data is no longer necessary for the purpose of the processing, then it shall be deleted\". Retention for speculative future recruitment is a different purpose from the completed recruitment and needs its own lawful basis and defined period. NOTE (unresolved): the commonly referenced Swedish practice benchmark (retaining rejected-applicant data ~2 years to defend discrimination claims under diskrimineringslagen) could not be grounded in a specific provision via the gateway in this session; the gateway surfaced only indirect references (e.g. SFS 1999:678 § 50 cross-referencing diskrimineringslagen 2008:567 rules on preskription). The finding stands on Art. 5(1)(e) alone.",
      "severity": "critical",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p14",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
        "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-2",
      "title": "Blanket 10-year full-content email archiving for all staff",
      "observation": "Section 9 states: \"All staff email accounts are archived in full. Email archives are retained for ten (10) years for all staff regardless of role, to support potential dispute resolution and internal investigations.\" Undifferentiated full archiving of all mailboxes for 10 years regardless of role conflicts with GDPR Art. 5(1)(e) (storage limitation) and Art. 5(1)(c) (data minimisation: data must be \"adequate, relevant and limited to what is necessary\") (GDPR:art_5, retrieved). CJEU C-77/21 Digi (ECLI:EU:C:2022:805, retrieved via get_decision) confirms that the retention period must be assessed in the light of the purposes for which the data were collected; 'potential dispute resolution' for every mailbox does not establish necessity for a uniform 10-year period.",
      "severity": "major",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p20",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
        "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62021CJ0077"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-3",
      "title": "Discretionary postponement of disposal on 'may still be useful' grounds",
      "observation": "Section 14 states: \"Disposal of customer data may be postponed if a department head indicates the data may still be useful.\" 'Usefulness' is not a lawful retention criterion. GDPR Art. 5(1)(b) limits further processing to purposes compatible with those of collection, Art. 5(1)(e) requires deletion once data is no longer necessary, and Art. 17(1)(a) obliges the controller to erase personal data \"without undue delay\" where \"the personal data are no longer necessary in relation to the purposes for which they were collected\" (GDPR:art_17, retrieved). Retention beyond the schedule is only permissible on defined legal grounds such as Art. 17(3)(e) (establishment, exercise or defence of legal claims), which requires a concrete assessment, not a department head's indication of usefulness.",
      "severity": "major",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p30",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_17",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-4",
      "title": "Backup retention unbounded and deletion not propagated to backups",
      "observation": "Section 11 states: \"Backup media are retained according to the backup rotation schedule maintained by IT Operations. Data deleted from production systems remains in backups until the relevant media are recycled.\" The policy sets no maximum backup retention period and defers entirely to an external rotation schedule, so the effective retention of deleted personal data is undefined. Under GDPR Art. 5(1)(e), storage limitation applies to all copies, including backups, and Art. 17(1) requires erasure \"without undue delay\"; an open-ended 'until media are recycled' rule cannot demonstrate compliance (Art. 5(2) accountability: the controller must \"be able to demonstrate compliance\") (GDPR:art_5 and GDPR:art_17, retrieved).",
      "severity": "major",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p24",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_17"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-5",
      "title": "No defined retention or disposal schedule for physical records",
      "observation": "Section 12 states: \"Paper records are stored in the Gothenburg archive room and disposed of by the archive vendor when the responsible department requests it.\" Disposal triggered only by ad-hoc departmental request means paper records containing personal data have no defined retention period at all, contrary to GDPR Art. 5(1)(e) and impossible to evidence under Art. 5(2) accountability (GDPR:art_5, retrieved). EDPB Guidelines 4/2019 require the controller to limit the retention period to what is necessary and delete data when no longer needed — which presupposes defined periods and an active deletion trigger.",
      "severity": "minor",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p26",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
        "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-6",
      "title": "12-month CCTV retention lacks documented necessity assessment",
      "observation": "Section 13 states: \"Camera recordings from terminal and warehouse premises are retained for twelve (12) months for security and incident investigation purposes.\" Twelve months is a long retention period for routine security CCTV and the policy documents no necessity assessment supporting it, as GDPR Art. 5(1)(e) requires (data kept \"no longer than is necessary for the purposes\") (GDPR:art_5, retrieved). The Swedish supervisory authority IMY has published dedicated camera-surveillance guidance ('Vägledning vid kamerabevakning', report 2021:2, surfaced via the gateway), against which the period should be justified. NOTE (unresolved): the specific maximum storage durations IMY considers acceptable in practice (commonly days to a few weeks for routine surveillance) could not be retrieved as quotable text via the gateway in this session; this finding is therefore graded on the absence of a documented necessity assessment, not on a specific numeric benchmark.",
      "severity": "minor",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p28",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
        "https://www.imy.se/publikationer/vagledning-vid-kamerabevakning"
      ],
      "evidence_unconfirmed": false
    },
    {
      "id": "F-7",
      "title": "Bookkeeping retention period applied beyond accounting records",
      "observation": "Section 4 states: \"Customer account data and shipment records are retained for the duration of the customer relationship plus seven (7) years after the final transaction, to meet bookkeeping obligations under the Swedish Accounting Act (bokföringslagen).\" Bokföringslagen (1999:1078) 7 kap. 2 § (retrieved via get_provision) requires that accounting records (räkenskapsinformation) \"ska bevaras fram till och med det sjunde året efter utgången av det kalenderår då räkenskapsåret avslutades\" — i.e. the obligation attaches to accounting records, and the period runs from the end of the calendar year in which the fiscal year closed, not from the final transaction. Applying this period to all customer account data (e.g. contact persons, marketing profiles, portal accounts) exceeds the legal obligation relied on; GDPR Art. 17(3)(b) only shields retention that is necessary \"for compliance with a legal obligation\" (GDPR:art_17, retrieved), and Art. 5(1)(e) requires the rest to be deleted or anonymised when no longer necessary.",
      "severity": "minor",
      "evidence_references": [
        "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p10",
        "https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/sfs-1999-1078",
        "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_17"
      ],
      "evidence_unconfirmed": false
    }
  ],
  "recommendations": [
    {
      "id": "R-1",
      "finding_ids": [
        "F-1"
      ],
      "action": "Replace indefinite retention of unsuccessful applicants' data with a defined short period tied to the recruitment purpose (deletion after the recruitment concludes plus a documented claims-defence window), and retain for future opportunities only with the candidate's freely given consent and a stated expiry.",
      "priority": "p1"
    },
    {
      "id": "R-2",
      "finding_ids": [
        "F-2"
      ],
      "action": "Abolish blanket full-mailbox archiving; define role- and purpose-differentiated email retention periods, apply automated purging at period end, and document the necessity assessment for any category retained longer.",
      "priority": "p1"
    },
    {
      "id": "R-3",
      "finding_ids": [
        "F-3"
      ],
      "action": "Remove the 'may still be useful' postponement clause; permit deviation from the disposal schedule only on documented legal grounds (e.g. establishment, exercise or defence of legal claims under GDPR Art. 17(3)(e)), approved and logged by the privacy function.",
      "priority": "p1"
    },
    {
      "id": "R-4",
      "finding_ids": [
        "F-4"
      ],
      "action": "Set an explicit maximum retention period for backup media in the policy, and document a procedure ensuring data erased in production is excluded or purged from backups within a defined, stated timeframe (including on restore).",
      "priority": "p2"
    },
    {
      "id": "R-5",
      "finding_ids": [
        "F-5"
      ],
      "action": "Assign fixed retention periods and scheduled disposal reviews to physical archive categories, with disposal logged by the archive vendor rather than triggered only by departmental request.",
      "priority": "p2"
    },
    {
      "id": "R-6",
      "finding_ids": [
        "F-6"
      ],
      "action": "Perform and document a necessity assessment for CCTV retention against IMY's camera-surveillance guidance (report 2021:2); shorten the 12-month period to what the assessment actually supports, with longer retention only for footage tied to a specific incident.",
      "priority": "p2"
    },
    {
      "id": "R-7",
      "finding_ids": [
        "F-7"
      ],
      "action": "Limit the 7-year bookkeeping retention to räkenskapsinformation as defined by bokföringslagen 7 kap., align the period's start with the end of the calendar year in which the fiscal year closed, and set separate, shorter periods for non-accounting customer data.",
      "priority": "p3"
    }
  ],
  "citation_provenance": [
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p10",
      "kind": "segment",
      "section_title": null,
      "text_preview": "Customer account data and shipment records are retained for the duration of the customer relationship plus seven (7) yea",
      "content_hash_at_submit": "97eef8936cb2cc98620f4db6f2c4883cb3dd9d7f012aa4ec47c0d2c6886e92da",
      "content_hash_now": "97eef8936cb2cc98620f4db6f2c4883cb3dd9d7f012aa4ec47c0d2c6886e92da",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p14",
      "kind": "segment",
      "section_title": null,
      "text_preview": "CVs, cover letters, and interview notes of unsuccessful applicants are retained indefinitely in the HR system so that ca",
      "content_hash_at_submit": "10fbdd1463a982e9c9b88338886191fe374be1c5e789c986231f346ec484f76a",
      "content_hash_now": "10fbdd1463a982e9c9b88338886191fe374be1c5e789c986231f346ec484f76a",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p20",
      "kind": "segment",
      "section_title": null,
      "text_preview": "All staff email accounts are archived in full. Email archives are retained for ten (10) years for all staff regardless o",
      "content_hash_at_submit": "826355a8fce858cb028dea9bb2fcf1ea1adc7044e53d28ab797e3784fb40860a",
      "content_hash_now": "826355a8fce858cb028dea9bb2fcf1ea1adc7044e53d28ab797e3784fb40860a",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p24",
      "kind": "segment",
      "section_title": null,
      "text_preview": "Backup media are retained according to the backup rotation schedule maintained by IT Operations. Data deleted from produ",
      "content_hash_at_submit": "f63cf6e2742cc7aa770671c417533a6b7cd5d69d88f0ebd49dc394193e67b39c",
      "content_hash_now": "f63cf6e2742cc7aa770671c417533a6b7cd5d69d88f0ebd49dc394193e67b39c",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p26",
      "kind": "segment",
      "section_title": null,
      "text_preview": "Paper records are stored in the Gothenburg archive room and disposed of by the archive vendor when the responsible depar",
      "content_hash_at_submit": "3b01dcaf473f5a8bdc0d9649b345ca9de8b5a087c1fa99490c7c26c9068577b5",
      "content_hash_now": "3b01dcaf473f5a8bdc0d9649b345ca9de8b5a087c1fa99490c7c26c9068577b5",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p28",
      "kind": "segment",
      "section_title": null,
      "text_preview": "Camera recordings from terminal and warehouse premises are retained for twelve (12) months for security and incident inv",
      "content_hash_at_submit": "089b61ad98cf84e8c69fdd34ea6e132729321b77a467d23c989a865872649811",
      "content_hash_now": "089b61ad98cf84e8c69fdd34ea6e132729321b77a467d23c989a865872649811",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p30",
      "kind": "segment",
      "section_title": null,
      "text_preview": "Electronic data is deleted using the standard deletion functions of each system. Physical records are shredded by the co",
      "content_hash_at_submit": "e839cc334ee69d4266d1cd473b01fd59a5cf3536d048dab3fdfc05c19b734356",
      "content_hash_now": "e839cc334ee69d4266d1cd473b01fd59a5cf3536d048dab3fdfc05c19b734356",
      "drifted": false,
      "resolvable_now": true,
      "resolved_at_submit": "2026-07-02T20:25:56.817957+00:00"
    },
    {
      "ref": "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5",
      "kind": "external_url",
      "drift_applicable": false
    },
    {
      "ref": "https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_17",
      "kind": "external_url",
      "drift_applicable": false
    },
    {
      "ref": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62021CJ0077",
      "kind": "external_url",
      "drift_applicable": false
    },
    {
      "ref": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en",
      "kind": "external_url",
      "drift_applicable": false
    },
    {
      "ref": "https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/sfs-1999-1078",
      "kind": "external_url",
      "drift_applicable": false
    },
    {
      "ref": "https://www.imy.se/publikationer/vagledning-vid-kamerabevakning",
      "kind": "external_url",
      "drift_applicable": false
    }
  ]
}
