# Compliance Review Report — Nordbram Logistics AB Data Retention Policy v2.1

| | |
|---|---|
| **Entity** | Nordbram Logistics AB (fictional Swedish logistics company) |
| **Document** | `nordbram-retention-policy-v2.1.md` (DOC-GEKG, source SHA-256 `5448b09c624cc817790ba2e21eea994f82fa03429ffc71fb5339bf8dc65300b2`) |
| **Workflow** | Document Review (Paragraph-Cited), `1df0135f-7ebf-411b-9c80-a2b8d975cb25` |
| **Jurisdictions** | SE, EU (framework: GDPR) |
| **Generated** | 2026-07-02T20:26:22Z |
| **Approval** | User-review gate passed — "approved by operator for capture" |

## Summary

The document is Nordbram Logistics AB's Data Retention Policy v2.1 (approved 2025-11-04), covering personal data of employees, applicants, customers, carrier partners and visitors across Sweden and Norway. The policy states the correct general principle (retention only as long as necessary), but several concrete rules contradict it: indefinite retention of unsuccessful applicants' data, blanket 10-year full email archiving, discretionary postponement of disposal, and undefined backup and physical-archive schedules. Measured against GDPR Art. 5(1)(e) (storage limitation), Art. 17 (erasure), CJEU C-77/21 (Digi) and EDPB Guidelines 4/2019, the policy needs one critical and several major corrections; the 7-year bookkeeping-based periods are broadly aligned with bokföringslagen (1999:1078) 7 kap. 2 § but are applied too widely.

**Severity profile:** 1 critical · 3 major · 3 minor.

## Findings

### F-1 · CRITICAL — Indefinite retention of unsuccessful job applicants' data

> "CVs, cover letters, and interview notes of unsuccessful applicants are retained indefinitely in the HR system so that candidates can be considered for future opportunities." — policy § 6 [1]

Indefinite retention is directly incompatible with GDPR Art. 5(1)(e), which requires that personal data be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" [8]. EDPB Guidelines 4/2019 on Art. 25 add: "The controller shall limit the retention period to what is necessary for the purpose. If personal data is no longer necessary for the purpose of the processing, then it shall be deleted" [11]. Retention for speculative future recruitment is a different purpose than the completed recruitment and needs its own lawful basis and defined period.

*Unresolved:* the commonly referenced Swedish benchmark (~2 years for rejected-applicant data, tied to diskrimineringslagen limitation periods) could not be grounded in a specific quotable provision via the gateway in this session — only indirect cross-references surfaced (e.g. SFS 1999:678 § 50). The finding stands on Art. 5(1)(e) alone.

### F-2 · MAJOR — Blanket 10-year full-content email archiving for all staff

> "All staff email accounts are archived in full. Email archives are retained for ten (10) years for all staff regardless of role, to support potential dispute resolution and internal investigations." — policy § 9 [2]

Undifferentiated full archiving of every mailbox for 10 years conflicts with GDPR Art. 5(1)(e) (storage limitation) and Art. 5(1)(c) (data minimisation — "adequate, relevant and limited to what is necessary") [8]. CJEU C-77/21 *Digi* (ECLI:EU:C:2022:805) confirms the retention period must be assessed in the light of the purposes for which the data were collected [10]; "potential dispute resolution" for every mailbox does not establish necessity for a uniform 10-year period.

### F-3 · MAJOR — Discretionary postponement of disposal on "may still be useful" grounds

> "Disposal of customer data may be postponed if a department head indicates the data may still be useful." — policy § 14 [3]

"Usefulness" is not a lawful retention criterion. Art. 5(1)(b) limits further processing to compatible purposes, Art. 5(1)(e) requires deletion once data is no longer necessary [8], and Art. 17(1)(a) obliges erasure "without undue delay" where "the personal data are no longer necessary in relation to the purposes for which they were collected" [9]. Retention beyond the schedule is only permissible on defined legal grounds such as Art. 17(3)(e) (legal claims), which requires a concrete assessment, not a department head's indication of usefulness.

### F-4 · MAJOR — Backup retention unbounded; deletion not propagated to backups

> "Backup media are retained according to the backup rotation schedule maintained by IT Operations. Data deleted from production systems remains in backups until the relevant media are recycled." — policy § 11 [4]

The policy sets no maximum backup retention and defers entirely to an external rotation schedule, so the effective retention of deleted personal data is undefined. Storage limitation (Art. 5(1)(e)) applies to all copies including backups, Art. 17(1) requires erasure "without undue delay" [9], and under Art. 5(2) the controller must "be able to demonstrate compliance" [8] — an open-ended "until media are recycled" rule cannot do that.

### F-5 · MINOR — No defined retention or disposal schedule for physical records

> "Paper records are stored in the Gothenburg archive room and disposed of by the archive vendor when the responsible department requests it." — policy § 12 [5]

Disposal triggered only by ad-hoc departmental request means paper records containing personal data have no defined retention period at all, contrary to Art. 5(1)(e), and compliance cannot be evidenced as Art. 5(2) requires [8]. EDPB Guidelines 4/2019 presuppose defined periods and an active deletion trigger [11].

### F-6 · MINOR — 12-month CCTV retention lacks documented necessity assessment

> "Camera recordings from terminal and warehouse premises are retained for twelve (12) months for security and incident investigation purposes." — policy § 13 [6]

Twelve months is long for routine security CCTV and the policy documents no necessity assessment, as Art. 5(1)(e) requires [8]. The Swedish supervisory authority IMY has published dedicated camera-surveillance guidance (*Vägledning vid kamerabevakning*, report 2021:2) against which the period should be justified [12].

*Unresolved:* IMY's specific acceptable storage durations (commonly days to a few weeks for routine surveillance) could not be retrieved as quotable text via the gateway; this finding is graded on the absence of a documented necessity assessment, not a numeric benchmark.

### F-7 · MINOR — Bookkeeping retention period applied beyond accounting records

> "Customer account data and shipment records are retained for the duration of the customer relationship plus seven (7) years after the final transaction, to meet bookkeeping obligations under the Swedish Accounting Act (bokföringslagen)." — policy § 4 [7]

Bokföringslagen (1999:1078) 7 kap. 2 § requires that accounting records "ska bevaras fram till och med det sjunde året efter utgången av det kalenderår då räkenskapsåret avslutades" [13] — the obligation attaches to *räkenskapsinformation*, and the period runs from the end of the calendar year in which the fiscal year closed, not from the final transaction. Applying it to all customer account data exceeds the legal obligation relied on; Art. 17(3)(b) only shields retention necessary "for compliance with a legal obligation" [9], and Art. 5(1)(e) requires the rest to be deleted or anonymised.

## Recommendations

| # | Priority | Finding | Action |
|---|----------|---------|--------|
| R-1 | **P1** | F-1 | Replace indefinite retention of unsuccessful applicants' data with a defined short period tied to the recruitment purpose; retain for future opportunities only with freely given consent and a stated expiry. |
| R-2 | **P1** | F-2 | Abolish blanket full-mailbox archiving; define role- and purpose-differentiated email retention periods with automated purging and documented necessity assessments. |
| R-3 | **P1** | F-3 | Remove the "may still be useful" clause; permit deviation only on documented legal grounds (e.g. GDPR Art. 17(3)(e)), approved and logged by the privacy function. |
| R-4 | P2 | F-4 | Set an explicit maximum backup retention period and a procedure that ensures data erased from production is purged from backups, or excluded when a backup is restored, within a stated timeframe. |
| R-5 | P2 | F-5 | Assign fixed retention periods and scheduled disposal reviews to physical archive categories, with vendor-logged disposal. |
| R-6 | P2 | F-6 | Perform and document a CCTV-retention necessity assessment against IMY report 2021:2; shorten the 12-month period to what the assessment supports. |
| R-7 | P3 | F-7 | Limit 7-year retention to räkenskapsinformation per bokföringslagen 7 kap.; align the period start with the calendar-year rule; set separate shorter periods for other customer data. |

## References

Document citations (all hash-verified at submission and at report generation — no drift):

1. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p14` — hash `10fbdd1463a982e9c9b88338886191fe374be1c5e789c986231f346ec484f76a`
2. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p20` — hash `826355a8fce858cb028dea9bb2fcf1ea1adc7044e53d28ab797e3784fb40860a`
3. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p30` — hash `e839cc334ee69d4266d1cd473b01fd59a5cf3536d048dab3fdfc05c19b734356`
4. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p24` — hash `f63cf6e2742cc7aa770671c417533a6b7cd5d69d88f0ebd49dc394193e67b39c`
5. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p26` — hash `3b01dcaf473f5a8bdc0d9649b345ca9de8b5a087c1fa99490c7c26c9068577b5`
6. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p28` — hash `089b61ad98cf84e8c69fdd34ea6e132729321b77a467d23c989a865872649811`
7. `doc://1ad7b053-cf78-4e53-b11c-0ec85fb0da68/segment/paragraph/0.p10` — hash `97eef8936cb2cc98620f4db6f2c4883cb3dd9d7f012aa4ec47c0d2c6886e92da`

Regulatory sources (all retrieved via the Ansvar gateway this session):

8. GDPR Art. 5 (Regulation (EU) 2016/679) — https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_5
9. GDPR Art. 17 (Regulation (EU) 2016/679) — https://eur-lex.europa.eu/eli/reg/2016/679/oj#art_17
10. CJEU, Case C-77/21 *Digi*, ECLI:EU:C:2022:805 — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62021CJ0077
11. EDPB Guidelines 4/2019 on Article 25 (Data Protection by Design and by Default) — https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en
12. IMY, *Vägledning vid kamerabevakning*, report 2021:2 — https://www.imy.se/publikationer/vagledning-vid-kamerabevakning
13. Bokföringslagen (1999:1078) 7 kap. 2 § — https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/sfs-1999-1078
