Chapter 3 — Data Retention and Storage Limitation

Article 5(1)(e) of the General Data Protection Regulation (GDPR) establishes the principle of storage limitation, requiring that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The company has established the following retention periods: customer account data is retained for the duration of the active account relationship plus 24 months; transactional records are retained for 7 years in compliance with tax and accounting regulations; marketing consent records are retained for 3 years from the date of last interaction; application logs containing personal data are purged after 90 days; and backup archives are retained for 12 months with automated deletion thereafter.

Data minimisation reviews are conducted quarterly by the Data Protection Officer to ensure that data collection practices remain proportionate to legitimate business purposes. Personal data that has exceeded its retention period must be securely deleted using NIST SP 800-88 compliant methods.