
How long may we keep our backup data, and is that different from production retention?

A backup is a copy. A copy of personal data falls under GDPR too, and the same retention rules apply in principle, with a key nuance: regulators accept that backup runs on a 'rolling' window.

Try this first

  1. Production retention (admin 7 years, medical longer, marketing limited to consent) is your hard ceiling. Keeping backup data beyond that is grounds for purge or anonymisation.
  2. For backups specifically there's 'rolling retention': you don't have to track precisely which user is in which backup, as long as backups expire automatically after a reasonable window (30, 90 or 180 days).
  3. On a right-to-be-forgotten request you don't need to scrub every backup. Regulators accept the data leaving via normal rotation within X days, provided production deletion is immediate.
  4. Document explicitly: which retention in which backup tier, and how production deletion propagates. Common audit question.
  5. Long-term archive is not the same as backup: archive is intentionally long-term, with its own legal basis and policy. Don't confuse them.
  6. Set backup retention honestly: not 7 years because 'storage is cheap', but the minimum that meets RTO and legal duties.

When to bring us in

Concrete GDPR questions on backup retention and erasure go through a DPO or privacy lawyer. Regulator guidance evolves; what was true 5 years ago may not be now.
