
GDPR and archives: a practical survival guide

    This practical guide outlines key principles to stay compliant and avoid legal pitfalls.

    Since 2018, archivists have had to deal with a demanding new player: the GDPR. More than seven years on, the regulation still raises recurring questions: can this file be retained? Should this data be anonymised? And even when names or addresses are removed, full anonymisation is not always guaranteed - cross-referencing can still lead to identification.



    Know what you keep

    Compliance is impossible without knowing where personal data is stored.

    This means mapping your collections: registers, HR files, medical records, archived emails kept “just in case”, forgotten spreadsheets on servers. Practical tip: if you do not know where to start, work with your Data Protection Officer (DPO). They can help identify sensitive data and structure classification.

    Minimise, sort, delete

    The goal is not to declutter for its own sake, but to avoid retaining personal data without a legal basis:

    • remove duplicates,
    • securely destroy obsolete documents (shredding, certified deletion),
    • retain only what has legal or archival value.

    Under the GDPR (Article 6), data can be processed and retained if:

    • required by law,
    • necessary for a task carried out in the public interest (which applies to public archives),
    • or, in limited cases, justified by legitimate interest.

    Access to archives: not unrestricted

    Access rules depend on the type of user:

    • Internal access (staff, authorised researchers): apply clear authorisation rules, control access and maintain logs. Avoid uncontrolled sharing (e.g. via USB drives).
    • External access (citizens, media, researchers): comply with legal access periods defined by national regulations.

    Indicative retention periods include:

    • 25 years for general privacy-related data,
    • 50 years for documents affecting public security,
    • 75 years for judicial records,
    • 100 years for medical records,
    • up to 120 years after birth for certain sensitive data.

    In some cases, early access may be granted through specific authorisation procedures.

    Document everything

    A core principle applies: every action must be justifiable. Why is this record retained? Why was this file deleted? When and how was a request processed? All of this must be recorded in a processing register (Article 30 GDPR), which is essential in the event of an audit.

    Recommendation: this responsibility should not rest on archivists alone. Work closely with DPOs, legal teams and contributing departments to define roles and documentation practices.

    Daily best practices

    • map your collections,
    • eliminate unnecessary data,
    • secure access to sensitive information,
    • provide clear, legally validated responses to users,
    • document all actions,
    • stay up to date with regulatory guidance,
    • do not work in isolation — consult DPOs or legal experts when needed.

    It is also essential to formalise your practices through internal guidelines:

    • specify the legal basis,
    • define retention and access periods,
    • document exceptions (anonymisation, special access requests),
    • provide clear operational instructions.

    These rules can be integrated into archival and records management systems to ensure consistency and traceability.

    Anonymisation: more fragile than it seems

    A common confusion persists between two distinct notions:

    • Anonymisation removes any link to an individual → outside GDPR scope
    • Pseudonymisation replaces identifiers but remains reversible → still subject to GDPR

    In practice, simply removing names or addresses is often insufficient. Contextual data - roles, dates, public information - can enable re-identification.
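    To make this re-identification risk concrete, here is an added example (not from the original article): a small k-anonymity check over constructed, name-stripped personnel records. The field names, values and the `generalise` helper are assumptions for illustration; the point is that a unique combination of role, department and date still singles out one person.

```python
"""k-anonymity check on name-stripped archive records (added example)."""
from collections import Counter

# Constructed sample: names already removed, but contextual fields remain.
RECORDS = [
    {"role": "Director", "department": "Finance", "start": "2011-03-14"},
    {"role": "Clerk", "department": "Finance", "start": "2011-09-02"},
    {"role": "Clerk", "department": "Finance", "start": "2011-11-20"},
    {"role": "Archivist", "department": "Records", "start": "2015-06-30"},
    {"role": "Archivist", "department": "Records", "start": "2015-08-01"},
]
# Fields that are not direct identifiers but can be cross-referenced
# with public information (org charts, press, registers).
QUASI_IDENTIFIERS = ("role", "department", "start")


def k_anonymity(records, keys):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and thus re-identifiable."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values()) if counts else 0


def singletons(records, keys):
    """Quasi-identifier combinations that occur exactly once (sorted)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return sorted(combo for combo, n in counts.items() if n == 1)


def generalise(records, field, width):
    """Coarsen a text field to its first `width` characters, e.g. an ISO
    date '2011-03-14' to the year '2011'. Returns new dicts."""
    return [{**r, field: r[field][:width]} for r in records]


if __name__ == "__main__":
    # Names removed, raw dates kept: every record is unique (k = 1).
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    # Dates coarsened to the year: the clerks and archivists now blend in,
    # but a single Director in Finance is still identifiable from a public role.
    by_year = generalise(RECORDS, "start", 4)
    print("year k =", k_anonymity(by_year, QUASI_IDENTIFIERS))
    print("still unique:", singletons(by_year, QUASI_IDENTIFIERS))
    # Only after the role is also withheld does every group reach k >= 2.
    print("no-role k =", k_anonymity(by_year, ("department", "start")))
```

Choosing the quasi-identifier set is the judgement call: any field an outsider could match against public information belongs in it.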

    Constraint or opportunity?

    The GDPR is often perceived as an administrative burden. Yet it also brings structure: less unnecessary data, clearer processes, and stronger protection of individual rights.

    For archivists, it provides a framework to justify decisions: “here is the rule, and here is the evidence.”

    This responsibility should be shared. DPOs, legal teams and operational departments are key partners. Together, they can turn GDPR compliance from a constraint into a professional asset - at the intersection of memory preservation and the protection of individual rights.
