Remove unnecessary sensitive information


The system must remove sensitive and personal information when it is no longer required.


Systems usually request sensitive or personal information from their users or collect it from their interactions with the application. Regulations demand that none of this collection occur without the user's consent, and that the information not be stored for longer than strictly necessary. Therefore, the system should delete this information once it is no longer required.


  • GDPR. Art. 5(1)(e): Principles relating to processing of personal data: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  • ISO 27001:2013. Annex A - 18.1.3: Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.

  • ISO 27001:2013. Annex A - 18.1.4: When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.

  • OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data (8.3.8): Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.

  • PCI DSS v3.2.1 - Requirement 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes for secure deletion of data when no longer needed.

  • PCI DSS v3.2.1 - Requirement 3.2.1: Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization.

  • PCI DSS v3.2.1 - Requirement 3.2.2: Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

  • PCI DSS v3.2.1 - Requirement 3.2.3: Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
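The following is an added example, not code from the original page, showing the two deletion behaviours the requirement and the references above call for: a scheduled purge driven by a retention classification (ASVS 8.3.8, GDPR Art. 5(1)(e)) and the removal of sensitive authentication data as soon as a payment has been authorized (PCI DSS 3.2.1 to 3.2.3). The retention periods, the `Record` shape and the sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention classes: how long each category may be kept after last use.
RETENTION = {
    "contact": timedelta(days=365),  # e-mail/phone kept for account notices
    "support": timedelta(days=90),   # free-text support tickets
}
# Fields PCI DSS 3.2.1-3.2.3 forbid keeping once authorization has completed.
SENSITIVE_AUTH_FIELDS = {"track_data", "cvv", "pin_block"}

@dataclass
class Record:
    rid: str
    category: str          # key into RETENTION; an unknown key means unclassified
    last_needed: datetime  # last time the stated purpose actually required the data
    data: dict

def scrub_after_authorization(txn: dict) -> dict:
    """Drop sensitive authentication data as soon as the issuer has answered."""
    if "authorized" not in txn:      # still pending: the fields are still required
        return dict(txn)
    return {k: v for k, v in txn.items() if k not in SENSITIVE_AUTH_FIELDS}

def purge_expired(records: list, now: datetime) -> tuple:
    """Scheduled sweep. Returns (kept, purged_ids, unclassified_ids)."""
    kept, purged, unclassified = [], [], []
    for r in records:
        limit = RETENTION.get(r.category)
        if limit is None:                    # no class: report it, never silently keep
            unclassified.append(r.rid)
            kept.append(r)
        elif now - r.last_needed > limit:    # retention window elapsed: delete
            purged.append(r.rid)             # production: hard delete or crypto-shred
        else:
            kept.append(r)
    return kept, purged, unclassified

def demo(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Constructed sample data (not real users) exercising both checks."""
    records = [
        Record("u1", "contact", now - timedelta(days=400), {"email": "a@example.org"}),
        Record("u2", "support", now - timedelta(days=10), {"ticket": "printer"}),
        Record("u3", "marketing", now - timedelta(days=900), {"prefs": "weekly"}),
    ]
    kept, purged, unclassified = purge_expired(records, now)
    txn = scrub_after_authorization(
        {"pan_token": "tok_1", "cvv": "123", "track_data": "constructed", "authorized": True})
    return {"purged": purged, "unclassified": unclassified,
            "kept": [r.rid for r in kept], "txn_fields": sorted(txn)}
```

Unclassified records are surfaced rather than kept quietly, because data with no retention class cannot be shown to satisfy the requirement.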