Data Minimisation in GDPR

When it comes to storing processed data, the GDPR sets out some principles. Most importantly that data must stored for the shortest possible time and no longer than necessary. Legal obligations on how long that data can be stored must be taken into consideration. Storing the data for extended periods is only allowed for archival tasks or research in the fields of science and history, which will require additional security measures implemented such as encryption. Regardless of how long the data is stored, its veracity must be maintained at all times.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/how-long-can-data-be-kept-and-it-necessary-update-it_en