This space is deprecated and no longer supported. Please use the latest available version here.
Data Retention Guidelines
This section covers the guidelines on Data Retention by TPPs for the User data obtained as part of a Data Sharing request.
1. Consent Revocation
The User has revoked a long-lived data-sharing consent with the TPP.
Here is a use-case example:
A TPP offers a Personal Finance Manager app that provides insights on spend and predictions, and uses the data collected via OF to deliver part of that proposition. The User is onboarded and KYCed by the TPP for this service, subscribes to the services offered by the TPP and gives a long-lived OF consent. After a few months, the User ends the monthly subscription and revokes their consent for Data Sharing.
This does not imply that the TPP has to delete the data acquired so far. The User relationship with the TPP still exists, and the User can still access any free content that may depend on the OF data. For example, the User may still want to view historical insights, or the TPP may still offer limited services based on the User's account and product information held with the LFI.
If an Open Finance (OF) consent is revoked by the User, that must NOT imply that the data obtained via OF must be deleted by the TPP. This data is part of the overall User data held by the TPP, and the TPP, as the Data Controller, must be able to justify its handling of the OF data under the applicable Data Protection Law. The User must, however, have an explicit right to request deletion of the data.
Therefore, under this compliance regime, the TPP (Data Controller) must:
know what personal data they hold and why they need it;
be able to justify how long they keep the personal data;
have a policy with standard retention periods;
regularly review the information held and erase or anonymize all or part of the personal data they no longer need.
A licensed TPP is responsible for compliance with the Data Protection Laws for all data acquired from the User, of which the OF data is only a part.
The OF guidelines on handling historical data after revocation of a Long-Lived consent are the following:
the TPP MUST state what happens to any existing data it has already retrieved, and which of that data it no longer requires and will delete (per the Data Protection Laws). This information must be available in the Terms and Conditions agreed by the User.
the TPP MUST provide an option on the consent management dashboard allowing the User to delete all historic data when the consent is revoked. This could be a call to action on the dashboard, or information on how the User can request deletion of the data.
2. Account Deletion
If the User (PSU) deletes their account with the TPP and ends the relationship, the TPP may need to continue holding some of the information for legal or operational reasons for a further set period. This minimum retained information could include OF data.
On termination of the relationship with the customer-facing TPP, the TPP MUST:
confirm to the User which of the OF data it needs to continue holding for legal or operational reasons. This information must be available in the Terms and Conditions agreed by the User.
confirm to the User that the remaining OF data has been deleted.
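The two obligations above (keep only what the law or operations require after the relationship ends, and tell the User what was held and what was deleted) and the earlier consent-revocation rules (revocation alone deletes nothing; an explicit User request does, subject to legal holds) can be enforced by one retention sweep keyed on a lifecycle event. The following is an added illustration, not CBUAE code nor any TPP's implementation: the record categories, retention periods, the "legal"/"operational"/"anonymize" bases and the payload field names are all assumptions chosen for the example, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMED retention policy: category -> (retention period in days, basis).
#   "legal"        held for the full period for legal/operational reasons,
#                  even after the User relationship ends
#   "operational"  needed only while the service is used; erased on a User
#                  deletion request or on account deletion
#   "anonymize"    as "operational", but identifiers are stripped and a
#                  non-personal aggregate is kept instead of deleting
RETENTION_POLICY = {
    "transaction": (5 * 365, "legal"),
    "kyc_evidence": (5 * 365, "legal"),
    "balance_snapshot": (90, "operational"),
    "spend_insight": (2 * 365, "anonymize"),
}


@dataclass
class OFRecord:
    record_id: str
    user_id: str
    category: str
    collected_on: date
    payload: dict


def retain_until(rec):
    """Last day the record may be held under the assumed policy."""
    days, _ = RETENTION_POLICY[rec.category]
    return rec.collected_on + timedelta(days=days)


def anonymize(rec):
    """Drop direct identifiers; only assumed aggregate fields survive."""
    kept = {k: v for k, v in rec.payload.items() if k in ("month", "total_spend")}
    return OFRecord(rec.record_id, "anonymous", rec.category, rec.collected_on, kept)


def apply_lifecycle_event(records, user_id, event, today, delete_requested=False):
    """Decide the fate of each OF record held for one User.

    event: "consent_revoked"  nothing deleted unless delete_requested is set
           "account_deleted"  operational data erased, legal data held
           "periodic_review"  only data past its retention period erased
    Returns {"retained": [...], "anonymized": [...], "deleted": [...]} where
    each entry is (record, reason) so the outcome can be confirmed to the User.
    """
    if event not in ("consent_revoked", "account_deleted", "periodic_review"):
        raise ValueError("unknown lifecycle event: %r" % event)
    out = {"retained": [], "anonymized": [], "deleted": []}
    for rec in records:
        if rec.user_id != user_id:
            continue
        until = retain_until(rec)
        _, basis = RETENTION_POLICY[rec.category]
        if today > until:
            out["deleted"].append((rec, "retention period expired"))
        elif event == "periodic_review":
            out["retained"].append((rec, "within retention period until %s" % until))
        elif event == "consent_revoked" and not delete_requested:
            out["retained"].append((rec, "consent revoked but User relationship continues"))
        elif basis == "legal":
            out["retained"].append((rec, "held for legal/operational reasons until %s" % until))
        elif basis == "anonymize":
            out["anonymized"].append((anonymize(rec), "identifiers removed, aggregate kept"))
        else:
            out["deleted"].append((rec, "no longer required"))
    return out


def confirmation_text(result):
    """User-facing confirmation of what is still held and what was deleted."""
    lines = []
    for label in ("retained", "anonymized", "deleted"):
        for rec, why in result[label]:
            lines.append("%s %s (%s): %s" % (label.upper(), rec.record_id, rec.category, why))
    return lines


# Constructed sample data for one User plus one unrelated record.
SAMPLE_RECORDS = [
    OFRecord("tx-1", "user-1", "transaction", date(2023, 1, 10), {"amount": 42.0, "account_no": "AE12..."}),
    OFRecord("bal-2", "user-1", "balance_snapshot", date(2024, 5, 20), {"balance": 1000.0}),
    OFRecord("bal-3", "user-1", "balance_snapshot", date(2023, 12, 1), {"balance": 900.0}),
    OFRecord("ins-4", "user-1", "spend_insight", date(2024, 3, 1),
             {"month": "2024-02", "total_spend": 310.5, "account_no": "AE12..."}),
    OFRecord("tx-9", "user-2", "transaction", date(2024, 4, 2), {"amount": 7.0}),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for event in ("consent_revoked", "account_deleted"):
        print("==", event)
        for line in confirmation_text(apply_lifecycle_event(SAMPLE_RECORDS, "user-1", event, today)):
            print(line)
```

Note the ordering of the checks: expiry is tested first, so data past its retention period is erased on any event, and the "legal" basis is tested before the deletion branches, so a User deletion request never removes data the TPP must hold; the reason strings are what the TPP would surface in the confirmation to the User.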
© CBUAE 2024