Data retention is a critical but often overlooked aspect of DAC8 compliance. Reporting entities must not only collect and report customer and transaction data but also retain that data, along with supporting documentation, for specified periods. At the same time, data protection requirements under the General Data Protection Regulation (GDPR) impose constraints on how long personal data may be kept. Navigating these overlapping requirements is essential.

What Must Be Retained

DAC8 reporting obligations generate several categories of records that must be preserved. Each serves a different purpose and may be subject to different retention requirements.

Self-Certifications

When customers provide self-certifications declaring their tax residence and Taxpayer Identification Number (TIN), the reporting entity must retain a copy of the self-certification form and any supporting evidence used to assess its reasonableness. This includes the original certification and any updated versions provided by the customer.

Customer Due Diligence Records

All records related to the identification and verification of reportable users must be retained. This includes identity documents collected, the results of any verification checks, and records of the procedures followed. If a customer's status was assessed and determined to be non-reportable, records supporting that determination should also be kept.

Transaction Data

The underlying transaction records that form the basis of the reported figures must be preserved. This includes individual transaction records, the exchange rates applied, the fiat currency values calculated, and any aggregation logic used to produce the reported totals.

Reports and Submission Records

Copies of the actual reports submitted to national tax authorities should be retained, along with evidence of submission (confirmation receipts, timestamps, portal acknowledgements). If corrections or amendments were filed, retain both the original and corrected versions.

Internal Process Documentation

Records demonstrating that the entity implemented and followed appropriate due diligence and reporting procedures are valuable. This includes policy documents, procedural manuals, staff training records, and audit trail documentation.

Retention Periods

The specific retention period applicable to DAC8 records is determined by the directive and by national implementing legislation. The directive framework generally aligns with the approach taken under the Common Reporting Standard (CRS), which requires that records be retained for a minimum period following the end of the reporting period to which they relate.

Under the DAC framework, member states are expected to require retention for a period that is sufficient to support tax administration, audit, and enforcement activities. In practice, a retention period of at least five years from the end of the reporting period is commonly anticipated, consistent with the approach applied to CRS and other automatic exchange of information regimes.

However, the exact retention period may vary by member state. Reporting entities must check the specific requirements set out in the national transposition legislation for each jurisdiction where they have reporting obligations.

Key point: Retention obligations apply from the end of the period to which the data relates, not from the date of collection or submission. For data relating to the 2026 reporting period, a five-year retention requirement would mean keeping records until at least the end of 2031.

GDPR Interaction

The retention of personal data for DAC8 compliance purposes must be reconciled with obligations under the GDPR. The two regimes create a tension: DAC8 requires data to be kept for compliance and audit purposes, while the GDPR requires that personal data not be retained longer than necessary for the purpose for which it was collected.

Lawful Basis for Retention

The GDPR provides a lawful basis for processing (including retention) of personal data where it is necessary for compliance with a legal obligation. DAC8 reporting is a legal obligation imposed by EU and national law, which provides a solid basis for retaining the required data for the specified retention period.

Data Minimisation

Even where retention is lawful, the GDPR's data minimisation principle applies. Reporting entities should only retain the specific data elements required for DAC8 compliance purposes, and should not use the existence of a DAC8 retention obligation as a justification for retaining unrelated personal data.

Purpose Limitation

Data collected and retained specifically for DAC8 compliance should not be repurposed for other uses (such as marketing) without an independent lawful basis. Ensure that DAC8 data is clearly identified and that access is restricted to those with a legitimate compliance need.

Deletion After the Retention Period

Once the applicable retention period has expired and there is no other legal basis for retaining the data, reporting entities are expected to delete or anonymise the personal data. Establish a clear data lifecycle policy that includes scheduled review and deletion of expired records.

Privacy Notices

Customers must be informed about the collection, processing, and retention of their personal data for DAC8 purposes. Update your privacy notices to include specific references to DAC8, the categories of data collected, the retention period, and the legal basis for processing.

Practical Recommendations

  1. Define your retention schedule. Document the retention period for each category of DAC8 record, based on the requirements of each relevant member state.
  2. Automate retention management. Where possible, use automated systems to flag records approaching the end of their retention period and to manage deletion or anonymisation workflows.
  3. Segregate DAC8 data. Keep DAC8 compliance data logically separated from other business data to facilitate both retention management and access control.
  4. Maintain an audit trail. Record when data was collected, when it was reported, and when it is scheduled for deletion. This supports both compliance audits and GDPR accountability requirements.
  5. Conduct periodic reviews. Regularly review your retention practices to ensure they remain aligned with current legal requirements, particularly as national legislation or regulatory guidance is updated.
  6. Coordinate with your Data Protection Officer. If your organisation has a DPO, ensure they are involved in the design and review of DAC8 data retention practices.

Getting data retention right protects your organisation from two directions: it satisfies the tax authority's expectation that records will be available for audit, and it satisfies the data protection authority's expectation that personal data will not be kept indefinitely. A well-designed retention policy serves both objectives.
