It varies depending upon regulatory and GDPR considerations.
For regulatory considerations it could be 5-7 years, particularly if there is a personal transaction.
For personal information you need to look into the GDPR regulations.
Here are the headlines:
- You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
As a rule of thumb you should keep personal information for a maximum of 2 years.