ePrivacy Regulation, Article 7, Storage and erasure of electronic communications data.
1. The provider of the electronic communications service shall erase electronic communications content or make that data anonymous when it is no longer necessary for the purpose of processing in accordance to article 6 (1) and 6a (1).
2. Without prejudice to points (b), (c) and (d) of Article 6 (1), points (c), (d), (e), (f), point (g) of Article 6b, Article 6c and points (b) to (g) of Article 8 (1) the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of providing an electronic communication service.
3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6b (1), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged, or a payment may be pursued in accordance with national law.
4. Union or Member state law may provide that the electronic communications metadata is retained, including under any retention measure that respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security, for a limited period. The duration of the retention may be extended if threats to public security of the Union or of a Member State persists.
Note: This is not the final text of the ePrivacy Regulation. This is the text of the ePrivacy Regulation Proposal of the Council of the European Union from 10.2.2021.