
How to Set Data Retention for Employee Monitoring

How do you set data retention for employee monitoring? Set a separate retention clock for each data category, not one blanket period. As a working benchmark: raw screenshots 30 days (or disable capture), activity and app-usage signals 90 days, idle/focus session logs 90 days, aggregated productivity reports 12 months, attendance registers about 3 years per Indian labour rules, and timesheets that feed payroll 8 years under Companies Act section 128. The DPDP Act’s purpose limitation (and the erasure triggers in the draft DPDP Rules 2025) and GDPR’s storage-limitation principle both pull retention down; payroll, tax and labour record-keeping laws pull a narrow slice of data up. Reconcile them by splitting behavioural data (delete fast) from statutory records (keep long), writing the schedule into your monitoring notice, and enforcing it with automated deletion rather than manual cleanups. Verify periods with counsel.

No monitoring vendor publishes concrete day counts, because the honest answer is “it depends on the data category” — and most buyers stop there. This guide does the category work: what each legal regime actually demands, a retention schedule table with defensible numbers per data type, and how to enforce it with automated deletion instead of an annual cleanup nobody runs. Verify with counsel.

Why monitoring data has no single retention period

The most common retention policy in employee monitoring deployments is no policy at all: data accumulates until storage costs or an audit forces the question. The second most common is one blanket number — “we keep everything 12 months” — which fails in both directions. It keeps screenshots and behavioural logs far longer than any defensible purpose under the DPDP Act 2023 or GDPR, and it deletes timesheets that Indian company and tax law require you to preserve for years.

The fix is to recognise that a monitoring stack produces legally distinct data categories. A screenshot, an app-usage signal, an aggregated team report and a payroll-feeding timesheet have different purposes, different legal anchors and therefore different clocks. Once you split them, the “how long” question stops being a debate and becomes a table — the one in section three.

There is also an incentive truth worth stating: every retained record is simultaneously a regulatory exposure, a breach blast radius and a discovery liability in employment disputes. Retention is not a feature you maximise. It is a cost you justify, category by category.

What do DPDP, GDPR and payroll laws each require?

Three regimes pull on the same data, in different directions.

DPDP Act 2023 pulls retention down. Section 8(7) requires a data fiduciary to erase personal data once the specified purpose is no longer being served, unless retention is required by law. The draft DPDP Rules 2025 go further and make erasure operational: for certain large platforms they prescribe time-bound erasure after a defined period of user inactivity, with advance notice to the individual before deletion. Even where those specific triggers do not bind an employer directly, they signal the enforcement pattern the Data Protection Board is likely to expect — a defined trigger, a notice, then deletion that actually happens. Confirm the final rule text with counsel.

GDPR pulls retention down, without giving you a number. Article 5(1)(e) — storage limitation — says personal data may be kept no longer than necessary for the purpose, and Article 5(2) makes you accountable for proving it. European supervisory authorities have repeatedly sanctioned employers for indefinite or poorly justified retention of monitoring data. If you serve EU clients from India, your monitoring stack inherits this principle through contracts and adequacy mechanisms.

Records law pulls a narrow slice up. Section 128(5) of the Companies Act 2013 requires books of account — which payroll and billing records feed — to be preserved for eight financial years. Income-tax record expectations run roughly six years from the end of the relevant assessment year, and longer where proceedings reopen. Labour registers under state Shops and Establishments Acts and wage rules carry their own multi-year windows, commonly around three years but state-specific. Separately, India’s CERT-In directions of April 2022 require ICT system logs to be retained for 180 days. None of these laws require — or excuse — keeping screenshots or behavioural logs. All of this is fact-specific; verify with counsel.

How long should each monitoring data type be kept?

These are working benchmarks for an India-headquartered team with EU client exposure — defensible starting points to take to counsel, not statutory maxima or minima. Shorter is almost always easier to defend than longer for behavioural categories.

| Data type | Benchmark retention | Why this number | Legal anchor (verify with counsel) |
|---|---|---|---|
| Raw screenshots / screen recordings | 30 days — or disable capture | The only operational purpose (resolving a dispute about a session) expires within weeks; risk compounds with every stored image | DPDP s.8(7) purpose limitation; GDPR Art. 5(1)(e) |
| Activity & app-usage signals | 90 days | Covers one quarter of coaching and planning conversations; older signals stop changing decisions | DPDP s.8(7); GDPR Art. 5(1)(e) |
| Idle / focus session logs | 90 days | Same decision window as activity signals — no reason for a longer clock | DPDP s.8(7); GDPR Art. 5(1)(e) |
| Aggregated team reports (de-identified) | 12 months | Enables year-over-year capacity planning without person-level data | Outside personal-data scope only if genuinely de-identified — test this assumption |
| Attendance & leave registers | ~3 years | Labour registers face multi-year inspection windows | State Shops & Establishments Acts; wage rules (state-specific) |
| Timesheets feeding payroll / billing | 8 years | They become part of the books of account once invoiced or paid against | Companies Act 2013 s.128(5); income-tax record expectations (~6 years from end of assessment year) |
| Consent & notice records | Employment + ~3 years | You must be able to prove lawful processing through the limitation period for claims | DPDP ss.5–6; Limitation Act 1963 |
| Security / access logs (ICT systems) | 180 days minimum | Indian cyber-incident rules set an explicit floor for ICT logs | CERT-In Directions under s.70B IT Act (April 2022) |

Two readings of this table matter. First, the spread is enormous — 30 days to 8 years — which is exactly why a blanket period fails. Second, the long clocks attach only to records that exist for payroll, tax and labour compliance. Nothing on the long side requires behavioural surveillance data, ever.

Reconciling the conflict: split statutory records from behavioural data

The apparent contradiction — “DPDP says erase, the Companies Act says keep” — dissolves once you stop storing the two kinds of data in the same bucket. The reconciliation rule is segregation:

  1. Define the statutory record precisely. What the Companies Act protects is the approved timesheet total that fed an invoice or a payroll run — hours, project, approver, date. It does not protect the screenshots, keystroke-adjacent signals or app logs that sat behind the number.
  2. Export the statutory record at approval time. The moment a timesheet is approved, the durable record (the total) moves to the books-of-account system on its 8-year clock.
  3. Let the behavioural layer expire on its own clock. The activity signals that informed the timesheet keep their 90-day retention and are deleted on schedule. DPDP’s “retention required by law” exception covers the exported total — it does not stretch to cover the raw signals underneath it.
  4. Write the schedule into the employee notice. DPDP Sections 5 and 6 require notice of purpose; a retention column per data category is the cheapest credibility you can add to that notice, and it is what a Data Protection Impact Assessment reviewer asks for first.

Key figures for the file — the most serious DPDP violations carry penalties up to INR 250 crore as prescribed in Schedule 1, and GDPR principle breaches (including storage limitation) can attract fines up to 4% of global annual turnover. Both regimes are fact-specific and penalties depend on circumstances — verify exposure with counsel.

Enforce it with auto-deletion, not an annual cleanup

A retention schedule that depends on a human remembering to purge data is a schedule you will fail. The audit question is never “what does your policy say” — it is “show me that the 91-day-old activity log no longer exists.” Manual cleanups fail that test for predictable reasons: the responsible admin changes roles, exports proliferate into spreadsheets, and the one quarter nobody ran the purge becomes the quarter of the breach.

This is where tooling choice becomes a compliance control. gStride implements retention as per-category clocks: activity signals, focus-session logs and aggregated reports each carry their own configurable period, deletion executes automatically at expiry, and statutory exports (approved timesheet totals for payroll and billing) are separated from the behavioural layer so the 8-year clock never becomes an excuse to hoard 8 years of activity logs. Because the schedule is configuration rather than policy prose, the same screen that sets it can be cited in your DPDP notice and your DPIA. Most monitoring tools — Hubstaff, Time Doctor, Teramind, ActivTrak among them — offer some retention or data-deletion settings; what to check in procurement is whether retention is per data category, whether deletion is automatic rather than ticket-driven, and whether the vendor will state the behaviour in writing. Confirm current capability directly with each vendor.
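As an added example (not gStride's code or any vendor's), here are the four segregation steps above and the automated enforcement this section asks for, in Python: a per-category clock table, a timesheet approval that exports only the durable total onto the 8-year clock, a purge that deletes each record on its own category clock, and the audit check for the oldest surviving record in a category. The category names, dates and sample records are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Benchmarks from the table above, in days; configuration, not policy prose (verify with counsel).
RETENTION_DAYS = {
    "screenshot": 30,
    "activity_signal": 90,
    "focus_session": 90,
    "aggregated_report": 365,
    "attendance_register": 3 * 365,
    "timesheet_total": 8 * 365,  # statutory record (books of account), not behavioural
    "security_log": 180,
}
DEMO_TODAY = date(2025, 4, 15)  # constructed "today" for the demo below

@dataclass
class Record:
    category: str
    created: date
    payload: dict = field(default_factory=dict)

def approve_timesheet(signals, approver, project, approved_on):
    """Export only the durable total to the statutory layer at approval time;
    the signals behind it are untouched and keep their own 90-day clock."""
    hours = sum(s.payload["hours"] for s in signals)
    return Record("timesheet_total", approved_on,
                  {"hours": hours, "project": project, "approver": approver})

def purge_expired(records, today):
    """Automated deletion on each category's own clock (unknown category -> KeyError)."""
    kept, deleted = [], []
    for r in records:
        limit = timedelta(days=RETENTION_DAYS[r.category])
        (deleted if today - r.created > limit else kept).append(r)
    return kept, deleted

def oldest_age_days(records, category, today):
    """Audit check: age of the oldest surviving record in a category (0 if none)."""
    ages = [(today - r.created).days for r in records if r.category == category]
    return max(ages) if ages else 0

def run_demo(today=DEMO_TODAY):
    # Constructed store: two signals behind one approved timesheet, a later signal, a screenshot.
    signals = [Record("activity_signal", date(2025, 1, 8), {"hours": 4.0}),
               Record("activity_signal", date(2025, 1, 9), {"hours": 3.5})]
    store = signals + [Record("activity_signal", date(2025, 2, 20), {"hours": 2.0}),
                       Record("screenshot", date(2025, 3, 1))]
    store.append(approve_timesheet(signals, "manager-1", "proj-42", date(2025, 1, 10)))
    return purge_expired(store, today)  # -> (2 kept, 3 deleted) on DEMO_TODAY
```

After the purge the approved total survives on the statutory clock while the two January signals it was built from are gone, which is the "91-day-old log no longer exists" answer an auditor wants to see.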

If you are drafting the surrounding paperwork, pair this schedule with the DPDP consent and notice template and the workplace DPIA guide — retention is one row in both documents.

Frequently asked questions

How long can you keep employee screenshots under the DPDP Act?

The DPDP Act 2023 sets no fixed day count; Section 8(7) requires erasure once the purpose is served unless retention is required by law. Because the practical purpose of a screenshot — resolving a dispute about a work session — expires within weeks, 30 days is a defensible working benchmark, and disabling screenshot capture entirely removes the question. Longer windows need a documented purpose. Verify with counsel.

Do the DPDP Rules 2025 set a fixed retention period for monitoring data?

Not for employers specifically. The draft DPDP Rules 2025 introduce erasure triggers — including time-bound erasure after user inactivity for certain large platforms, with advance notice before deletion — and they reinforce that data fiduciaries must erase personal data once the purpose is served. The pattern to copy is the mechanism: a defined trigger, a notice, then automated deletion. Confirm the final rule text and applicability with counsel.

Why keep timesheets 8 years when activity logs are deleted in 90 days?

Timesheets that feed payroll and client billing become part of your books of account, and Section 128(5) of the Companies Act 2013 requires books of account to be preserved for eight financial years; income-tax record expectations run roughly six years from the end of the relevant assessment year. Raw activity signals never enter the books — their purpose is coaching and planning — so DPDP purpose limitation pulls them down to about 90 days. Verify with counsel.

Does GDPR set specific day counts for monitoring data retention?

No. GDPR Article 5(1)(e) states the storage-limitation principle — keep personal data no longer than necessary for the purpose — and leaves the number to the controller, who must justify it. EU supervisory authorities have repeatedly faulted employers for indefinite or unjustified retention of monitoring data. A schedule with explicit day counts per data category is the standard way to demonstrate compliance. Verify with counsel.

What happens if we keep monitoring data with no retention schedule?

You accumulate risk on three fronts: regulatory exposure (DPDP Schedule 1 prescribes penalties up to INR 250 crore for the most serious violations; GDPR fines can reach 4% of global turnover for principle breaches — both fact-specific, verify with counsel), breach blast radius (every stored screenshot is exposed in an incident), and discovery burden (old behavioural data is discoverable in employment disputes). Retention without a schedule is a liability, not an asset.

How does gStride enforce retention automatically?

Retention is configured per data category, not as one global setting: activity signals carry their own clock, aggregated reports another, and statutory exports are separated from behavioural data so payroll record-keeping never becomes a reason to hoard activity logs. Deletion runs automatically when each clock expires, and the configured schedule can be referenced directly in your DPDP employee notice.

See per-category auto-deletion in one demo

Bring this retention table to a 15-minute walkthrough — we will configure each clock live, show the deletion log, and export the schedule text for your DPDP notice. Then model your penalty exposure for free.

Disclaimer: This article is general information, not legal advice. Retention benchmarks are working starting points, not statutory periods; DPDP Rules 2025 provisions referenced were in draft at the time of writing, and record-keeping requirements vary by state, sector and facts. Vendor capabilities are summarised from public documentation as of June 2026 and change over time. Verify every retention period, penalty figure and contract term with qualified counsel before acting.