GDPR requires that personal data is deleted once it’s no longer needed for the reasons it was originally collected. Organisations have to follow strict data retention policies, making sure they don’t hang on to personal info longer than necessary. Individuals also get a say, with a “right to be forgotten” (Article 17), meaning they can ask for their data to be erased if certain conditions apply. These could be things like the data no longer being needed, if consent was taken back, or if the info was handled unlawfully. Regular check-ups and audits of how long data is kept are crucial to stay on the right side of GDPR rules.