Personal data clause: Copy, customize, and use instantly

Introduction

A personal data clause governs the collection, use, processing, and protection of personal data shared under a contract. This clause ensures compliance with data protection laws, defines the responsibilities of each party, and outlines measures to safeguard sensitive information. It is essential for maintaining privacy and avoiding legal risks.

Below are templates for personal data clauses tailored to different scenarios. Copy, customize, and insert them into your agreement.

General personal data clause

This variation applies to agreements with basic personal data handling requirements.

Each party agrees to process personal data in accordance with applicable data protection laws, including [specific laws, e.g., GDPR or CCPA]. Both parties shall implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, use, or disclosure.

Personal data sharing clause

This variation applies to agreements involving the sharing of personal data between parties.

The parties agree that personal data shared under this Agreement shall only be used for the purposes specified herein. Neither party shall disclose such data to unauthorized third parties without prior written consent, except as required by law.

Data controller and data processor clause

This variation applies to agreements defining the roles of data controller and data processor.

[Party A] shall act as the data controller, determining the purposes and means of processing personal data, while [Party B] shall act as the data processor, processing personal data only on documented instructions from [Party A]. Both parties shall comply with their respective obligations under applicable data protection laws.

Personal data breach notification clause

This variation applies to agreements requiring breach notifications.

In the event of a personal data breach, the affected party shall notify the other party within [number] hours of becoming aware of the breach. The notification shall include details of the breach, its potential impact, and any remedial actions taken or proposed.

Cross-border data transfer clause

This variation applies to agreements involving international data transfers.

Any transfer of personal data outside of [region, e.g., the European Economic Area] shall comply with applicable data protection laws, including the implementation of appropriate safeguards such as Standard Contractual Clauses or binding corporate rules.

Personal data retention clause

This variation applies to agreements specifying data retention periods.

The parties agree to retain personal data only for as long as necessary to fulfill the purposes outlined in this Agreement or as required by applicable law. Upon expiration of the retention period, personal data shall be securely deleted or anonymized.

Personal data anonymization clause

This variation applies to agreements requiring anonymized data use.

Any personal data processed under this Agreement shall be anonymized where possible to minimize risks to data subjects. Anonymized data shall not be re-identified without prior written consent from the disclosing party.

Personal data access rights clause

This variation applies to agreements involving data subject access rights.

The parties agree to assist each other in responding to data subject requests, including access, rectification, erasure, or data portability, within the timelines required by applicable data protection laws. Any associated costs shall be borne by [responsible party].

Personal data security measures clause

This variation applies to agreements outlining data protection measures.

Each party shall implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, or loss. Measures include encryption, access controls, and regular security audits.

Personal data usage limitation clause

This variation applies to agreements limiting the scope of data use.

Personal data processed under this Agreement shall only be used for the specific purposes stated herein. The parties agree not to use such data for unrelated purposes without the prior written consent of the disclosing party.

Personal data audit clause

This variation applies to agreements requiring audits of data handling practices.

Each party agrees to permit the other party to conduct periodic audits of its personal data handling practices to ensure compliance with this Agreement and applicable data protection laws. Audits shall be conducted upon reasonable notice and during normal business hours.

Personal data third-party disclosure clause

This variation applies to agreements involving third-party data sharing.

Personal data shall not be disclosed to any third party without the prior written consent of the disclosing party, except as required by law or as necessary to fulfill the purposes of this Agreement. The receiving party shall ensure that any third party complies with equivalent data protection obligations.

Personal data transfer safeguards clause

This variation applies to agreements requiring specific safeguards for data transfers.

The parties agree to implement appropriate safeguards, such as encryption or secure file transfers, when transmitting personal data electronically or physically. Any breach of these safeguards must be reported immediately.

Joint data controllers clause

This variation applies to agreements involving joint data controller responsibilities.

The parties agree to act as joint data controllers for the personal data processed under this Agreement. Each party shall cooperate in fulfilling their respective data protection obligations, including responding to data subject requests and ensuring lawful processing.

Personal data processing agreement clause

This variation applies to agreements requiring a separate data processing agreement.

The parties agree to execute a data processing agreement that governs the handling of personal data under this Agreement. The data processing agreement shall comply with applicable data protection laws and outline roles, responsibilities, and security measures.

Personal data pseudonymization clause

This variation applies to agreements requiring pseudonymized data processing.

Personal data processed under this Agreement shall be pseudonymized where feasible to enhance privacy and minimize risks. The parties agree to maintain the separation of pseudonymized data from identifying information.

Employee personal data protection clause

This variation applies to agreements involving employee data.

The parties agree to process employee personal data in compliance with applicable employment and data protection laws. Employee data shall only be used for purposes related to employment obligations and shall not be disclosed without prior consent, except as required by law.

Personal data incident response clause

This variation applies to agreements requiring incident response plans.

Each party shall maintain an incident response plan to address potential personal data breaches. The plan shall include procedures for containment, investigation, notification, and mitigation of any identified risks.

Personal data regulatory compliance clause

This variation applies to agreements requiring adherence to specific laws.

The parties agree to comply with all applicable data protection regulations, including [specific laws, e.g., GDPR, HIPAA, or CCPA]. Any changes in legislation shall be reflected in the data processing practices under this Agreement.

Personal data encryption clause

This variation applies to agreements requiring encrypted data processing.

All personal data processed under this Agreement shall be encrypted at rest and in transit using industry-standard encryption protocols. Decryption keys shall be securely managed and restricted to authorized personnel.

Personal data destruction clause

This variation applies to agreements specifying data destruction protocols.

Upon termination or completion of this Agreement, each party shall securely destroy all personal data in its possession, unless retention is required by law. A certificate of destruction shall be provided upon request.

Personal data liability clause

This variation applies to agreements defining liability for data breaches.

Each party shall be liable for any damages or penalties resulting from its failure to comply with the personal data obligations under this Agreement. The indemnified party shall provide notice of any claims related to personal data breaches.

Data protection officer notification clause

This variation applies to agreements involving a DPO.

The parties agree to appoint a Data Protection Officer (DPO) to oversee compliance with data protection laws under this Agreement. The DPO’s contact information shall be shared with the other party for ease of communication.

Data subject consent management clause

This variation applies to agreements requiring explicit consent.

The parties agree to obtain and document explicit consent from data subjects before processing their personal data, where required by law. The parties shall maintain records of such consent for auditing purposes.

Personal data compliance training clause

This variation applies to agreements involving staff training.

Each party agrees to provide regular training to its employees and contractors on the proper handling of personal data under this Agreement. Training records shall be maintained and made available for inspection upon request.

Personal data cross-border compliance clause

This variation applies to agreements involving international data transfers and compliance.

The parties agree to ensure compliance with applicable laws governing cross-border transfers of personal data. Transfers shall only occur where adequate safeguards, such as Standard Contractual Clauses, are in place to protect data privacy.

Personal data access restriction clause

This variation applies to agreements limiting access to personal data.

Access to personal data processed under this Agreement shall be restricted to authorized personnel who require it for the purposes specified herein. The parties agree to maintain a record of access and regularly review permissions.

Data breach remediation clause

This variation applies to agreements requiring breach remediation.

In the event of a personal data breach, the responsible party agrees to promptly take all necessary steps to contain and remediate the breach, including notifying affected data subjects if required by applicable law.

Personal data portability clause

This variation applies to agreements involving the portability of personal data.

The parties agree to assist data subjects in exercising their right to data portability under applicable laws. Personal data requested for portability shall be provided in a structured, commonly used, and machine-readable format within [number] days of the request.

Data deletion request clause

This variation applies to agreements addressing data erasure requests.

The parties agree to comply with data subject requests for deletion of personal data, unless retention is required by law. Such requests shall be processed within [number] days, and confirmation of deletion shall be provided upon completion.

Personal data subcontracting clause

This variation applies to agreements involving third-party processors.

The parties agree not to subcontract the processing of personal data to third parties without prior written consent. Any approved subcontractors shall comply with the same data protection obligations set forth in this Agreement.

Children’s personal data clause

This variation applies to agreements involving the processing of children’s data.

Personal data relating to individuals under the age of [age] shall be processed only with verifiable parental consent, where required by applicable laws. The parties agree to implement enhanced safeguards to protect children’s personal data.

Data breach liability allocation clause

This variation applies to agreements defining liability for data breaches.

Each party shall bear liability for damages resulting from its negligence in safeguarding personal data under this Agreement. The indemnified party shall be notified of any claims, and both parties shall cooperate to address potential liabilities.

Personal data minimization clause

This variation applies to agreements emphasizing limited data collection.

The parties agree to collect and process only the minimum amount of personal data necessary to fulfill the purposes outlined in this Agreement. Any unnecessary data shall be promptly deleted or anonymized.

Personal data pseudonymization management clause

This variation applies to agreements requiring the use of pseudonymized data.

The parties agree to implement pseudonymization techniques for personal data wherever feasible. Pseudonymized data shall be stored separately from identifying information, with access restricted to authorized personnel.

Personal data incident reporting clause

This variation applies to agreements requiring the reporting of security incidents.

Each party agrees to notify the other party of any security incidents affecting personal data within [number] hours of discovery. Notifications shall include details of the incident, impact assessment, and proposed remediation measures.

Data processing impact assessment clause

This variation applies to agreements involving high-risk processing activities.

The parties agree to conduct a data protection impact assessment (DPIA) for any processing activities that may pose a high risk to data subjects’ privacy. DPIAs shall be documented and made available to relevant authorities upon request.

Personal data accountability clause

This variation applies to agreements requiring accountability measures.

Each party agrees to document and demonstrate compliance with the personal data obligations under this Agreement. Documentation shall include records of processing activities, training records, and risk assessments.

Personal data notification of changes clause

This variation applies to agreements requiring notification of data policy changes.

The parties agree to notify each other of any material changes to their data protection policies or practices that may impact the processing of personal data under this Agreement. Notifications shall be made within [number] days of the change.

Personal data role reassignment clause

This variation applies to agreements involving changes in data processing roles.

If a party’s role as a data controller or processor changes during the term of this Agreement, the parties agree to execute an addendum reflecting the updated roles and responsibilities, ensuring compliance with applicable laws.

Personal data forensic investigation clause

This variation applies to agreements requiring forensic analysis in case of breaches.

In the event of a suspected data breach, the responsible party agrees to conduct a forensic investigation to determine the cause, impact, and mitigation steps. The investigation findings shall be shared with the other party within [number] days.

Personal data compliance certification clause

This variation applies to agreements requiring compliance certification.

Each party agrees to obtain and maintain certifications demonstrating compliance with applicable data protection standards, such as ISO/IEC 27001 or SOC 2. Proof of certification shall be provided to the other party upon request.

Personal data ownership clause

This variation applies to agreements defining data ownership.

All personal data processed under this Agreement shall remain the property of the data controller. The processor shall have no ownership rights over the data and shall process it solely for the purposes outlined in this Agreement.

Personal data employee monitoring clause

This variation applies to agreements involving monitoring of employee data.

Employee personal data collected under this Agreement shall only be used for lawful purposes, such as performance monitoring or compliance. The parties agree to inform employees of the monitoring activities and obtain their consent where required by law.

Personal data consent withdrawal clause

This variation applies to agreements involving the withdrawal of consent.

The parties agree to honor data subjects’ requests to withdraw consent for personal data processing. Upon receipt of such requests, the responsible party shall cease processing and securely delete the data unless retention is legally required.

Personal data confidentiality clause

This variation applies to agreements requiring strict confidentiality for personal data.

Each party agrees to treat personal data processed under this Agreement as strictly confidential. Personal data shall not be disclosed to any unauthorized individuals or entities without the prior written consent of the disclosing party.

Personal data storage location clause

This variation applies to agreements specifying data storage requirements.

All personal data processed under this Agreement shall be stored within [specific region or jurisdiction] to ensure compliance with applicable data protection laws. The parties agree to notify each other of any changes in storage location.

Personal data accuracy clause

This variation applies to agreements emphasizing data accuracy.

Each party agrees to take reasonable steps to ensure the accuracy and completeness of personal data processed under this Agreement. Data subjects shall have the right to request corrections to inaccurate or incomplete data.

Data anonymization for research clause

This variation applies to agreements involving data anonymization for research purposes.

Personal data used for research purposes under this Agreement shall be anonymized before use. The parties agree not to attempt re-identification of anonymized data without explicit consent.

Personal data disaster recovery clause

This variation applies to agreements involving data recovery plans.

Each party shall maintain a disaster recovery plan to ensure the availability and integrity of personal data in the event of a system failure or data loss. The plan shall include regular backups and secure storage of recovery data.

Personal data vendor assessment clause

This variation applies to agreements involving third-party vendor assessments.

Before engaging third-party vendors to process personal data, the parties agree to conduct due diligence to ensure the vendor’s compliance with applicable data protection standards. Documentation of the assessment shall be maintained for audit purposes.

Data subject notification clause

This variation applies to agreements requiring notification to affected individuals.

In the event of a data breach, the parties agree to notify affected data subjects as required by applicable laws. Notifications shall include details of the breach, its potential impact, and any remedial measures taken.

Personal data training requirements clause

This variation applies to agreements involving staff training.

Each party agrees to provide regular training to employees involved in personal data processing. Training shall cover data protection laws, company policies, and procedures to prevent unauthorized access or breaches.

Data retention schedule clause

This variation applies to agreements defining retention schedules.

The parties agree to maintain a data retention schedule that specifies how long personal data will be retained for each purpose. Retention periods shall comply with applicable laws and be documented for accountability.

Personal data portability collaboration clause

This variation applies to agreements requiring cooperation in data portability.

The parties agree to cooperate in facilitating data portability requests from data subjects. Personal data shall be transferred in a secure and structured format within [number] days of receiving the request.

Personal data lifecycle management clause

This variation applies to agreements requiring oversight of data lifecycle.

The parties agree to implement personal data lifecycle management practices, including secure collection, processing, storage, and destruction of data. Documentation of these practices shall be maintained for compliance purposes.

Data masking clause

This variation applies to agreements involving sensitive data masking.

Sensitive personal data processed under this Agreement shall be masked wherever possible to minimize privacy risks. Access to unmasked data shall be restricted to authorized personnel with a legitimate business need.

Personal data shared responsibility clause

This variation applies to agreements involving shared processing responsibilities.

The parties agree to share responsibility for personal data processing under this Agreement. Each party shall fulfill its respective obligations to ensure compliance with applicable data protection laws.

Personal data deletion certification clause

This variation applies to agreements requiring confirmation of data deletion.

Upon request or termination of this Agreement, the receiving party shall securely delete all personal data and provide a written certification of deletion to the disclosing party within [number] days.

Data breach investigation clause

This variation applies to agreements requiring detailed breach investigations.

In the event of a data breach, the responsible party agrees to conduct a thorough investigation to identify the cause and implement corrective actions. A detailed report of the investigation shall be shared with the other party within [number] days.

Personal data export compliance clause

This variation applies to agreements involving data export controls.

The parties agree to ensure compliance with applicable export controls and restrictions on the transfer of personal data to other jurisdictions. Data transfers shall only occur with prior approval and appropriate safeguards in place.

Personal data user authentication clause

This variation applies to agreements requiring authentication protocols.

Access to personal data processed under this Agreement shall require user authentication protocols, including password protection, multi-factor authentication, and regular credential updates.

Sensitive data protection clause

This variation applies to agreements involving highly sensitive data.

The parties agree to implement enhanced protections for sensitive personal data, including encryption, access controls, and strict audit trails. Unauthorized access or processing of sensitive data is strictly prohibited.

Data breach cost allocation clause

This variation applies to agreements defining financial responsibility for breaches.

In the event of a data breach, the responsible party agrees to bear the costs of remediation, notification, and any regulatory fines. The indemnified party shall cooperate in the remediation process to mitigate damages.

Personal data transparency clause

This variation applies to agreements emphasizing transparency.

The parties agree to maintain transparency regarding personal data processing activities under this Agreement. Data subjects shall be informed of the purposes, legal basis, and methods of processing, as well as their rights under applicable laws.

Personal data encryption management clause

This variation applies to agreements requiring detailed encryption practices.

The parties agree to use encryption for all personal data processed under this Agreement, both in transit and at rest. Encryption keys shall be securely stored, with access restricted to authorized personnel only.

Personal data accountability audit clause

This variation applies to agreements requiring regular audits for compliance.

Each party agrees to participate in regular audits to verify compliance with the personal data obligations under this Agreement. Audit results shall be documented, and any non-compliance issues must be addressed within [number] days.

Data subject complaint handling clause

This variation applies to agreements requiring a process for handling complaints.

The parties agree to establish and maintain a process for handling data subject complaints related to personal data processing. Complaints shall be resolved promptly and in accordance with applicable laws.

Personal data sub-processing approval clause

This variation applies to agreements involving the use of sub-processors.

The processor agrees not to engage any sub-processors without the prior written consent of the controller. Approved sub-processors shall be bound by the same data protection obligations as outlined in this Agreement.

Personal data classification clause

This variation applies to agreements requiring data classification.

The parties agree to classify personal data processed under this Agreement based on its sensitivity and risk level. Classification categories shall guide the application of security measures and access controls.

Personal data transfer compliance clause

This variation applies to agreements involving compliance for cross-border transfers.

All personal data transfers under this Agreement shall comply with applicable international data protection regulations. Where required, the parties agree to implement transfer mechanisms such as Binding Corporate Rules or Standard Contractual Clauses.

Personal data usage reporting clause

This variation applies to agreements requiring periodic data usage reports.

The processor agrees to provide periodic reports detailing the use and processing of personal data under this Agreement. Reports shall include details of processing activities, access logs, and any incidents.

Personal data access revocation clause

This variation applies to agreements requiring revocation of access upon termination.

Upon termination of this Agreement or at the request of the controller, the processor agrees to revoke access to personal data for all authorized personnel and securely delete or return the data as instructed.

Personal data anonymization assurance clause

This variation applies to agreements requiring continuous anonymization.

The processor agrees to anonymize personal data when it is no longer required for the purposes outlined in this Agreement. Anonymized data shall not be re-identified without prior written consent from the controller.

Data subject consent records clause

This variation applies to agreements requiring consent documentation.

The parties agree to maintain accurate records of data subject consents obtained under this Agreement. These records shall be made available for inspection upon request by the other party or relevant authorities.

Personal data incident containment clause

This variation applies to agreements requiring rapid containment of incidents.

In the event of a personal data incident, the responsible party agrees to take immediate steps to contain the incident, including isolating affected systems and mitigating further risks. A full report shall be provided to the other party within [number] hours.

Personal data aggregation clause

This variation applies to agreements involving aggregated data.

Any personal data used for aggregation under this Agreement shall be stripped of identifying information to ensure anonymity. Aggregated data shall only be used for the purposes specified in this Agreement.

Data subject communication clause

This variation applies to agreements requiring communication with data subjects.

The parties agree to cooperate in communicating with data subjects regarding their personal data rights, including responding to access requests, correcting inaccuracies, and addressing concerns within legally required timeframes.

Personal data monitoring clause

This variation applies to agreements requiring continuous monitoring of processing activities.

The processor agrees to implement tools and processes to monitor the processing of personal data under this Agreement. Any deviations from agreed practices shall be promptly reported to the controller.

Personal data security certification clause

This variation applies to agreements requiring certifications for security practices.

The processor agrees to obtain and maintain certifications such as ISO 27001 or SOC 2 to demonstrate adherence to high standards of personal data security. Proof of certification shall be shared with the controller upon request.

Personal data policy alignment clause

This variation applies to agreements requiring policy alignment.

The parties agree to align their data protection policies and practices to ensure consistency in personal data handling under this Agreement. Any updates to policies shall be communicated in advance.

Data minimization enforcement clause

This variation applies to agreements requiring strict data minimization practices.

The parties agree to enforce data minimization principles, ensuring that only the personal data necessary for the purposes outlined in this Agreement is collected and processed.

Personal data audit trail clause

This variation applies to agreements requiring detailed tracking of data access.

The processor agrees to maintain an audit trail documenting all access to and processing of personal data under this Agreement. The audit trail shall be reviewed periodically to ensure compliance and detect any unauthorized access.

Personal data compliance escalation clause

This variation applies to agreements requiring escalation for non-compliance.

Any instances of non-compliance with personal data obligations under this Agreement shall be escalated to the responsible party’s senior management within [number] hours of discovery. Corrective actions shall be implemented promptly.

Personal data transfer transparency clause

This variation applies to agreements requiring clear reporting of data transfers.

The processor agrees to provide detailed records of all personal data transfers, including the purpose, destination, and legal basis for each transfer. These records shall be available for review by the controller or relevant authorities.

Personal data breach notification timeline clause

This variation applies to agreements specifying the exact timeline for breach notifications.

In the event of a personal data breach, the affected party shall notify the other party within [specific number] hours. The notification shall include all relevant details, such as the nature of the breach, affected data, and steps taken to mitigate risks.

Personal data retraction clause

This variation applies to agreements requiring retraction of previously shared data.

Upon the request of the data controller, the processor agrees to retract and cease processing any specified personal data immediately. Proof of retraction shall be provided to the controller within [specific number] days.

Data masking for shared environments clause

This variation applies to agreements involving shared systems or environments.

Personal data stored or processed in shared environments shall be masked to prevent unauthorized viewing. Access to unmasked data shall require explicit written authorization from the controller.

Personal data deletion on termination clause

This variation applies to agreements involving end-of-contract data deletion.

Upon termination of this Agreement, the processor agrees to delete all personal data within [specific number] days unless otherwise instructed by the controller. A certificate of deletion shall be provided upon completion.

Data subject verification clause

This variation applies to agreements requiring data subject identity verification.

The parties agree to verify the identity of data subjects before fulfilling any requests related to personal data. Verification methods shall comply with applicable laws and ensure the security of personal data.

Personal data internal audit clause

This variation applies to agreements requiring internal compliance checks.

Each party agrees to conduct internal audits of their personal data processing activities at least once annually to ensure compliance with this Agreement and applicable laws. Audit reports shall be shared with the other party upon request.

Sensitive data logging clause

This variation applies to agreements requiring tracking of sensitive data access.

Access to sensitive personal data processed under this Agreement shall be logged, with details including the accessing individual, date, and purpose. Logs shall be reviewed periodically to ensure compliance.

Personal data role-based access clause

This variation applies to agreements specifying access limitations.

Access to personal data shall be restricted to personnel with a legitimate need based on their role. The parties agree to review and update access permissions regularly to reflect changes in responsibilities.

Personal data backup and recovery clause

This variation applies to agreements requiring secure data backups.

The processor agrees to implement regular backups of personal data processed under this Agreement. Backup data shall be securely stored and accessible only for recovery purposes in compliance with this Agreement.

Data portability assurance clause

This variation applies to agreements focusing on secure data portability.

The parties agree to ensure secure data portability by using encrypted file transfers and structured formats. The controller shall have the right to request details of transfer security measures used.

Data subject interaction transparency clause

This variation applies to agreements involving data subject communications.

The processor agrees to document all interactions with data subjects related to personal data requests and provide a summary of such interactions to the controller upon request.

Personal data joint liability clause

This variation applies to agreements involving shared liability for breaches.

Both parties agree to share liability for any breaches of personal data caused by joint processing activities under this Agreement. The allocation of liability shall be determined based on the level of responsibility for the breach.

Personal data consent withdrawal tracking clause

This variation applies to agreements requiring records of consent withdrawals.

The parties agree to maintain a log of all consent withdrawals received from data subjects. The log shall include details of the data subject, date of withdrawal, and actions taken to cease processing.

Personal data retention override clause

This variation applies to agreements with conditional retention requirements.

Retention of personal data beyond the specified period is only permitted with explicit written consent from the controller or if legally required. Documentation justifying such retention must be provided upon request.

Third-party data processing compliance clause

This variation applies to agreements involving third-party processors.

Any third-party processors engaged under this Agreement must comply with equivalent data protection standards as outlined herein. The processor agrees to remain fully liable for any non-compliance by third-party processors.

Data retention automation clause

This variation applies to agreements involving automated retention mechanisms.

The processor agrees to implement automated systems to enforce data retention policies. These systems shall securely delete or archive personal data when retention periods expire, in compliance with applicable laws.

Personal data purpose limitation clause

This variation applies to agreements requiring strict adherence to data purposes.

Personal data processed under this Agreement shall only be used for the specific purposes outlined herein. Any additional use requires prior written approval from the controller and documentation of the legal basis.

Data destruction verification clause

This variation applies to agreements requiring confirmation of data destruction.

The processor agrees to provide a detailed report verifying the secure destruction of personal data, including the method used, the date of destruction, and a certification signed by an authorized representative.

Personal data system access logging clause

This variation applies to agreements requiring detailed logs of system access.

All access to systems containing personal data processed under this Agreement shall be logged. Logs shall include details of the user, date, and purpose of access and be retained for at least [specific number] years for auditing purposes.

---

This article contains general legal information and does not contain legal advice. Cobrief is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.