Overview
Both during and after the sales process, we often hear compliance users trying to reconcile the data retention mandates of MiFID II with the strict personal data protection rules of GDPR.
On one hand, MiFID II and its companion regulation MiFIR require firms to “save everything”, recording and storing extensive transactional and communications data for years.
On the other hand, the EU’s General Data Protection Regulation (GDPR) enshrines individuals’ “right to be forgotten”, mandating that personal data not be kept longer than necessary. This apparent conflict invites the question: Is it possible to fully comply with both MiFID’s record-keeping rules and GDPR’s data privacy requirements?
This article delves into what the regulations actually say for both regimes and explores how firms can balance the two. We will look at the specific requirements in the EU and UK, discuss whether these rules truly conflict, and highlight strategies (and regulator guidance) for achieving compliance with both.
MiFID II/MiFIR Record-Keeping Requirements
MiFID II and MiFIR impose specific record-keeping obligations on financial institutions. Investment firms must record and retain all business communications and trading records for extended periods. For example, MiFID II explicitly requires firms to record telephone conversations and electronic communications related to client orders or trades, and to keep these records for a minimum of five years (extendable to seven years at regulatory request). In practice, this means emails, voice calls, chat messages, and meeting notes that pertain to transactions or client orders must be stored on durable, tamper-proof media for at least five years.
“The records kept in accordance with this paragraph... shall be kept for a period of five years and, where requested by the competent authority, for a period of up to seven years.”
Notably, MiFIR’s transaction reporting rules oblige firms to collect and report sensitive personal data about traders and clients, such as national identification numbers, passports, and dates of birth, to regulators for market oversight. These data points are considered personally identifiable information (PII) under data protection laws, yet MiFID/MiFIR require their collection to detect market abuse and ensure transparency.
These EU requirements have been mirrored in UK regulations as well. Following Brexit, the UK adopted equivalent rules: the FCA’s SYSC 10A and related record-keeping provisions also demand that firms record in-scope communications and retain them for five years (or up to seven years on request).
GDPR Data Protection Obligations
In contrast to MiFID’s “save-everything” approach, the General Data Protection Regulation (GDPR) takes a privacy-first stance on personal data. GDPR applies to any personal data (information relating to an identified or identifiable individual) processed by organisations, including the client and employee data that financial firms handle for compliance.
Data & Storage Minimisation
Several core principles of GDPR are directly relevant to the record-keeping discussion. First, the principle of data minimisation means firms should only collect personal data that is adequate, relevant, and limited to what is necessary for the purpose. Second, the principle of storage limitation (Article 5(1)(e)) says personal data shall be kept “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. In other words, you shouldn’t retain personal data indefinitely “just in case” – you need a defined purpose and timeframe. This is why GDPR drives organisations to implement data retention policies and to delete or anonymise personal data once it’s no longer needed.
Right to Erasure
Perhaps the most well-known GDPR provision is the “right to erasure” (Article 17), often called the “right to be forgotten”. This gives individuals the right to request deletion of their personal data in certain circumstances – for instance, if the data is no longer necessary, or if the individual withdraws consent. At face value, this right could be seen as clashing directly with MiFID II’s requirement to retain records for years. One could imagine a client asking a brokerage to erase their personal details, while the firm is obliged under MiFID to keep those very records for regulatory reasons.
Exceptions
GDPR, however, does recognise that not all data can be deleted on request – there are important exceptions to the right of erasure. Specifically, Article 17(3) exempts data from deletion when processing is necessary for compliance with a legal obligation. Likewise, GDPR’s principle of lawfulness (Article 6) provides specific legal bases under which personal data can be processed – one of which is when “processing is necessary for compliance with a legal obligation to which the controller is subject”. In plainer terms, if another law requires you to retain certain data, then complying with that law is a lawful basis for holding and processing that personal data under GDPR.
This point is crucial for reconciling GDPR with MiFID II.
Conflict or Compatibility?
On the surface, MiFID II and GDPR seem to be at odds.
GDPR enshrines the “right to erasure”, champions proportionate collection and discourages unnecessary retention of personal data. MiFID II tells financial institutions to collect and retain as much relevant data as possible about transactions and communications for a lengthy period.
For example, MiFID II says firms must keep voice recordings and emails for at least five years, whereas GDPR’s ethos would suggest deleting personal data as soon as it’s no longer needed. MiFID II/MiFIR require capturing clients’ passport numbers or national ID codes for trade reporting, yet GDPR treats that information as highly sensitive and subject to strict protection. The popular summaries of each regulation capture the contrast well: MiFID II – “store everything about customers’ financial transactions for five years,” vs. GDPR – “individuals have the right to be forgotten.”
The key to resolving the tension lies in understanding the legal basis and scope.
GDPR doesn’t flatly prohibit data retention; rather, it requires that retention of personal data have a valid justification.
MiFID II provides that justification by law.
If a firm is obligated under MiFID/MiFIR to retain certain data, then under GDPR, this falls under “necessary for compliance with a legal obligation”. Additionally, GDPR’s right to erasure is not absolute – a firm can legitimately refuse an erasure request if the data must be retained to comply with a financial regulation or other legal duty.
Reconciling the Requirements
To retain what MiFID II requires while abiding by the overall requirements of GDPR, firms should document, and build procedures around, the following:
Use “Legal Obligation” as the Lawful Basis
Clearly document that the personal data you retain for MiFID II compliance (call recordings, trade logs with client details, etc.) is being processed under the GDPR basis of legal obligation. Article 6(1)(c) GDPR explicitly permits processing that is necessary for compliance with a law.
This means you do not need consent to record calls or keep customer identifiers for five years; in fact, seeking consent would be inappropriate because you have a legal duty. Instead, inform individuals (e.g. via privacy notices) that their data will be retained to meet regulatory requirements. By anchoring your processing on this legal basis, GDPR effectively “green-lights” the data retention mandated by MiFID II.
Apply Right-to-Erasure Exceptions
If a client or employee asks to have their data erased, evaluate whether any of that data is subject to ongoing MiFID/MiFIR retention obligations. GDPR Article 17(3) says the right to erasure does not apply if processing is necessary for compliance with a legal obligation.
In practice, a firm should be prepared to explain that it cannot delete certain records for X years due to financial regulations. For example, a trader cannot demand that their transaction history be wiped after a year, because the firm is legally required to hold it for at least five years. Importantly, this is not a “violation” of GDPR; it is an explicit exemption within GDPR. Regulators encourage firms to be transparent about this reality.
Data Minimisation in Practice
Even within the scope of MiFID II’s requirements, collect and retain only the personal data that is actually needed to satisfy the rules. MiFID/MiFIR spells out what information is required (e.g. the client’s official identifier for a transaction report). Firms should avoid any tendency to “over-collect” extra personal data beyond what the regulation mandates.
Unnecessary data not only breaches GDPR’s minimisation principle but also increases risk. Stick to what the regulation explicitly requires – for example, if MiFIR mandates a national ID or a concatenation of name and birthdate for a trader’s ID, choose the appropriate option but don’t collect additional personal details “just in case”. By minimising data, you reduce your GDPR exposure while still fully complying with MiFID II obligations.
Retention Schedules & Deletion
MiFID II provides a minimum retention period (five years, extendable to seven), but not an indefinite one. Once that period expires, GDPR’s normal rules reassert themselves fully. Firms should have processes to delete or anonymise personal data once the regulatory retention period is over, unless another valid legal reason justifies continued retention.
In other words, holding data longer than necessary can violate GDPR unless you have a new lawful basis. A best practice is to align your internal data retention schedule with MiFID II timelines; for instance, automatically purge or archive records after five (or seven) years unless an investigation, litigation hold, or another regulation requires a longer retention.
Notably, other financial regulations follow this pattern as well: the UK’s Money Laundering Regulations, for example, require customer due diligence records to be kept for 5 years, after which the personal data must be deleted unless it needs to be retained by law or for legal proceedings. By disposing of data once it is no longer needed for its original purpose, you demonstrate accountability under GDPR and reduce the risk of breaches or unauthorised use down the line.
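As an added illustration of the decision logic in the Apply Right-to-Erasure Exceptions and Retention Schedules & Deletion steps above (example code written for this page, not SteelEye’s product or any firm’s actual procedure), the Python sketch below decides an erasure request against the five-year MiFID II period, the seven-year regulator extension and an investigation or litigation hold, and lists records whose regulatory retention has expired. The Record fields and identifiers are hypothetical.

```python
# Added example (not SteelEye's code): retention-aware handling of a GDPR
# erasure request for records that fall under MiFID II/MiFIR record-keeping.
from dataclasses import dataclass
from datetime import date
from enum import Enum

MIN_RETENTION_YEARS = 5       # MiFID II minimum retention period
EXTENDED_RETENTION_YEARS = 7  # upper bound when the competent authority requests it


class Decision(Enum):
    RETAIN_LEGAL_OBLIGATION = "retain: MiFID II/MiFIR duty (GDPR Art. 6(1)(c), Art. 17(3))"
    RETAIN_LEGAL_HOLD = "retain: investigation or litigation hold"
    ERASE = "erase or anonymise: retention period over, no remaining lawful basis"


@dataclass(frozen=True)
class Record:
    record_id: str                      # hypothetical identifier
    created: date                       # date the communication or transaction was recorded
    mifid_in_scope: bool                # falls under MiFID II/MiFIR record-keeping
    regulator_extension: bool = False   # competent authority asked for up to seven years
    legal_hold: bool = False            # investigation or litigation hold in place


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> date:
    """First day on which the MiFID II retention obligation no longer applies."""
    years = EXTENDED_RETENTION_YEARS if record.regulator_extension else MIN_RETENTION_YEARS
    return add_years(record.created, years)


def evaluate_erasure_request(record: Record, today: date) -> Decision:
    """Decide an Article 17 request: legal obligation first, then holds, then erase."""
    if record.mifid_in_scope and today < retention_end(record):
        return Decision.RETAIN_LEGAL_OBLIGATION
    if record.legal_hold:
        return Decision.RETAIN_LEGAL_HOLD
    # Outside the MiFID window (or never in scope) and no hold: storage limitation
    # applies; any other lawful basis would have to be modelled separately.
    return Decision.ERASE


def due_for_disposal(records: list, today: date) -> list:
    """Scheduled purge: record IDs whose regulatory retention has expired."""
    return [r.record_id for r in records
            if evaluate_erasure_request(r, today) is Decision.ERASE]
```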
Conclusion
Balancing GDPR and MiFID II/MiFIR is essential.
In practice, the two regimes can complement each other when a firm carefully follows the letter and spirit of both. MiFID II compels firms to maintain robust records for market integrity; GDPR ensures that in doing so, firms also uphold individuals’ rights and data security.
The question, “GDPR vs. MiFID – which takes precedence?” is answered by adhering to both: use MiFID II’s requirements to define what data to keep and for how long, and use GDPR to guide how to handle that data responsibly and when to eventually dispose of it.
Discover how SteelEye’s robust data and surveillance capabilities can help you make informed, compliant decisions when it comes to record-keeping and personal data protection.