The keeping of data imposes an obligation on the Controller to keep the data safe, not to keep the data for longer than is necessary for that purpose and to ensure that the appropriate notifications and action steps are taken in the event of a breach.