
Microsoft Purview Data Lifecycle Management for Small Businesses in Berlin

Most organisations focus their data protection efforts on preventing unauthorised access to sensitive information. Fewer manage the other half of the data protection obligation: ensuring that information that should no longer exist is systematically deleted. GDPR Article 5(1)(e) — the storage limitation principle — requires personal data to be kept no longer than necessary for the purposes for which it was collected. Microsoft Purview Data Lifecycle Management provides the retention labels, retention policies, and records management capabilities to meet this obligation at scale — automatically, across all Microsoft 365 workloads, without manual intervention.

This guide explains how retention labels and policies work, how they interact with sensitivity labels and eDiscovery, and how Berlin businesses can implement a compliant data lifecycle programme in Microsoft 365.

What Is Data Lifecycle Management?

Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance) is the Microsoft 365 capability for managing content at end-of-life: how long to retain it, when to delete it, and how to declare it as an immutable regulatory record that cannot be deleted before a defined date.

It operates through two complementary mechanisms:

  • Retention policies: container-level rules applied to entire workloads (all Exchange mailboxes, all SharePoint sites, all Teams chats) without touching individual items. They are applied in bulk and require no per-item action
  • Retention labels: item-level rules applied to individual documents, emails, or Teams messages. Labels can be applied manually by users, automatically by content analysis (keyword, sensitive information type, trainable classifier), or by event trigger (a contract label triggers a retention period when a client account is closed)

Retention Policies: Workload-Level Governance

Retention policies are the first layer of data lifecycle governance — broad rules that ensure no content falls through the regulatory cracks. They are configured in the Microsoft Purview compliance portal and applied to:

  • Exchange mailboxes (all users, specific users, or all shared mailboxes)
  • SharePoint sites (all sites, specific sites, or all OneDrive accounts)
  • Microsoft Teams channel messages and private chats
  • Viva Engage (Yammer) community messages
  • Microsoft Loop and Copilot interactions

A retention policy defines a retention action (retain only, delete only, or retain-then-delete) and a retention period. The most common configuration for GDPR compliance:

| Workload | Retention Action | Period | Regulatory Basis |
|---|---|---|---|
| Exchange (employee mailboxes) | Retain then delete | 3 years | HGB § 257 (business correspondence) |
| Exchange (invoices/contracts) | Retain then delete | 10 years | HGB § 257 (commercial books and records) |
| SharePoint (general) | Retain then delete | 5 years | GDPR storage limitation + operational necessity |
| Teams channel messages | Retain then delete | 3 years | Business communication retention |
| Teams private chats | Retain then delete | 1 year | GDPR data minimisation |

Retention Labels: Item-Level Precision

Retention labels allow differentiated treatment of content within the same workload. A SharePoint site might contain both marketing materials (delete after 2 years) and legally signed contracts (retain for 10 years as records). A retention policy cannot distinguish between these — retention labels can.

Labels can be applied through three mechanisms:

Manual application: users apply labels in Outlook, SharePoint, and OneDrive from a label picker. This is appropriate for high-value documents that require intentional record declaration (contracts, board resolutions, regulatory filings).

Auto-apply policies: the system automatically applies a label to content matching a condition. Conditions include: specific keywords (e.g., “Vertrag” or “Auftragsbestätigung” in a document), sensitive information types (e.g., German personal ID number, IBAN), or trainable classifiers (e.g., “legal agreement” or “financial statement” classifiers trained on document samples).

Event-based retention: the retention period starts when an event occurs, not when the content was created. For example, a client contract label starts a 7-year retention period when the corresponding client account is marked as closed in the system — not when the contract was signed. This is the correct model for compliance with German commercial retention requirements (HGB) where the retention period runs from the last business event, not from document creation.

Records Management and Immutable Records

When a retention label is configured as a regulatory record, the labelled item becomes immutable: it cannot be modified, moved, or deleted — even by global administrators — until the retention period expires. The Purview audit log records every attempt to alter a regulatory record. This is the highest level of data protection and is appropriate for documents that must be preserved for legal or regulatory reasons: audit reports, signed contracts, GDPR processing activity records under Article 30.

Disposition review is the workflow that runs at the end of a retention period: instead of automatically deleting content, a disposition review notifies designated reviewers who can approve deletion, extend the retention period, or re-label the item before deletion. This is required when the decision to delete cannot be fully automated — for example, legal files where a case might still be open at the scheduled deletion date.

Integration with Sensitivity Labels

Sensitivity labels and retention labels serve different but complementary functions: sensitivity labels control access and encryption; retention labels control lifecycle. They can be combined: a document can carry both a Confidential sensitivity label (encrypting it and restricting sharing) and a 7-year retention label (preventing deletion for the required period).

Auto-apply retention label policies can target content already carrying a sensitivity label: for example, automatically apply a 10-year retention label to any item labelled “Highly Confidential — Legal”. This integration between Microsoft Purview Sensitivity Labels and data lifecycle management eliminates the need for manual record declaration on high-value sensitive content.

Integration with eDiscovery and Legal Hold

When legal proceedings require preserving specific content beyond its scheduled deletion date, Purview eDiscovery holds override retention delete actions. A Preservation Hold placed on a mailbox or SharePoint site prevents any content from being deleted — regardless of retention policy delete actions — until the hold is released. The hold is invisible to users: they see normal mailbox and SharePoint functionality, but no content is permanently deleted while the hold is active.

For Berlin businesses that receive litigation hold notices or regulatory investigation requests, this integration between data lifecycle management and eDiscovery ensures that standard retention-based deletion does not destroy potentially relevant evidence once a legal hold obligation arises.

GDPR Storage Limitation Compliance

GDPR Article 5(1)(e) requires personal data to be kept in identifiable form no longer than necessary. Retention policies address this at the workload level; retention labels address it at the item level. Together they provide the technical mechanism to demonstrate storage limitation compliance under GDPR Article 5(2) (accountability principle): you can show regulators an audit log of when specific items were deleted, by which policy, and what reviewer approved the disposition.

The Purview compliance portal’s Data lifecycle management dashboard shows retention policy coverage across all workloads, labels applied to content, and upcoming disposition reviews — providing the documentation baseline for a GDPR data lifecycle audit.

Implementation Steps for Berlin Small Businesses

  1. Microsoft Purview compliance portal → Data lifecycle management → Retention policies → New retention policy
  2. Create a baseline “retain all Exchange mail 3 years then delete” policy and apply to all mailboxes
  3. Create a “retain all SharePoint content 5 years then delete” policy and apply to all SharePoint sites
  4. Create a “Teams messages 1 year delete” policy for Teams private chats and a 3-year policy for channel messages
  5. Create retention labels for specific content types: “Legal Contract — 10 years”, “Tax Record — 10 years”, “General Correspondence — 3 years”
  6. Publish labels to Exchange, SharePoint, and OneDrive — enable manual application by users
  7. Configure an auto-apply policy: apply the “Legal Contract” label to items containing the keywords “Auftragsbestätigung” or “Vertrag”, or matching the sensitive information type “Contract” classifier
  8. Configure disposition reviews for records labels: assign the data controller or legal lead as the reviewer for items scheduled for deletion
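
The same steps can be scripted in Security & Compliance PowerShell. This is an added example, not part of the original guide or Microsoft's own code. The policy names, the reviewer address, the choice of which labels are records, and the ASCII hyphen in the label names are assumptions, and only the keyword condition from step 7 is shown.

```powershell
# Added example. Policy names, rule names and $reviewer are assumptions.
# Needs the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession
$reviewer = 'legal-lead@example.com'   # placeholder reviewer address

# Steps 2-4: baseline retain-then-delete policies (Teams locations get their own policies).
$baseline = @(
    @{ Name = 'Exchange mail 3y';  Days = 1095; Loc = @{ ExchangeLocation     = 'All' } }
    @{ Name = 'SharePoint 5y';     Days = 1825; Loc = @{ SharePointLocation   = 'All' } }
    @{ Name = 'Teams channels 3y'; Days = 1095; Loc = @{ TeamsChannelLocation = 'All' } }
    @{ Name = 'Teams chats 1y';    Days = 365;  Loc = @{ TeamsChatLocation    = 'All' } }
)
foreach ($p in $baseline) {
    $loc = $p.Loc   # splatting needs a plain variable
    New-RetentionCompliancePolicy -Name $p.Name @loc | Out-Null
    New-RetentionComplianceRule -Name "$($p.Name) rule" -Policy $p.Name `
        -RetentionDuration $p.Days -RetentionComplianceAction KeepAndDelete | Out-Null
}

# Steps 5 and 8: retention labels; record labels get a disposition reviewer.
$labels = @(
    @{ Name = 'Legal Contract - 10 years';        Days = 3650; Record = $true  }
    @{ Name = 'Tax Record - 10 years';            Days = 3650; Record = $true  }
    @{ Name = 'General Correspondence - 3 years'; Days = 1095; Record = $false }
)
foreach ($l in $labels) {
    $tag = @{ Name = $l.Name; RetentionAction = 'KeepAndDelete'
              RetentionDuration = $l.Days; RetentionType = 'CreationAgeInDays' }
    if ($l.Record) { $tag.IsRecordLabel = $true; $tag.ReviewerEmail = $reviewer }
    New-ComplianceTag @tag | Out-Null
}

# Step 6: publish the labels so users can apply them manually.
New-RetentionCompliancePolicy -Name 'Publish retention labels' -ExchangeLocation All `
    -SharePointLocation All -OneDriveLocation All | Out-Null
foreach ($l in $labels) {
    New-RetentionComplianceRule -Policy 'Publish retention labels' `
        -PublishComplianceTag $l.Name | Out-Null
}

# Step 7: auto-apply the contract label on a keyword match.
New-RetentionCompliancePolicy -Name 'Auto-apply Legal Contract' -ExchangeLocation All `
    -SharePointLocation All -OneDriveLocation All | Out-Null
New-RetentionComplianceRule -Policy 'Auto-apply Legal Contract' `
    -ApplyComplianceTag 'Legal Contract - 10 years' `
    -ContentMatchQuery 'Vertrag OR Auftragsbestätigung' | Out-Null

# Confirm every policy has been distributed to its locations.
Get-RetentionCompliancePolicy -DistributionDetail | Format-Table Name, Mode, DistributionStatus
```

Record the final `DistributionStatus` output alongside the retention schedule, since it is the evidence that each workload in the table is actually covered.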

Data lifecycle management works in direct partnership with Microsoft Purview DLP — DLP prevents inappropriate sharing of personal data while data lifecycle management ensures it is deleted when no longer needed. Both capabilities are configured in the same Microsoft Purview compliance portal, and both contribute to Compliance Manager improvement actions under GDPR, ISO 27001, and German data protection regulatory templates.
