v2.4.0

WS3: Data Lifecycle Closure

Data lifecycle closure reconciles the AI Act’s ten-year documentation retention with the GDPR’s storage limitation principle for each data category.

  • Training data containing personal data: delete or anonymise at decommission unless a specific retention justification exists (pending litigation, regulatory investigation); retain metadata, provenance records, and statistical summaries for ten years.
  • Inference logs containing personal data: apply the PMM data retention policy; logs whose retention period extends beyond decommission transfer to archive storage for scheduled deletion.
  • Monitoring and PMM data: retain aggregated non-personal data for ten years; anonymise or delete personal data per the retention policy.
  • Model artefacts and embeddings: archive for ten years (no personal data concern unless the model memorises training data, in which case the risk assessment determines treatment).

The DPO Liaison verifies that all personal data scheduled for deletion has been removed from all storage locations: primary databases, backup systems, caches, derived datasets, and any third-party systems. The verification is documented and signed by the DPO Liaison. The deletion verification methodology from applies.

Key outputs

  • Per-data-category retention/deletion decision
  • AI Act ten-year retention reconciled with GDPR storage limitation
  • DPO Liaison signed deletion verification
  • Module 4 AISDP documentation