(1) Each credit institution and provider of safe custody services must keep the records specified in paragraph (2) for a period of five years beginning with the date of the closure of the account or safe-deposit box.
(2) The records are a copy of any document or information needed in order to respond to a request made under this Part.
(3) Once the period referred to in paragraph (1) has expired, the credit institution or provider of safe custody services must delete any personal data retained for the purposes of these Regulations unless -
(a) the relevant person is required to retain records containing personal data -
(i) by or under any enactment, or
(ii) for the purposes of any court proceedings;
(b) the data subject has given consent to the retention of that data; or
(c) the relevant person has reasonable grounds for believing that records containing the personal data need to be retained for the purpose of legal proceedings.