EU AI Act Article 19: how long you actually have to keep AI logs
"Keep your high-risk AI logs for six months." That's the usual summary of Article 19 — and it's incomplete in a way that matters.
Six months is the floor, not the answer
Article 19 doesn't say "six months." It says keep the automatically generated logs for a period appropriate to the system's intended purpose, of at least six months. The real duration is driven by what the system is for. If logs need to support an investigation running longer than half a year, deleting at month six isn't compliance — it's a breach.
GDPR doesn't automatically shorten it
The "unless otherwise provided by law" clause is an override, not a duration-setter. People invoke GDPR to shorten retention, and that is usually wrong: a legal obligation to retain is itself a valid basis to hold data. What GDPR does push for is different: don't keep logs indefinitely, minimize the personal data inside them, restrict access.
The duty follows control
Article 19 puts the duty on the provider; Article 26 mirrors it onto the deployer — each for the logs under their control. In a real deployment, who retains the logs must be settled in the contract. Leave it unwritten and you get the worst outcome: logs deleted early, nobody accountable.
This connects to Article 50 AI disclosure, core obligations for small businesses, and NIST AI RMF-style documentation.