How must personal data be stored to comply with GDPR?

To comply with the General Data Protection Regulation (GDPR), personal data must be stored in a manner that allows identification of individuals only for the necessary duration required for processing. This means organizations should only retain personal data as long as it is relevant and necessary for the purposes for which it was collected. Once the purpose is fulfilled, the data should be discarded or anonymized to prevent unauthorized access and ensure individuals' privacy.

Storing data indefinitely (as mentioned in one of the options) contravenes the principles of data minimization and limited storage outlined in the GDPR, which stress that data should not be kept longer than necessary. Similarly, storing data in unrestricted access formats does not ensure proper security and access controls, risking breaches and unauthorized usage. Obscure formats might enhance privacy to some extent, but they do not fully comply with the legal requirements concerning data retention and purpose limitation as defined by the GDPR.