GMDSOFT Data Retention, Deletion Policy
1. Introduction
1.1 This policy sets out the policies and procedures of GMDSOFT (the “Company”) with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.
1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period. On the other hand, it is a fundamental principle of data protection law that personal data should be only retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognizes the importance of formulating clear and specific policies in relation to data retention.
2. Definitions
2.1 In this policy:
(a) “Appointed person” means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;
(b) “Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) “Deletion” means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and
(d) “Personal data” means any information relating to a data subject.
3. Data retention, archiving and deletion
3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.
3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:
(a) the fulfillment of any legal or contractual obligations of the company; and/or
(b) the establishment, exercise or defense of any legal claims.
3.3 The company must not delete data to the extent that:
(a) the company has a legal obligation to retain the data;
(b) the retention of the data is reasonably required for the establishment, exercise or defense of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).
4. Default archiving and deletion methods
4.1 Data must be archived by the company specify methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).
4.2 Data must be deleted by the company specify methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).
5. Reviewing and updating this policy
5.1 The appointed person shall be responsible for reviewing and updating this policy.
5.2 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company. 5.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) developments in industry best practice;
(c) any new data processing activities undertaken by the company; and
(d) any security incidents affecting the company.
SCHEDULE 1 (DATA RETENTION PERIODS)
1. Introduction
1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.
2. Customer data: retention, archiving and deletion
2.1 In this policy, “Customer data” means all customer relationship management records relating to the customers of the company, including customer identity details, customer identity evidence and customer contact details.
2.2 Customer data is stored by the company in GMDSOFT data center/server.
2.3 Customer data must be archived daily.
2.4 Customer data must be deleted:
(a) not less than 7 years following the archiving of the data; and
(b) not more than 8 years following that event, subject to subsection 3.3 of the main body of this policy.
2.5 Customer data must be deleted by deleting the backups from the storage medium.
1.1 This policy sets out the policies and procedures of GMDSOFT (the “Company”) with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.
1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period. On the other hand, it is a fundamental principle of data protection law that personal data should be only retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognizes the importance of formulating clear and specific policies in relation to data retention.
2. Definitions
2.1 In this policy:
(a) “Appointed person” means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;
(b) “Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) “Deletion” means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and
(d) “Personal data” means any information relating to a data subject.
3. Data retention, archiving and deletion
3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.
3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:
(a) the fulfillment of any legal or contractual obligations of the company; and/or
(b) the establishment, exercise or defense of any legal claims.
3.3 The company must not delete data to the extent that:
(a) the company has a legal obligation to retain the data;
(b) the retention of the data is reasonably required for the establishment, exercise or defense of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).
4. Default archiving and deletion methods
4.1 Data must be archived by the company specify methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).
4.2 Data must be deleted by the company specify methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).
5. Reviewing and updating this policy
5.1 The appointed person shall be responsible for reviewing and updating this policy.
5.2 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company. 5.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) developments in industry best practice;
(c) any new data processing activities undertaken by the company; and
(d) any security incidents affecting the company.
SCHEDULE 1 (DATA RETENTION PERIODS)
1. Introduction
1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.
2. Customer data: retention, archiving and deletion
2.1 In this policy, “Customer data” means all customer relationship management records relating to the customers of the company, including customer identity details, customer identity evidence and customer contact details.
2.2 Customer data is stored by the company in GMDSOFT data center/server.
2.3 Customer data must be archived daily.
2.4 Customer data must be deleted:
(a) not less than 7 years following the archiving of the data; and
(b) not more than 8 years following that event, subject to subsection 3.3 of the main body of this policy.
2.5 Customer data must be deleted by deleting the backups from the storage medium.