Data Retention and Deletion Policy

1. Introduction:

This Data Retention and Deletion Policy outlines the principles and guidelines for retaining and deleting personal data held by our organization. The policy ensures that we comply with legal obligations, optimize data storage, protect the privacy of individuals, and maintain data quality. It applies to all personal data processed by our organization, regardless of the format in which it is held.

2. Scope:

This policy applies to all employees, contractors, and third-party service providers who handle personal data on behalf of our organization. It covers all personal data stored on electronic media as well as any physical records.

3. Retention Period:

Personal data shall be retained only for as long as necessary to fulfill the purposes for which it was collected, as well as to satisfy any legal, accounting, or reporting requirements. The retention period for personal data will be a minimum of 12 months and a maximum of 24 months from the date of collection, unless a longer retention period is mandated by law or regulation.

4. Criteria for Retention and Deletion:

The following criteria will be used to determine the retention period of personal data:

• Purpose of Data: Data will be retained based on the purpose for which it was collected and processed. Once the purpose has been fulfilled, the data will be reviewed for deletion.

• Legal and Regulatory Requirements: Any statutory or regulatory requirements for data retention will be adhered to. This includes retaining data for tax purposes, compliance with employment laws, or any other legal obligations.

• Litigation and Claims: Data may be retained for longer periods if it is necessary for the establishment, exercise, or defense of legal claims.

• Consent: Where data retention is based on the individual's consent, the data will be retained for the period for which consent was given, unless the individual withdraws consent earlier.

​

5. Deletion Procedures:

Upon the expiration of the retention period, personal data will be securely deleted or anonymized, so it can no longer be associated with an individual. The deletion will be performed in a manner that ensures the data cannot be reconstructed or read.

The following deletion procedures will be implemented:

• Electronic Data: All electronic files containing personal data will be permanently deleted from all systems, including backups and archives.

• Physical Records: Any physical documents containing personal data will be shredded or otherwise destroyed to ensure the data cannot be reconstructed.

• Third-Party Data Processors: We will ensure that any third-party service providers who process personal data on our behalf are contractually obligated to adhere to our data retention and deletion guidelines.

​

6. Data Retention Audit and Review:

The Data Retention and Deletion Policy will be audited regularly to ensure compliance with legal obligations and to reflect any changes in our operational requirements. The audit will include a review of the retention periods and the effectiveness of the deletion procedures.

7. Policy Updates:

This policy may be updated periodically to reflect changes in legal requirements, technological advancements, or organizational practices. All stakeholders will be informed of any significant changes to the policy.

8. Responsibility and Enforcement:

The responsibility for enforcing this policy lies with the Data Protection Officer (DPO) or designated privacy team. All employees and data processors are required to understand and adhere to this policy. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract.

9. Questions and Concerns:

Any questions or concerns regarding this policy or its implementation should be directed to the DPO or the privacy team.

By implementing this Data Retention and Deletion Policy, our organization demonstrates its commitment to responsible data management and the protection of individual privacy rights.