Data retention policy

  • By law, the data subject must be informed, at the time of collection, how long the retention period will be for their personal data.

  • The default maximum data retention period for any personal data that we collect by consent will be 6 months. If you feel you need to store this data for a longer period of time (e.g., customer billing data), you must present a business case for the longer retention period and obtain written approval from the DPO.

  • Make retention periods for personal data collected by consent shorter than the default maximum retention period, if possible.

  • The retention period for personal data we collect under a lawful basis other than consent will be determined by the DPO when the DPO classifies the lawful basis of processing that data. See the data collection policy for details. In most cases, such personal data should be stored until the lawful basis for the processing is no longer valid. For example, when a customer's contract expires, we should remove their billing information. We may, in some cases, decide to retain personal data on an indefinite basis, or until the data subject makes an erasure request. For example, we may decide to retain indefinitely a record of the product(s) that the customer subscribed to, and for what period(s).

  • On or before the day that the retention period expires, you must securely delete the data immediately and inform the DPO via email that this deletion has been performed.

  • For any personal data we collect, the date on which it was collected must also be recorded, along with its retention period; both that date and the retention period must "travel" with the data wherever it goes, including the case where pieces of the data are unbundled.

  • If you notice any personal data that we have collected which does not include either the original recording date or the retention period, inform the DPO immediately.

  • If you notice any personal data that we have collected which is past its retention date, inform the DPO immediately.

  • If you wish to extend the initial retention period for any personal data, you must:

    1. explain the business need to the DPO;
    2. obtain written approval from the DPO;
    3. inform the data subject(s) of our wish to extend the initial retention period, including the reasons why we wish to extend the retention period; and
    4. obtain explicit consent from each data subject before the expiry of the original retention period.

    Only when all of these conditions are met can you extend the retention period of that personal data. The new retention period should be recorded, in log style, in addition to the original retention period and any previous extensions agreed.

  • If data previously recorded is updated (right to rectification, accuracy principle), the date of the update must be recorded, in log style, in addition to the initial date of the recording and any previous updates. Note that a data update does not extend the retention period unless the data subject has explicitly authorized an extension as part of the update.
