Data retention policy.
Introduction.
his policy sets out my obligations regarding the retention of your personal data that I’ve collected and processed according to the EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). This Policy sets out the types of personal data I hold, the periods for which that personal data is to be retained, the criteria for establishing and reviewing such periods, and when and how it is to be deleted or otherwise disposed of.
The aims of this Policy are:
- To set out limits for the retention of personal data;
- to ensure that those limits, as well as your other rights including the right to erasure, are complied with;
- to ensure that I comply fully with my obligations and safeguard your rights
- and to improve the speed and efficiency of managing data. This Policy will be considered effective as of January 01, 2021.
- No part of this Policy will have retroactive effect and therefore it can only apply to matters happening on or after this date.
The scope.
Storage in my own systems.
When I store information in my own systems, only the people who need it have access. My partners, contractors and other collaborators have access to only what they need to do their job and sign a confidentiality agreement before gaining access to your data. The computers we use are all protected by a passcode or fingerprint access. These computers ask for authentication whenever they’re started or after 5 minutes of inactivity. Our mobile devices are also protected by a fingerprint or facial recognition.
- Computers permanently located in the Company’s premises in Aneby, Jönköping, Sweden.
- Laptop computers, tablets and other mobile devices provided by the Company to its employees;
- Computers and mobile devices owned by employees, agents, and contractors;
- Physical records stored in in the Company’s premises in Aneby, Jönköping, Sweden;
Storage in third-party services.
Where I store your information in third-party services, I restrict access only to people who need it. I store passwords in Dropbox Vault, an encrypted password manager, use a different, randomly generated password for each service, and two factor authentication whenever possible.
- Third-party servers, operated by Krystal Hosting Ltd. and located in London, United Kingdom.
- Third-party servers, operated by Gandi SAS, located in Paris, France.
- Cloud storage, operated by Filen Cloud Dienste located in Recklinghausen, Germany.
- CDN and video streaming by BunnyWay d.o.o in Medvode, Slovenia.
- Project Management System operated by Notion, located in Denver, Colorado, USA.
- Accounting and tax platform operated by Bokio, located in Stockholm, Sweden.
- Invoicing platform operated by Fiskl Limited, registered in the United Kingdom.
- Email inboxes and other folders, operated by Fastmail Pty Ltd, in Victoria, Australia.
- Calendar and bookings operated by Cal.com, Inc., located in San Francisco, California, USA.
- Virtual call software operated by MeetButter ApS, located in Copenhagen, Denmark.
Data retention.
It is very important for me to respect your data privacy, for this reason I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When deciding what the correct time is to keep the data for I look at its amount, nature and sensitivity, potential risk of harm from unauthorized use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements. Different types of personal data, used for different purposes, will necessarily be retained for different periods, and its retention periodically reviewed.
Considerations for retention:
- My objectives and requirements of the authorities
- The type of personal data;
- The purpose(s) for which the data is collected, held, and processed;
- My legal basis for collecting, holding, and processing that data; and
- The category or categories of data subject to whom the data relates.
The data retention periods I adhere to are:
- For tax purposes the law requires me to keep basic information about my customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
- For legal reasons I am required to keep contracts for six years after the termination of the contract.
- Email inbox, recycle bins, downloads, and deleted emails for one year after the termination of the contract.
- Personal network drive, Local drives and files, and cloud storage for one year after the termination of the contract.
- Call recordings, Live chat history, and other communication records for six years after the termination of the contract.
- Prospect data, CRM data, Customer complaints for five years.
- Data protection requests for five years.
- If you leave a comment on my website, the comment and its metadata are retained indefinitely. This is so I can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
- For users that register on my website (if any), I also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
In some circumstances I may anonymize your personal data for research or statistical purposes in which case I may use this information indefinitely without further notice to you. Regardless of the previously defined retention periods, certain personal data may be deleted or disposed of before the expiry of its defined retention period, be it in response to a request by you or for other internal reasons.
Data erasure.
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. You have the right to have your personal data erased, and to prevent the processing of that personal data, in the following circumstances:
- When the personal data is no longer required for the purpose for which it was originally collected or processed;
- When you withdraw your consent;
- When you object to the processing of your personal data and there is no overriding legitimate interest;
- When the personal data is processed unlawfully. i.e. in breach of the GDPR; or
- When the personal data has to be erased to comply with a legal obligation.
Data disposal.
When the data retention periods listed before expire, or when you exercise your right to have your personal data erased, it will be deleted, destroyed or disposed of as follows:
Personal data stored electronically (including any and all backups) will be permanently deleted; and Personal data stored in hardcopy form will be shredded and securely disposed of.
This privacy policy borrows heavily from Suzzane Dibble’s template from her GDPR training materials.