Managing Document and Personal Data Retention
Updated as of: September 19, 2019
Preemptive Love Coalition, a U.S. registered 501(c)3 charitable organization (“Preemptive Love Coalition,” “we,” “us,” or “our”), has published this Data Retention Policy to inform our users, customers, and website visitors from the European Economic Area (collectively, “Data Subjects”) about how Preemptive Love Coalition processes and retains specific categories of Personal Data (as described below), our retention periods for their Personal Data, our reasoning behind those retention periods, and the minimum standards to be applied when destroying certain types of information within Preemptive Love Coalition.
Purpose and Scope:
Under the terms of the General Data Protection Regulation (the “GDPR”), Preemptive Love Coalition is required to process Personal Data from Data Subjects in a fair manner that notifies Data Subjects of the purposes of the data processing and also to retain the Personal Data for no longer than is necessary to achieve those purposes.
Under these rules, Data Subjects have a right to be informed about how their Personal Data is processed, and this policy is meant to provide Data Subjects with information on our data retention periods or criteria used to determine the retention periods.
This policy applies to all business units, processes, and systems in all countries in which we conduct business and have dealings or other business relationships with third parties. This policy applies to all Preemptive Love Coalition officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers who may collect, process, or have access to data (including Personal Data and/or Sensitive Personal Data, as those terms are defined below). It is the responsibility of all of the above persons to familiarize themselves with this policy and ensure adequate compliance with it.
This policy applies to all records used and maintained at Preemptive Love Coalition, regardless of physical format, including:
Please see the Records Retention Schedule contained in Appendix A to this policy for the amount of time that any paper records and electronic files will be retained by Preemptive Love Coalition. A record must not be retained beyond the Retention Period indicated in the Records Retention Schedule, unless a valid business reason (or a litigation hold or other special situation) calls for its continued retention.
For questions on document retention or if you are unsure whether to retain a certain record, contact our Data Protection Officer (“DPO”), Dane Barnett at email@example.com.
“Personal Data” means any information relating, directly or indirectly, to an identified or identifiable Data Subject, including a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Data Subject.
“Sensitive Personal Data” means any Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Operational Personal Data” means any Personal Data that is used by Preemptive Love Coalition for the purpose of operating its systems and services, including, but not limited to, internal identifiers that Preemptive Love Coalition’s systems and/or services use as references for or to leads, events, clicks, or actions performed by users, customers, and/or website visitors.
“Metric Personal Data” means any Personal Data that is used by Preemptive Love Coalition for the purpose of measuring the performance of its systems and services or the systems and services of Preemptive Love Coalition’s users, customers, and/or website visitors.
“Marketing Personal Data” means any Personal Data that is used by Preemptive Love Coalition or Preemptive Love Coalition’s users, customers, and/or website visitors solely for marketing purposes.
“Contract Duration” is the length of time from the date a contract or agreement is executed between Preemptive Love Coalition and any users, customers, website visitors, or relevant third party and the date that such contract or agreement is terminated.
“Retention Period” is the length of time between the expiration of the Contract Duration and the time when the Personal Data is purged. If the Retention Period is described as “Permanent,” the data type is held indefinitely.
Document Retention Procedure:
As a company, Preemptive Love Coalition is required to retain certain records, usually for a specific amount of time. We must retain these records because they contain information that:
- Serves as Preemptive Love Coalition’s corporate memory;
- Has enduring business value (for example, they provide a record of a business transaction, evidence Preemptive Love Coalition’s rights or obligations, protect our legal interests, or ensure operational continuity); and/or
- Must be kept in order to satisfy legal, accounting, or other regulatory requirements.
We must balance these requirements with our statutory obligation to only keep records for the period required and to comply with data minimization principles. Our DPO determines the time period for which the documents and electronic records should be retained. If there is no justification for retaining Personal Data, then those records should be routinely deleted. Information should never be kept “just in case” a use can be found for it in the future. If we want to retain information about Data Subjects to help us to provide better service in the future, we will obtain consent in advance.
Further retention of Personal Data is lawful only when compatible with the purpose(s) for which it was originally collected. In some cases, no separate legal basis will be required: for exercising the right of freedom of expression and information; for compliance with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority vested in Preemptive Love Coalition as a data controller; on the grounds of public interest in the area of public health; for archiving purposes in the public interest, scientific, or historical research or statistical purposes; or for the establishment, exercise, or defense of legal claims.
Erasure of Personal Data:
On a regular basis, we review all data, whether held electronically or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. Overall responsibility for the destruction of data falls to our DPO.
Once a timing decision is made to dispose of Personal Data (see Records Retention Schedule contained in Appendix A), the information is deleted, shredded, or otherwise destroyed to a degree proportionate to the information’s value to others and level of confidentiality. Thus, the method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain Sensitive Personal Data shall be disposed of as confidential waste (cross-cut shredded and incinerated; secure electronic deletion); some expired or superseded contracts may only warrant in-house shredding. The Records Retention Schedule defines the mode of disposal. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the DPO subcontracts for this purpose, but the DPO shall fully document and approve the destruction process.
Records which may be routinely destroyed, unless subject to an on-going legal or regulatory inquiry, are:
- Announcements and notices of day-to-day meetings and other events,
- Requests for ordinary information, such as travel directions,
- Reservations for internal meetings,
- Transmission documents, such as fax cover sheets and routing slips that accompany documents, but do not add substantive value,
- Superseded address lists, distribution lists, etc.,
- Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases and day files,
- Stock in-house publications that are obsolete or superseded, or
- Trade magazines, vendor catalogues, flyers, and newsletters from vendors or other external organizations.
In all cases, disposal is subject to any disclosure requirements that may exist in the context of litigation.
Right of Erasure:
Data Subjects have the right, under certain circumstances, to have their Personal Data erased and no longer processed (for more detail, please see our Data Subject Rights Management Policy). This right applies in, for example, the following circumstances:
- Where the Personal Data is no longer necessary in relation to the purposes for which it is/was collected or otherwise processed;
- Where a Data Subject has withdrawn his/her consent or objects to the processing of Personal Data; and
- Where the processing of Personal Data does not otherwise comply with the GDPR.
Breach, Enforcement, and Compliance:
The DPO has the responsibility of ensuring that Preemptive Love Coalition’s employees comply with this policy. It is also the responsibility of the DPO to assist with official inquiries from any data protection and/or governmental authority. Any suspicion of a breach of this policy must be reported immediately to the DPO. All instances of suspected breaches of this policy shall be investigated and action taken, as appropriate.
Failure to comply with this policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss, damage to Preemptive Love Coalition’s reputation, and personal injury, harm, or loss. Non-compliance with this policy by permanent, temporary, or contract employees or any third parties, who have been granted access to Preemptive Love Coalition’s premises or information, may therefore result in disciplinary proceedings or termination of employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Appendix A: Records Retention Schedule
|Responsibility for Storage
|Controls for Record Protection
|[i.e. Cash Receipts]
|[i.e. Accounting Dept.; DPO]
|[i.e. Level II]
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any Personal Data, especially Sensitive Personal Data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information, such as parties’ names, signatures, and addresses, or which could be used by third parties to commit fraud, but which may not contain any Personal Data. The documents should be cross-cut shredded and then placed into locked garbage containers for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or Personal Data and/or are published Preemptive Love Coalition documents. These documents, which include, for example, advertisements, catalogues, flyers, and newsletters, should be strip-shredded or disposed of, i.e. through a recycling company. These may be disposed of without an audit trail.