Introduction
This data retention policy outlines the responsibilities of VPN99 (“us/we/our”) regarding the retention, review, and destruction of data in our possession or control. The policy applies to our entire organization, including our officers, employees, agents, and subcontractors, detailing retention periods and circumstances under which data may be deleted.
Objectives
To facilitate our business operations, it is essential to retain and process certain information. We may store data in the following locations:
- our own servers;
- third-party servers;
- potential email accounts;
- desktops;
- employee-owned devices (BYOD);
- potential backup storage;
- physical files.
This policy governs both paper and electronic data storage methods. Retention periods begin only when records are closed.
We are bound by various legal requirements under the General Data Protection Regulation (“the Regulation”) to ensure that personal data is collected and used fairly, stored securely, and not unlawfully disclosed.
The Regulation defines “personal data” as any information that pertains to an identified or identifiable natural person (data subject); such individuals can be identified directly or indirectly through identifiers like names, identification numbers, location data, online identifiers, or specific attributes related to their physical, physiological, genetic, mental, economic, cultural, or social identities.
This policy establishes the procedures for managing personal data while we strive to comply with the Regulation. In brief, the Regulation mandates that all personal data should be:
- processed lawfully, fairly, and transparently concerning the data subject;
- collected for specific, explicit, and legitimate purposes and not further processed in ways that contradict those purposes; further processing for archiving in the public interest, scientific or historical research, or statistical purposes does not conflict with the initial purposes;
- adequate, relevant, and limited to what is necessary for the processing purposes;
- accurate and kept up to date, with reasonable measures taken to rectify or erase any inaccurate personal data promptly;
- stored in a form that allows for identification of data subjects only for as long as necessary for the intended processing purposes; longer storage is permissible when data is solely for archiving in the public interest, scientific or historical research, or statistical purposes, provided appropriate technical and organizational measures are implemented to safeguard data subject rights;
- processed securely to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
The Fourth and Fifth Data Protection Principles stipulate that data should not be retained longer than necessary for its processing purpose and must be deleted once it is no longer needed, while ensuring data remains adequate, relevant, and limited to its processing purposes.
Hence, this policy should be considered alongside our relevant policies, including our data protection policy and IT security policy.
Security and Storage
All data and records are securely stored to prevent misuse or loss. We will process all personal data in accordance with our IT Security Policy [OR implement appropriate security measures against unlawful or unauthorized processing of personal data, as well as accidental loss or damage to personal data].
We will establish procedures and technologies to ensure the security of all personal data from collection until destruction. Personal data will only be transferred to a data processor after they agree to adhere to those procedures and policies or if adequate measures are in place.
To maintain data security, we will protect the confidentiality, integrity, and availability of personal data, which are defined as follows:
- Integrity refers to the accuracy and suitability of personal data for its intended processing purpose.
- Availability indicates that authorized users can access the data as needed for approved purposes.
Retention Policy
Data retention involves keeping data for specific periods and backup purposes. We will not retain personal data longer than necessary, recognizing that the duration may vary based on different types of documents and data for which we are responsible. As a general guideline, our data retention period will be five years. Specific data retention periods are outlined below.
Type of data | Type of data subject | Type of processing | Purpose of processing | Type of recipient to whom personal data is transferred | Retention period |
---|---|---|---|---|---|
Customers data | Personal Data | Electronic | Necessary. Essential for providing intended services | IT | 5 years |
Business contacts | Personal Data | Electronic | Essential for providing intended services | IT | 5 years |
Employees | Personal Data | Electronic | Legal requirements | HR | Retain and verify currency |
Sensitive data | Financial information and unique identifiers | Electronic | Online payment systems | IT | 5 years |
Occasionally, it may be necessary to retain or access historical personal data under specific circumstances, such as contractual agreements or involvement in unforeseen events like litigation or business disaster recovery.
Destruction and Disposal
Upon reaching the end of our retention periods, we will delete confidential or sensitive records categorized as requiring high or very high protection, and either delete or anonymize less critical documents.