GDPR: Data Retention and Deletion Policy

The TrackingTime Data Retention and Deletion Policy according to the European General Data Protection Regulation (GDPR).

Written by Diego Wyllie

Version History

VERSION | NOTES | DATE
01 | New Document | 25.05.2018
02 | Modifications | 15.12.2022

1. PURPOSE OF THE PROCEDURE

Regulation 2016/679, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data, and which repeals Directive 95/46/EC (hereinafter, the "GDPR"), intends to guarantee and protect everything related to the processing of personal data, that is, the use of any information of natural persons.

Through this Policy for the conservation of personal data, it is intended to establish guidelines for action relative to determining when the conservation or destruction of the data should be carried out, in order to comply with the demands derived from the duty of quality.

2. SCOPE

This Policy must be observed by TRACKING TIME LLC (hereinafter, TRACKING TIME), as well as by the companies that process personal data as Data Processor, and applies to data that are subject to both automated and non-automated processing (paper support).

This Policy must be observed by all personnel who handle personal data in the development of their daily activity.

3. OBLIGATIONS OF DELETION OF PERSONAL DATA

3.1. Previous considerations

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that their retention period is limited to a strict minimum. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. To ensure that personal data is not kept for longer than necessary, the Data Controller must establish deadlines for its deletion or periodic review.

To this end, this Policy must be guided by the Principle of limitation of the period of conservation of section e) of article 5.1 of the GDPR, by virtue of which personal data must be "maintained in a way that allows the identification of the interested parties for no longer than is necessary for the purposes of the processing of personal data".

This obligation is applicable when TRACKING TIME acts as data controller, and also when it acts as data processor.

In particular, when the entity is considered to be the Data Processor, in accordance with section g) of art. 28.3 of the GDPR, once the contractual provision that gave rise to the order of the treatment has been fulfilled, the personal data must, at the choice of the person in charge, be deleted or returned to the person in charge of the treatment, and the existing copies must also be deleted unless conservation of personal data is required under the Law of the Union or of the Member States.

3.2 Enabling causes for the deletion of personal data

3.2.1 Termination of the legitimizing condition of the treatment

When they are no longer useful or necessary for the purpose that justified their collection and treatment, or once said purpose has been fulfilled and exhausted, the personal data must be deleted, as long as it is not necessary to block them in order to respond to possible liabilities arising from the processing of personal data, for the limitation period thereof provided for in the Law of the Union or of the Member States that applies to the data controller, as set out in section 4.

3.2.2 Exercise of the right of suppression

When the interested party exercises the right to rectification or erasure of personal data, provided that any of the following circumstances occur:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

  • the interested party withdraws the consent on which the treatment is based and this is not based on another legal basis;

  • the interested party opposes the treatment in accordance with article 21.1 of the GDPR (right of opposition), and other legitimate reasons for the treatment do not prevail, or the interested party opposes the treatment when it is for direct marketing (article 21.2 of the GDPR);

  • the personal data has been unlawfully processed;

  • the personal data must be deleted for the fulfillment of a legal obligation established in the Law of the Union or of the Member States that applies to the data controller;

  • the personal data that has been obtained in relation to the offer of information society services to children, mentioned in article 8.1 of the GDPR.

In these cases, the personal data must be deleted, as long as it is not necessary to block them in order to respond to possible responsibilities arising from the processing of personal data, for the limitation period thereof provided for in the Law of the Union or of the Member States that applies to the data controller, as set out in section 4.

Notwithstanding the foregoing, the right of deletion will not apply, and therefore the data may continue to be processed by the data controller when the processing is necessary:

  • to exercise the right to freedom of expression and information;

  • for the fulfillment of a legal obligation that requires the processing of data imposed by the Law of the Union or of the Member States that applies to the data controller, for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

  • for reasons of public interest in the field of public health in accordance with article 9, paragraph 2, letters h) and i), and paragraph 3;

  • for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, insofar as the right indicated in paragraph 1 could make impossible or seriously impede the achievement of the purposes of such processing, or

  • for the formulation, exercise or defense of claims.

4. MECHANISMS FOR DELETION OF PERSONAL DATA

In the cases in which, in accordance with the above criteria, the duty to delete personal data is concluded, they must be physically eliminated, whether they are in automated or non-automated support:

  • If the data is contained in a non-automated medium, the physical destruction of the documents must be carried out. To this end, it is recommended:

    • The use of document destruction service providers.

    • The use of physical paper destruction tools, such as paper shredders.

    • Optionally, and in the event that the deletion originates from the exercise of the right of deletion, the deletion may take place by delivering said information to the person or persons who own it.

  • If the data is contained in a computerized medium, it will likewise be physically eliminated from the application; the use of a logical mark, or the maintenance of an alternative file in which the suppression rights are registered, is not sufficient.

5. LEGAL DEADLINES FOR DATA RETENTION

In the cases in which there is a legal obligation to keep the data for a certain period of time and/or during the prescription periods of the actions that could derive from the activity or service provided, the company will proceed to block the data during the referred deadlines.

The blocked data will remain solely at the disposal of the Public Administrations, Judges and Courts, for the attention of the possible responsibilities arising from the treatment, during the limitation period of these and/or during the legal periods established for this purpose. Once the indicated deadlines have been fulfilled, the blocked data must be deleted in accordance with what is described in section 4.

To ensure that personal data is not kept for longer than necessary, the data controller must establish deadlines for its deletion or periodic review, in each case, for each processing activity.

To this end, and without prejudice to any other periods that may be provided for in other regulations or circulars that are equally applicable, Annex I contains the periods during which it will be necessary to keep the personal data that has been processed, based on the activity that gave rise to the processing of personal data.

But as a general rule, TRACKING TIME undertakes to carry out the deletion of all personal data housed in the different services provided, within a period not exceeding 5 years. Likewise, that period of 5 years is set to carry out the deletion of the invoices issued.

ANNEX I - DEADLINES FOR DOCUMENTATION CONSERVATION

DOCUMENTATION OF A LABOR CHARACTER OR RELATED TO SOCIAL SECURITY

TERM: 5 YEARS

DESCRIPTION: Documentation or records or computer media in which the corresponding data have been transmitted that prove compliance with the obligations in terms of placement and employment, affiliation, registrations, cancellations or variations that, where appropriate, occurred in relation to said matters, as well as the contribution documents and supporting receipts for the payment of salaries and the delegated payment of benefits. Add all the contractual documentation: RD 1424/2002, of December 27, which regulates the communication of the content of the contracts and their basic copies, does not establish anything in this regard, so we will analogously apply the previous precept.

LEGAL REF.: Article 21.1 of Royal Legislative Decree 5/2000, of August 4, which approves the consolidated text of the Law on Infractions and Sanctions in the Social Order.

ACCOUNTING AND TAX DOCUMENTATION

TERM: 5 YEARS

DESCRIPTION: For commercial purposes: Books, correspondence, documentation and supporting documents concerning your business, duly ordered, from the last entry made in the books, except as established by general or special provisions.

This mercantile obligation extends both to the obligatory books (income, expenses, investment goods and provisions) and to the documentation and supporting documents that support the entries recorded in the books (invoices issued and received, tickets, corrective invoices, bank documents, etc.).

LEGAL REF.: Art. 30 of the Royal Decree of August 22, 1885, by which the Commercial Code is published.

TERM: 4 YEARS

DESCRIPTION: For tax purposes: The accounting books and other mandatory record books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as the documentary supports that justify the entries recorded in the books (including computer programs and files and any other proof that has fiscal importance), must be kept, at least, during the period in which the Administration has the right to verify and investigate and, consequently, to settle the tax debt.

LEGAL REF.: Section 3 (The prescription), Arts. 66 to 70 of Law 58/2003, of December 17, General Tax Law.

ANNEX II - LIMITATION PERIOD FOR INFRINGEMENTS

DATA PROTECTION

TERM: 3 YEARS

DESCRIPTION: Infractions will prescribe:

  • Very serious, after 3 years.

  • Serious, after 2 years.

  • Minor, after one year.

LEGAL REF.: Articles 72.1, 73.1 and 74.1 of the Draft Organic Law on Data Protection

INFORMATION SOCIETY AND ELECTRONIC COMMERCE SERVICES

TERM: 3 YEARS

DESCRIPTION: Infractions will prescribe:

  • Very serious, at 3 years.

  • Serious, at 2 years.

  • Minor, at 6 months.

LEGAL REF.: Article 45 of Law 34/2002, of July 11, on services of the information society and electronic commerce.
