Policies
PRIVACY POLICY
Procedure for Retention, Destruction, and Anonymization of Personal Information
1. Overview
It is essential to establish a procedure for the retention, destruction, and anonymization of personal information to ensure the protection of individuals’ privacy, comply with personal data protection laws, prevent privacy incidents and security breaches, maintain customer trust, and protect the organization’s reputation.
2. Purpose
The purpose of this procedure is to ensure the protection of individuals’ privacy and to comply with legal obligations related to the protection of personal information.
3. Scope
This procedure applies to the entire lifecycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, retention, destruction, and anonymization of personal data in accordance with legal requirements and best practices for privacy protection.
4. Definitions
-
Personal information: Any data that can directly or indirectly identify an individual.
-
Retention: Secure storage of personal data for the required duration.
-
Destruction: Permanent deletion, elimination, or removal of personal data.
-
Anonymization: A process that modifies personal data so it can no longer, at any time and irreversibly, be used to directly or indirectly identify individuals.
5. Procedure
5.1 Retention Period
5.1.1 Personal information is categorized as follows:
-
Information related to company employees
-
Information related to organization members
-
Information related to clients
5.1.2 Retention periods for each category are as follows:
-
Employees: 7 years after the end of employment
-
Members: Variable depending on the type of personal information
-
Clients: Variable depending on the type of personal information
For more details, refer to the complete inventory of personal data held.
Note: Specific retention periods may apply.
5.2 Secure Storage Methods
5.2.1 Personal data is stored in the following locations: OneDrive, Wix
5.2.2 The sensitivity level of each storage location has been assessed.
5.2.3 These storage locations, whether paper-based or digital, are adequately secured.
5.2.4 Access to these storage locations is restricted to authorized personnel only.
5.3 Destruction of Personal Information
5.3.1 Paper documents must be fully shredded.
5.3.2 Digital personal data must be completely deleted from devices (computers, phones, tablets, external drives), servers, and cloud-based tools.
5.3.3 A destruction schedule must be created based on the established retention period for each data category. Planned destruction dates must be documented.
5.3.4 Destruction must be carried out in such a way that the data cannot be recovered or reconstructed.
5.4 Anonymization of Personal Information
5.4.1 Anonymization should only occur if the organization wishes to retain and use the data for serious and legitimate purposes.
5.4.2 The chosen method of anonymization is as follows: data will be deleted after the retention period.
5.4.3 The remaining data must no longer allow, in any way, the direct or indirect identification of the individuals concerned. Regular assessments of the risk of re-identification must be conducted through testing and analysis to ensure the effectiveness of anonymization.
Note: As of the date of this template, anonymization of personal information for serious and legitimate purposes is not yet permitted. A government regulation must be adopted to establish the criteria and terms.
5.5 Staff Training and Awareness
5.5.1 Regular training must be provided to employees regarding the procedures for retaining, destroying, and anonymizing personal data, as well as the risks related to privacy breaches.
5.5.2 This also includes raising staff awareness of best practices for data security and the importance of following established procedures.
Last updated: February 1, 2025