Retention Policy

1. Purpose

We hold personal data about our Users/Subscribers when they use Services offered through our Websites, where data is provided through the use of a computer or other compatible device/system during any registration process. The effective date of this Retention Policy is 20/03/2018.

For our SaaS systems, this policy only applies to the tenants and those with whom we interact directly. Data processed by our subscribers/tenants is under their control and you must refer to their policies.

This policy ensures that necessary digital information is adequately protected, and that our Users/Subscribers understand the rules governing the use, retention and destruction of their personal information when it is collected by Heidi Computers Ltd. and when it is no longer needed, all in accordance with our Terms of Service (TOS), Privacy Policy and in compliance with the General Data Protection Regulation (GDPR).

2. Definitions

Personal Data: Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Means any operation or group of operations which are performed on personal data or on groups of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent of the Data Subject: Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Retention: Means the storage of your personal information in our database and servers for the period indicated in Section 4.2 of this Policy.

Data Destruction: Means the total erasure of your personal information from our database and servers, and the total destruction of your personal printed information on our files, as indicated in Section 4.3 of this Policy.

3. Types of Data Covered by this Policy

The information covered by this policy is:

  • Name including first and last name;
  • Email address;
  • Mobile phone number and contact details;
  • Billing address and ZIP/Postal code;
  • Financial information (like debit or credit card numbers);
  • Other information as per our registration process, including any other means by which you provide personal information to us.

4. Our Procedures

We process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we do not process personal data unless the individual whose details we are processing has consented to this.

We ensure the reasonable use of personal data using at least one of the conditions for its processing and this will be specifically documented and supported. All staff who are responsible for processing personal data will be aware of the conditions for such processing. The conditions for processing are available to data subjects in the Privacy Policy.

4.1 Procedure for Ensuring that Data is Properly Retained:

  • In cases where data is stored on printed paper, this is kept in a secure place where unauthorised personnel cannot access it.
  • Data stored on a computer is protected by secure passwords which are changed regularly. We encourage all staff to use a password manager to create and store their own passwords.
  • Data stored on CDs or memory sticks is securely locked away when not being used.
  • Servers containing personal data are kept in a secure location, away from general office space.
  • Data is regularly backed up in line with the company’s backup procedures.
  • Data is never saved directly to mobile devices such as laptops, tablets or smartphones.
  • All servers containing sensitive data are approved and protected by security software and strong firewalls.

4.2 Procedures for Ensuring that Data is Properly Destroyed (Right to be Forgotten and Erasure):

Upon request, we will remove/block your personally identifiable information from our database, thus cancelling your registration. However, your information may remain stored on our servers (in archives) for a period of ninety (90) days after you have withdrawn your consent as specified above.

After 90 days, your personally identifiable information will be discarded, as follows:

  • Electronic data will be erased from our database, links and servers.
  • Printed data will be shredded.
  • Backups will be recycled.

4.3 Exception:

We will exceptionally keep your personal information for more than 90 days after you have withdrawn your consent as specified above, in the event of:

  • Existence of any litigation, criminal investigation, or exercise or defence of a legal claim that prohibits or suspends the destruction of data;
  • Exercising the right of freedom of expression and information;
  • Compliance with legal obligations or when performing a task carried out for public interest, or in the exercise of any official authority;
  • A public interest being involved in reference to public health; or
  • Filing purposes of public interest, scientific or historical research purposes or statistical purposes, in so far as the destruction of data is likely to render impossible, or seriously impair, the achievement of the objectives of such processing.

5. Compliance

Failure on the part of our employees or our contract staff to follow this policy can result in possible civil and criminal sanctions against our Organisation and its employees or contract staff, and possible disciplinary action against responsible individuals. In accordance with the General Data Protection Regulation (GDPR), we will periodically review compliance with these procedures and with any new or revised regulation in force at the time.