Data Retention Policy - June 2023
HYPR Corp has adopted the following policy relating to the retention and destruction of HYPR’s documents and data and the documents and data of the operations of all of its subsidiaries, worldwide (collectively “HYPR”, “Company” or “we”).
This Data Retention Policy (“Policy”) provides guidance regarding the proper storage and timely destruction of all information, data and documents, regardless of format, generated in connection with the Company’s business. As described in greater detail below, special provision is made for the long-term retention of information, data and documents that are of particular commercial, legal or other institutional value to the Company.
The owner of this document is the Data Protection Manager of HYPR.
These guidelines are reviewed annually by the Data Protection Manager and the Chief Operating Officer and may also be reviewed and updated continuously, if deemed necessary by the Data Protection Manager and the Chief Operating Officer.
Each Business Area/Subsidiary will list the systems used by such Business Area/Subsidiary, the Personal Data such systems contain, the retention periods for such data and the person responsible for keeping the retention periods. The Data Protection Manager will keep a summary of all systems within HYPR.
If you have any questions about this Policy or the Company’s data protection practices, please contact:
Attention: HYPR Policy Inquiries
Address: 1001 6th Ave, 10th Fl, New York, NY, 10018
For the purposes of this Policy, the following capitalized terms have these definitions:
“Data” means information which is stored electronically, on a computer, or in certain paper-based filing systems;
“Employee” means a HYPR employee, unless otherwise specified, including independent contractors if and as applicable, and all other members of staff.
“GDPR” means the General Data Protection Regulation, (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (including as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018).
“Personal Data” means any Data relating to an identified or identifiable natural person (“Data Subject”). An identifiable Data Subject is one who can be identified directly from the data (or indirectly using other information available to HYPR), in particular by reference to an identification number or one or more factors specific to physical, physiological, mental, economic, cultural or social identity, and for the purposes of this Policy includes Special Categories of Personal Data;
“Processing” means any operation or set of operations which is performed upon Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a third party entity which is Processing Personal Data on behalf of HYPR.
“Special Categories of Personal Data”, or “Sensitive Personal Data” means Personal Data consisting of information as to the racial or ethnic origin of the Data Subject, his/her political opinions, his/her religious beliefs or other beliefs of a similar nature, whether he/she is a member of a trade union, his/her physical or mental health or condition, his/her sexual life or sexual orientation, the commission or alleged commission by him/her of any offence, or any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
2. GENERAL POSITION REGARDING RETENTION AND ERASURE
In accordance with applicable law, including but not limited to the GDPR, Personal Data may not be kept longer than necessary with regard to the purposes of the Processing, i.e. when the purpose of the Processing of the Personal Data has been fulfilled, the Personal Data shall be erased, unless legal requirements apply to the retention of that Personal Data. There are two different ways to erase Personal Data:
(i) by anonymization of Data; or
(ii) by destruction of Data.
Anonymization of Personal Data means permanent erasure of all information that can identify a natural person or transformation of such Personal Data so that it can no longer in any way be traced back to a natural person. Anonymized data must be stripped of any identifiable information, making it impossible to derive insights on a discrete individual, even by the party that is responsible for the anonymization. When done properly, anonymization places the processing and storage of personal data outside the scope of the GDPR. Encrypted personal data and tokens are not anonymous as long as someone can make the information readable and thereby identify the person.
Destruction of Personal Data means to ensure that the Data cannot be recovered. It is important to understand what technical measures are required to ensure that the Personal Data is truly destroyed – either reformatting or total overwriting of the information. Ordinary formatting may not fully erase all the information; special equipment or specific computer software may be required to erase all of the information. The level of sophistication of the technical solutions depends on the sensitivity of the data.
The manner in which the erasure in HYPR’s systems/services technically should be carried out shall be agreed between the Data Protection Manager, Chief Technology Officer and VP of Engineering to be executed by the respective IT Departments to which the erasure pertains.
If storing of Personal Data or other data processing activities are taking place within a system that is provided by a service provider (i.e. as a Software as a Service ("SaaS") or as part of a Business Process Outsourcing ("BPO")) it must be verified and agreed with the service provider how erasure of Personal Data shall be made. HYPR (data controller), or one of HYPR’s service providers (data processor), shall erase the personal data of HYPR. If the service provider shall erase the information, the undertaking to do so shall be included in a written agreement entered into with the service provider.
3. MANDATORY COMPLIANCE
3.1 Responsibility of all Employees.
HYPR strives to comply with the laws, rules and regulations that govern it and with recognized compliance practices. All employees must comply with this Policy, the Schedules and any related communications. Failure to do so may subject HYPR, its employees and contract staff to serious civil and/or criminal liability. An employee’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination.
4. WHERE IS PERSONAL DATA FOUND?
It is important to have an overview of where Personal Data can be found within HYPR. This may include:
- own servers;
- third party servers;
- email accounts;
- employee-owned devices (Bring Your Own Device or “BYOD”);
- backup storage; and/or
- paper files.
The Data Protection Manager, in conjunction with the Chief Operating Officer and VP of Engineering, will work with the IT department to maintain accurate maps of the Personal Data that is being processed and the data flows within and between the entities within HYPR.
5. ROUTINES FOR ERASURE
5.1 Roles and Responsibility
For each system/service used by HYPR where Personal Data is Processed, a Directly Responsible Individual (“DRI”) within HYPR shall be appointed and be responsible for the retention and erasure of Personal Data processed in that system/service (to be documented by the Data Protection Manager, in conjunction with the Chief Operating Officer and VP of Engineering).
The DRI appointed is typically the department lead for each Business Area/Subsidiary but in some cases, it is the VP of Engineering or Data Protection Manager.
When procuring new IT systems/services from external service providers or developing new systems in-house, the one procuring the external system/service or requesting/sponsoring the in-house development shall be responsible for ensuring that requirements on retention and erasure are included in the system/service specification. The Data Protection Manager shall be consulted where needed.
Some IT systems automatically erase the Personal Data that is processed in the system, i.e. Personal Data is only retained for a specific time period. HYPR shall strive to procure IT systems that support automatic erasure. In cases where automatic erasure is not possible, HYPR shall ensure that Personal Data shall be erased manually within a proper time period.
Personal Data that does not need to be accessed regularly, but which still needs to be retained, should be safely archived, put offline or held in an encrypted/pseudonymised form.
Pseudonymisation is the separation of data from ‘real world’ identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymisation, therefore, may significantly reduce the risks associated with Processing Personal Data, while also maintaining the data’s value. Although pseudonymous data will still be considered Personal Data by the GDPR, this is an important tool to be used when storing Personal Data for an extended period.
5.2 Retention Period Guidelines
For certain categories of Personal Data, there are legal requirements, industry standards and recommendations which govern or indicate applicable retention periods. The attached Schedules contain a non-exhaustive list for each applicable country of recommended and/or mandatory retention periods for a selection of processes related to HR and customer relationships. The list may serve as guidance when determining retention periods for these categories of data within HYPR in the relevant countries.
As mentioned, if there is a legal requirement that information is to be retained for a certain amount of time (e.g. accounting and bookkeeping legislation may prescribe specific retention periods that must be observed), the legal requirement takes precedence over this Policy. However, Personal Data relating to individuals based in the European Economic Area or United Kingdom must be retained or destroyed in compliance with the GDPR, regardless of where that Personal Data is Processed, and the local laws and requirements for the jurisdiction in which that Personal Data is Processed.
5.3 Retention Periods
The tables set out in the attached Schedules state certain recommended retention periods which should be used when defining the retention periods for each system/service used by HYPR. The Data Protection Manager shall be consulted when needed.
As the Personal Data shall be erased when the purpose for which they were collected is fulfilled, different Personal Data in a single system may need to be erased at different times if the system/service contains Personal Data which has been collected for different purposes.
As the requirements to retain the Personal Data vary pursuant to national legislation, Personal Data in a single system/service may need to be erased at different times depending on the country in which the HYPR company is incorporated.
If data is processed and stored in a completely anonymous form, the data will not be deemed Personal Data and is therefore not required to be destroyed from a GDPR perspective (the data may for instance be relevant to keep for statistics purposes).
If some of the systems/services below are provided by a Processor (e.g. as is typically the case when using SaaS solutions), HYPR has to ensure, by way of contractual clauses, that such third party vendor complies with these guidelines and HYPR needs to provide and follow up on instructions provided to the third party as regards the retention/erasure requirements.
6. EXCEPTIONS TO THE RETENTION PERIODS
Under certain limited circumstances, exceptions to the retention periods apply:
- Litigation holds: Personal Data may be retained for as long as reasonably necessary to defend legal claims; consult with the legal department regarding appropriate limitation periods.
- “Right to be forgotten”: If a Data Subject exercises their right to be forgotten, for example when withdrawing their consent, then Personal Data should be deleted if there is no other legal ground to process such Personal Data. Where consent has been withdrawn, deletion may likely still be required, even if the Personal Data could have been processed on the basis of legitimate interest (instead of the now withdrawn consent) since it is evident that the Data Subject would object to such processing. However, if there is a legal obligation to hold the Personal Data, then this must be observed (but the processing of Personal Data should be restricted to this purpose only).
- The data subject’s consent/withdrawal of consent (incl. opt-out): The applicability of the guidelines may be affected where the Data Subject has consented to a longer retention period than that which is set out in the Schedules attached. This requires a clear consent from the Data Subject at the time when the Personal Data was collected, and the Data Subject must have been informed of the purposes of the processing of his or her Personal Data. However, a consent to retain Personal Data indefinitely or for a very long time is likely not valid. Also, consents from employees are often not regarded as freely given and therefore not valid – we must ensure that the employee has a real option (without negative consequences for the employee) to choose to consent or not. Furthermore, if the person withdraws consent (including to opt-out from receiving direct marketing), the Personal Data may need to be deleted where no other legal ground is applicable for the purpose of retaining the Personal Data.
- Statistical purposes: Personal Data may be stored for a longer period than is necessary for the initial purpose insofar as the Personal Data will be processed solely for statistical purposes and subject to appropriate safeguards. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation. If anonymization is sufficient to achieve the purpose, then this shall be used instead.
Guidelines: Retention Periods – UK EXAMPLE
According to UK data protection legislation, including the UK Data Protection Act 2018, and the GDPR, personal data shall be erased (destroyed or anonymized) as soon as the purpose for which the data was collected has been fulfilled. Thus, it is vital for a Processor to know from which sources personal data processed within the organization have been collected and the purpose of the processing.
As for HR-related information, there are several laws and regulations which govern how an employer shall administer its business, e.g. with respect to salary reporting to HM Revenue & Customs, certain aspects of health and safety, administration of sick leave, etc. In order for the employer to abide by these legal requirements, the employer must have access to certain personal data related to the employee for a certain time period. The table below is intended to serve as support in the inventory of all HR related personal data processing undertaken by a company and/or in the drafting of a registry of the personal data processing within HR. The table lists provisions in different HR related laws and regulations which contain requirements related to an employer’s processing of data pertaining to its employees and the time periods for which such data may be processed. The table also lists some general processing areas and advises on how the company shall approach erasure of personal data collected for different purposes.
Although less guidance is available for retention of personal data outside of an HR context, the table below also includes a few guidelines regarding credit rating, customer relationships and marketing.
Please note that this list is not exhaustive and that it shall serve solely as general guidance. If a single set of data may be attributable to more than one process set out below, the longest retention period may be applied for that particular data.
| Process | Personal Data and Processing | Retention Period |
|---|---|---|
| General HR data | Any data which is collected to administer an employment and which is not specifically covered below, such as name, age, gender, next of kin contact details, all personal data processing pertaining to the employee’s email account, grades, CV, references, etc. | HR data shall be erased six years after the employee leaves his or her employment. When employment is terminated, there is normally no reason to keep information about the employee on the company’s website. The information shall therefore be removed within a reasonable time, typically within one month. The employee’s emails may be archived for a period of six years, or longer if legally required. |
|  | Receipt of work applications. Applications may be submitted to the company or through a recruitment agency. Data typically processed in connection herewith is name, CV, interview notes, etc. Occasionally, tests are performed where the test results are kept by the employer. | Personal data in an application, interview notes and information from references may be kept as long as they are relevant in the recruitment process. The data shall thereafter be erased. The employer may however keep the data as long as an applicant who has not been hired may take legal action, e.g. if he/she wants to appeal a decision to hire another applicant. The applicant’s consent is required if the employer wishes to keep data for a longer period for future recruitments. Generally speaking, unsuccessful applicants have six months to bring a claim under various UK discrimination laws, although these time limits can be extended in certain circumstances. Thus, the conclusion is that it is likely permitted to keep personal data which is processed for recruitment purposes for twelve months after an applicant has been notified that he or she did not get the position. A longer retention period than twelve months will be permitted if the applicant has consented to this in connection with the submittal of the application. The information text to which the applicant consents shall contain information on how long the company will keep the application documents, e.g. for two years. |
| Absence – Maternity leave, Parental Leave and the care of a sick child | Receipt of notification and registration of employees’ taking of parental leave and care of sick child days. | Information on parental leave and the care of a sick child should be kept until the child is 18 years old. Information on maternity leave should be retained for three years after the end of the tax year in which the maternity period ends (the Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended). |
| Absence – Vacation | Registration of employees’ vacation day outtake and payment of vacation pay. | This data should be kept for two years and erased upon the expiry of that period. |
| Absence – Sick Leave | Registration and administering employees’ sick leave. | Records should be retained for at least 3 months after the end of the period of sick leave in case of a disability discrimination claim. |
| Absence – Administration of rehab for employees | Registering and administration of rehab for employees and follow-up related hereto. | Personal data shall be erased 6 years following the termination of employment. |
| Absence/Injury – Report of work-related injury/incident | Reporting of work-related injury and incident to managers and safety officers, accident books, accident records/reports. | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) (SI 2013/1471), and the UK Limitation Act 1980, require UK organisations to retain reports of work-related injury/incidents for a period of three years from the date of the last entry (or, if the accident involves a child/young adult, then until that person reaches the age of 21). Special rules apply concerning incidents involving hazardous substances. |
| Finance – Accounting records | Accounting records explaining transactions. | Section 388 of the Companies Act 2006 requires private UK companies to retain accounting records for a period of 3 years. |
| Finance – Administration of occasional pension payments | Administration and payment of occupational pension to employees. | All documents relating to a pension scheme should be retained for the tax year to which they relate and for six years following the end of the tax year. |
| Finance – Payroll | Administration of salary payments, wage/salary records (including overtime, bonuses, expenses). | Six years from the financial year to which they relate (Taxes Management Act 1970). |
| Finance – National minimum wage records | National minimum wage records | Three years after the end of the pay reference period following the one that the records cover (National Minimum Wage Act 1998). |
| Finance – Records relating to working time | Records relating to working time. | Two years from the date on which they were made (the Working Time Regulations 1998 (SI 1998/1833)). |
| Finance – The Tax Authorities | Mandatory HR related reporting, such as income statements, tax deduction, NI returns, attendance records, correspondence with HM Revenue and Customs etc. | Accounting records should be kept not less than three years after the end of the financial year to which they relate. |
| Development and planning – Skills and competency database | Registration of employees’ skills and competencies. | It is necessary to make a distinction between the following two situations: 1. During the employment: Data may be processed on an on-going basis during the term of the employment. However, it may not be kept for an unforeseeable future. If an employee has been employed by the company for decades, it is not reasonable that skills and appraisals from ten years back are stored in the database. It is therefore necessary to erase data at set intervals during the term of the employment, tentatively every six years. 2. Upon termination of employment: Six years after employment ceases. |
| Development and planning – Appraisals and performance measuring | Registration of protocol for appraisals and performance measuring. | Six years after employment ceases. |
| Development and planning – Succession planning | The right of priority list for personnel. | Six years after employment ceases. |
|  | Collection of background information in relation to the termination of an employee, termination documentation, negotiation protocols from negotiations with the union. | Six years after the date of termination. The employer may retain factual information pertaining to the employment after the termination of the employment, such as “employment terminated due to redundancy”, “dismissal” and “termination for personal reasons” and grades and employment certificates with appraisals that the employer has given to the employee. |
|  | Processing of personal data pertaining to individual consultants in order to administer the work performed by the consultant. | Six years after services cease to be provided. |
| Miscellaneous – examples of other types of HR related processing of personal data. | Benefit portals, travel planner for work-related travel, logging of employees’ use of work computer, access control system, CCTV, preventive health care, etc. | Personal data shall be erased six years after employment ceases. Remember to check legal requirements and consider how the company’s business is structured to ensure that all processing within HR is covered and that all such data is erased within the stipulated time frame. |

| Process | Personal Data and Processing | Retention Period |
|---|---|---|
|  | Processing of personal data pertaining to an existing or potential customer for direct marketing actions directed at such individual. | Personal data may be retained for the period specified at the point of collection, until the individual opts out or until HYPR becomes aware that the data is inaccurate. |
|  | Administration of customer relationship, e.g. delivery of goods and/or services, communication with customer, complaints, warranty obligations, etc. | The company may process personal data pertaining to a customer while there is an on-going relationship with that customer. Once the relationship has ended, e.g. because the goods/services have been delivered and fully paid for or the customer has exercised its right to withdraw from the contract, the data should be erased. Please see information above on company’s right to use personal data of previous customers for direct marketing purposes. If the company has a warranty obligation towards the customer, the company should keep the data for the period in which customer may invoke such warranty. Upon the expiry of the warranty period, the company should erase the data. |
| Inactive user account | Processing of personal data pertaining to an inactive user. | Over the course of time, some users will become inactive or unresponsive. An email or other appropriate communication should be sent after 12 months of inactivity asking the user to log in to its account in order to keep it. If the user does not act upon this then the user account and information retained therein should be deleted. However, make sure the above practice complies with terms and conditions applicable to the user account, including the termination and expiration provisions contained therein. This is particularly important if the user has paid for the service (as long as the user pays recurring service fees, the user shall not be considered inactive or unresponsive). |
|  | Collecting of financial information pertaining to a natural individual or sole proprietorship, with the purpose of obtaining a credit rating on such individual or sole proprietorship. | Personal data collected, e.g. from credit rating institutes, with the purpose of obtaining a credit rating shall be erased within three months of collection. |

Last Revised June 28, 2023. Last reviewed August 24, 2023.