Data retention policy
Soal aims to retain data only as necessary to carry out its operations effectively and in alignment with its mission. The requirement for data retention varies greatly with the type of data and the reason for its collection. Soal works to ensure that data is retained only for the period required to fulfill the purpose for which it was collected and is fully deleted when no longer necessary. This policy outlines Soal’s guidelines on data retention and should be consistently applied throughout the organization.
1. Scope
This policy encompasses all data gathered by Soal and stored on systems and media owned or leased by Soal, irrespective of location. It is applicable to both electronically collected and stored data (including photographs, video, and audio recordings) and data gathered and stored as hard copy or paper files. The necessity to retain specific information may be necessitated by federal or local law, federal regulations, legitimate business purposes, and the EU General Data Protection Regulation (GDPR).
2. Reasons for Data Retention
Soal retains only data necessary to conduct its operations effectively, fulfill its mission, and comply with applicable laws and regulations. Reasons for data retention include:
- Delivery of an ongoing service to the data subject
- Compliance with laws and regulations associated with financial and operational reporting
- Compliance with labor, tax, and immigration laws
- Other regulatory requirements
- Security incident or other investigation
- Preservation of intellectual property
- Legal proceedings
3. Data Duplication
Soal aims to minimize data duplication wherever possible. Nonetheless, there may be instances when for operational or other business reasons, data needs to be held in more than one place. This policy applies to all data in Soal’s possession, including duplicate data.
4. Retention Requirements
Soal has established the following guidelines for retaining personal data:
- Website visitor data: retained as long as necessary to deliver the requested service.
- Contributor data: retained for the year of contribution and 1 year following the last contribution.
- Event participant data: retained for the duration of the event and any follow-up activities, plus 1 year.
- Program participant data: retained for the duration of the grant agreement financing the program and any additional time required under the agreement.
- Subgrantees, subcontractors, and vendors’ personal data: retained for the duration of the contract or agreement.
- Employee data: retained for the duration of employment and 1 year following the last day of employment.
- Employee wages, leave, and pension data: retained for the duration of employment plus 1 year.
- Recruitment data: retained for 1 year after the conclusion of the recruitment process.
- Consultant data: retained for the duration of the consulting contract plus 1 year following the end of the consultancy.
- Board member data: retained for the duration of board service and 1 year following the end of the member’s term.
- Tax payments data: retained for 1 year.
- Operational data: retained for the period required by Soal’s donor, but not more than 1 year.
5. Data Destruction
Data destruction ensures the responsible and efficient management of the data controlled and processed by Soal When the data retention period expires, Soal will actively destroy the data covered by this policy. If an individual believes there is a valid business reason why certain data should not be destroyed at the end of a retention period, they should identify this data to their supervisor and provide reasons why the data should not be destroyed. Exceptions to this data retention policy must be approved by Soal’s data protection officer in consultation with legal counsel. In rare instances, a litigation hold may be issued by legal counsel prohibiting the destruction of certain documents. A litigation hold remains in effect until released by legal counsel and prevents the destruction of data subject to the hold.