Last updated: 2024-12-20
1. Overview
Implementing a procedure for retaining, destroying and anonymizing personal information is important to ensure the protection of individual privacy, comply with privacy laws, prevent privacy incidents involving personal information and security breaches, maintain customer confidence and protect the organization's reputation.
2. Objective
The purpose of this procedure is to guarantee the protection of individual privacy and to comply with legal obligations regarding the protection of personal information.
3. Scope
The scope of this procedure should cover the entire life cycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, retention, destruction and anonymization of personal information in accordance with legal requirements and good privacy practices.
4. Definitions
- Personal information: any information that directly or indirectly identifies a natural person.
- Retention: secure storage of personal information for the required length of time.
- Destruction: deletion, elimination or permanent erasure of personal information.
- Anonymization: the process of modifying personal information in such a way as to no longer allow direct or indirect identification of the individuals concerned.
5. Procedure
a. Retention period for personal information
i. Personal information has been categorized as follows:
- Information concerning the company's employees,
- Information concerning members of the board of directors,
- Information about members of the organization,
- Client information.
ii. The retention period for each of these categories has been established as follows:
- Company employees and subcontractors: 10 years after termination of employment or contract.
- Customers: variable depending on the type of personal information.
- Leads: variable depending on the type of personal information.
For further details, please refer to the complete inventory of personal information held.
b. Secure storage methods
i. Personal information can be found at the following locations:
1. Ciao network
2. Manitou
3. Ciao data warehouses
4. CDAE files
5. Zoho recruits
6. HubSpot
7. SharePoint and Google Drive
ii. The degree of sensitivity of each of these storage sites has been established.
iii. These storage facilities, whether paper or digital, are adequately secured.
iv. Access to these storage facilities has been restricted to authorized persons only.
c. Destruction of personal information
i. Personal information on paper must be completely shredded.
ii. Digital personal information must be completely deleted from devices (computers, phones, tablets, external hard drives), servers and cloud tools.
iii. Destruction must be carried out on the planned destruction dates, which are based on the retention period established for each category of personal information.
iv. Care must be taken to ensure that destruction is carried out in such a way that personal information cannot be recovered or reconstituted.
d. Anonymization of personal information
i. Personal information should only be anonymized if the organization wishes to retain and use it for serious and legitimate purposes.
ii. The chosen method of anonymizing personal information is generalization.
iii. It must be ensured that the remaining information irreversibly no longer allows the direct or indirect identification of the individuals concerned, and that the risk of re-identification of anonymized data is regularly assessed by means of tests and analyses to guarantee the effectiveness of the anonymization.
e. Staff training and awareness
i. Ensure that regular training is provided to employees on the procedure for retaining, destroying and anonymizing personal information, as well as on the risks associated with breaches of privacy.
ii. This also includes raising staff awareness of proper data security practices and the importance of complying with established procedures.