Data Retention and Disposal Policy for Customers in Ffh|erp
Purpose
The purpose of this policy is to ensure that personal data stored in the Fffh|ErpSystem are properly protected and maintained, and that data which are no longer needed because the Customer has not renewed the subscription, or which are of no value, are discarded within a proper period of time. This policy is based on the guidelines provided by the Digital Personal Data Protection (DPDP) Act, 2023.
Scope
This policy covers all Customer records and data stored in the Fffh|ErpSystem.
Out of Scope
This policy does not cover data stored in either digital or paper form outside of the Fffh|ErpSystem. Examples include but are not limited to data on user PCs, file servers, mobile storage, e-mail, SharePoint, network share drives, etc.
Review
This policy must be reviewed regularly to keep pace with work practices, technology developments, and regulatory changes.
Data Retention and Disposal Principle
The principle of “Need to know” shall be applied when retaining or disposing of customer data, as they are all personal data and should be kept in the Fffh|ErpSystem only for maintaining the operation of the customer's business. Data owners should review the necessity and accuracy of the data stored in the system from time to time. No unnecessary personal data should be kept in the system.
Retention of Data
The data of any customer will be retained in the system as long as the subscription of that customer is active and all dues are paid.
Disposal of Data
Records and data of inactive customers will be removed from the systems as soon as they have exceeded the defined retention period.
Currently the retention period is defined as 60 days after the last subscription expiry date.
Suspension of Disposal
Data disposal action will be suspended if the data is involved in any governmental investigation, audit concern or litigation, for any solid reasons raised by the customer, or if the customer renews the subscription before the end of the 60-day period after expiry. The suspension request should be submitted in an official written format, with reasons and evidence provided, to Kris Kross.
Disposal Action
Once a record or data has reached its designated retention period, the designated administrator in the Ffh|Erp Admin team will execute the disposal action that is defined in the disposal schedule. The system administrator needs to send a notification to the customer before and after the disposal action to alert them to the changes in the data.
The disposal of data should be non-reversible. Besides deletion of data in databases or systems, traces in any system logs, archives and backups should be cleared as far as possible.
Data removal from backup media or archives can be deferred for a maximum of 3 months beyond the retention period if there are any technical constraints. The destruction of the backup media or archive should also be recorded with the date, handler and method of destruction.
Data Disposal Log
A “Data Disposal Log” will be maintained for audit purposes. The log will document which set of data has been deleted or destroyed, when, by whom and by what method. Care will be taken to ensure that the log record itself does not contain any personal identifiers.
Exceptions
Data may be retained for a longer period to fulfil contractual or legal obligations or for other reasons. Any request for exceptions to this policy should be submitted in writing to Kris Kross, which will assess the impact, security and risk measure of the request before submitting a recommendation to the Data Administrator for exception from deletion.