Agency Handy

Data Retention & Disposal Policy

1. Purpose

The purpose of this policy is to define the principles and procedures for the retention and secure disposal of personal data processed by Agency Handy, in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws. This ensures that data is not retained longer than necessary and is disposed of in a manner that maintains confidentiality and prevents unauthorized access.


2. Scope

This policy applies to all personal data processed by Agency Handy in its role as a data controller or data processor, including but not limited to customer, employee, vendor, and marketing data, across all departments (HR, IT, Marketing, Sales, Finance).


3. Ownership

The Privacy Compliance Team, under the supervision of the Data Protection Officer (DPO), is responsible for implementing and maintaining this policy. Data owners across departments are accountable for executing retention and disposal procedures specific to their functions.


4. Policy Statement

Data Retention
  • Agency Handy retains personal data only for as long as necessary to fulfil the purpose for which it was collected and to comply with legal, regulatory, or contractual obligations.
  • Retention periods are defined in the Data Retention Schedule maintained by each department and reviewed annually.
  • Data is classified by sensitivity and processing purpose as per the Data Classification Policy.
  • Conflicts between legal, contractual, and operational retention periods are resolved by legal counsel in consultation with the DPO.
  • When data is no longer required, it is either securely deleted or anonymized in accordance with GDPR Article 5(1)(e).

Examples of data retention standards

| Type of Personal Data | Purpose of Collection | Retention Period |
|---|---|---|
| Customer account data (name, email, company) | Service delivery, communication, account management | 6 years after end of customer relationship |
| Marketing data (newsletter subscriptions, campaign interactions) | Consent-based marketing and outreach | Until consent is withdrawn or 2 years of inactivity |
| Employee records (HR, payroll, contracts) | Employment obligations, payroll, benefits | 6 years after termination of employment |
| Job applicant data (CVs, interview notes) | Recruitment and candidate evaluation | 12 months from last interaction |
| Vendor and payment data | Contractual and financial obligations | 7 years from transaction date |
| Analytics & usage data (e.g., Google Analytics) | Site performance and visitor behavior analysis | Up to 14 months (in accordance with Google settings) |
| Support tickets and communications | Customer support and service improvement | 3 years from last contact |

Once the applicable retention period has expired, data is either securely deleted or anonymized, unless continued retention is required for legal or regulatory reasons.

Data Disposal
  • Personal data that has reached the end of its retention period is securely deleted or irreversibly anonymized.
  • Agency Handy follows a documented Data Disposal Procedure to ensure that data is destroyed in such a way that it cannot be reconstructed or recovered.
  • The method of deletion depends on the storage medium:
    • Cloud systems: Purged from all environments and backups
    • Local servers: Overwritten using secure deletion tools
    • Paper records: Shredded or incinerated by authorized vendors
  • In cases where contractual obligations require extended retention, such conditions must be documented and approved by the legal team.


5. Lawful Bases of Retention

Agency Handy retains personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, in line with the lawful bases defined under the General Data Protection Regulation (GDPR). The lawful bases that justify data retention include:

  • Contractual Necessity – Where retention is necessary for the performance of a contract to which the data subject is a party (employee records, customer account data).
  • Legal Obligation – Where we are required to retain data to comply with applicable laws, regulations, or tax/accounting obligations (payroll records, financial transactions, employee tax filings).
  • Legitimate Interests – Where retention is necessary for Agency Handy’s legitimate interests, such as defending legal claims, maintaining business continuity, or improving services, provided such interests are not overridden by the rights and freedoms of the data subject.
  • Consent – Where the data subject has given explicit consent to retain their data for a specified purpose (marketing subscribers, applicant pool retention).
  • Vital Interests / Legal Claims – In limited circumstances, personal data may be retained to protect an individual’s vital interests or for the establishment, exercise, or defense of legal claims.


6. Related Control

  • Privacy Notice
  • Data Breach Management Policy
  • Internal Data Protection Policy


7. Review and Updates

This policy is reviewed annually or in response to significant changes in regulation or business processes.


8. Notification 

Agency Handy is committed to transparency regarding the retention and disposal of personal data. In accordance with Articles 13 and 14 of the GDPR, data subjects are informed at the time of data collection (or within a reasonable period thereafter) of:

  • The purpose and legal basis for processing their personal data
  • The applicable retention period or the criteria used to determine it
  • Their rights related to data access, rectification, erasure, restriction, objection, and data portability
  • The right to withdraw consent (where applicable)
  • The right to lodge a complaint with a supervisory authority

Where personal data is to be retained beyond its original purpose or for a longer period than initially communicated, Agency Handy will notify the data subject of the change and the reason for extended retention, unless this is prohibited by law or such notification proves impossible or involves disproportionate effort.

If a data subject requests erasure of their data (“right to be forgotten”), Agency Handy will assess the request in light of existing retention obligations and inform the data subject of the outcome, including reasons if the request is denied due to overriding legal obligations.


9. Data Anonymisation and Audit

Where the continued storage of personal data is required for statistical, research, or analytical purposes but not for identifying individuals, Agency Handy will implement data anonymisation techniques in line with GDPR Recital 26 and industry best practices. Anonymised data is no longer considered personal data and may be retained for longer periods, provided it cannot be re-identified using any reasonably available means.

Anonymisation may involve:

  • Removal or masking of identifiers (names, email addresses, IDs)
  • Aggregation of data sets to remove individual-level traceability
  • Hashing or pseudonymisation where appropriate safeguards are applied

To ensure ongoing compliance with data minimisation and storage limitation principles, Agency Handy will conduct periodic audits of retained data, with a focus on:

  • Verifying that personal data still serves a lawful retention purpose
  • Identifying data sets eligible for anonymisation or secure deletion
  • Reviewing systems, databases, and cloud storage for orphaned or legacy data

Audit findings are documented and reviewed by the Privacy Compliance Team and the Data Protection Officer (DPO). Non-compliant data holdings will be flagged for immediate remediation, which may include secure deletion or anonymisation.


10. Contact

For questions or concerns about this policy, please contact:

  • [Robat Das]
  • [orvi@agencyhandy.com]
  • Agency Handy PTE LTD, 151 Chin Swee Road #02-24 Manhattan House, Singapore (169876)