I. General Principles of Data Retention
With respect to data privacy regulations to which VCV Inc. (“VCV”) is subject, including the EU General Data Protection Regulation (“GDPR”), VCV’s general policy on data retention can be summarized as follows:
Personal Data shall only be stored as long as necessary for the lawful purpose for which it has been collected and shall be deleted afterwards.
III. Key Principles and Definitions
“Personal Data” means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). It also includes device IDs and IP addresses. See Data Subject Rights Policy for more information.
“Data Subjects” for the purpose of this overview includes all individuals from whom VCV collects Personal Data, including our users and our customers.
See Data Subject Rights Policy for additional definitions.
IV. Retention Schedule
The following schedule provides general retention periods with regard to specific processing activities of VCV. These general periods are subject to potential exceptions listed below.
1. User Data
a. Personal Data that is necessary for the performance of the contract with the user can generally be retained as long as the contract is performed. Title, first name, last name, username or similar identifier and your login/password and other types of Personal Data that are part of the user experience and use of VCV’s services may be retained as long as the user is active and has not requested deletion.
b. This includes:
• [Supplement and adjust as needed]
• E-Mail address;
• Contact data;
• User ID;
• Social media IDs; and
• With regard to financial information: your [credit card number, checking account number]
2. Meta data
a. Meta data on the platform which is needed for the purposes of IT security and maintaining VCV’s platform in general can be retained for the security and safety of the platform, including to prevent the abuse of minors, and therefore may be retained for such purpose for a period of up to three years.
b. This includes:
• IP address; and
• Browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
c. Note: to the extent that meta data is not needed for the three-year period, it should be deleted.
3. Any data collected with valid user consent
a. Regardless of the kind of Personal Data that has been collected, user data can be retained for as long as a valid declaration of consent by the user exists that allows for processing such data. In other words, if a Data Subject withdraws his/her consent, you must delete any and all Personal Data related to such consent.
b. Consent degrades over time and is not valid indefinitely. Therefore, consent should be refreshed at intervals of 2 years. Note: consent is not achieved under the GDPR by means of the Privacy Statement alone.
c. If you rely on parental consent, you will also need to refresh consent as the children grow up and can consent for themselves.
V. End of Retention
1. Exceptions or Alternatives for Deletion
There are exceptions to static retention periods that have to be taken into consideration when the retention period set out in the Retention Schedule under IV. has expired.
a. Personal Data is not supposed to be deleted when there are legal obligations to retain the data (e.g. arising from tax or commercial law). This is particularly relevant with regard to any processed Personal Data concerning financial transactions (e.g. purchases; financial/tax documents) and payment information.
b. Additionally, Personal Data is not supposed to be deleted when it is needed for the establishment, exercise or defense of legal claims (“litigation hold”). In this case, the Personal Data can be retained as long as needed for exercising respective potential legal claims.
Exemplary cases might be:
• Payment issues with users that need to be resolved (e.g. unpaid purchases); or
• A user’s in-service misconduct that gives rise to criminal investigations
c. Instead of deleting the respective Personal Data, erasure can be achieved by means of anonymization. GDPR does not apply where Personal Data is fully anonymized. As a result, the statistical value of the Personal Data, stripped of any personally identifiable information, can be used in the future. Anonymization is advisable in handling the erasure of technical data, e.g. log files. Note: anonymization is not achieved if there is a risk of re-identification.
2. Time frame of deletion
If Personal Data can no longer be retained, it needs to be erased without undue delay. A reasonable time to consider the erasure is approximately one month. However, what is defined as “reasonable time” can be different depending on the complexity of the situation (e.g. obtaining legal advice with regard to possible litigation risks; determining other legal grounds for processing; or evaluating whether exceptions apply).
3. Retention of backup data
It is acceptable for Personal Data that has been removed from databases to remain in backup files, so long as a backup schedule is maintained. If full database backups are maintained for rotating X-week periods, any data removed from the system will no longer be maintained in backup data after X weeks.
VI. Right To Be Forgotten
As set forth in the Data Subject Rights Policy, VCV must comply, where applicable, with a Data Subject’s request to be forgotten. This means that VCV must delete Personal Data where the request to be forgotten is valid.
VII. Additional Data
Any Personal Data that does not correspond to the aforementioned legal bases, that is, Personal Data that is not (a) necessary to enable the use of the platform (see II. above), (b) collected as part of the performance of a contract (see I. above) or (c) collected through valid, periodically updated user consent (see III. above), must be deleted in order to minimize the amount of data that VCV collects and processes. For instance:
• Data that is primarily used for targeting users with advertising, or for profiling purposes, may warrant shorter retention periods, to be determined, but no longer than 30 days.
• It is recommended that meta data that is not solely used to allow the platform to function properly or for user experience, and is then used for analytics, be anonymized or deleted.
• Data that is collected for one purpose, and then used for another, must be properly accounted for from a legal basis, or deleted.