Yazi docs
  • Setting up the WhatsApp API number
    • Setting up WhatsApp number
      • Add a Payment Method
      • WhatsApp Profile
      • Get your business manager verified
  • Using Yazi's app
    • Creating the research campaign
      • Creating the research campaign
      • Scripting Survey/Diary Questions
      • Setting up the Interview: Instructions and Objectives
        • AI Interview Prompt Template
    • Inviting Participants
      • Sharing Links to access research
      • Create Template message
      • Send template message
      • Template Message history/stats
    • Results
      • Interviewer Results
      • Survey Results
  • WhatsApp API Pricing
    • Pricing
  • Security
    • Data Security - Executive Summary
    • Yazi Information Security Policy
    • Data Classification Policy
    • Yazi Security and Data Management Policies
    • Yazi Vendor Management Policy
    • Data Retention Policy
    • Business Continuity Plan (BCP)
  • Yazi Process
    • 🎳Quality Control Plan for Yazi Research (Pty) Ltd
Powered by GitBook
On this page
  • 1. Purpose and Scope
  • 2. Data Classification and Retention Periods
  • 3. Automated Deletion Procedures
  • 4. Exception Handling
  • 5. Data Subject Rights and Requests
  • 6. Verification and Audit
  • 7. Roles and Responsibilities
  • 8. Compliance and Documentation
  • 9. Review and Updates
  • 10. Implementation Procedures
  1. Security

Data Retention Policy

1. Purpose and Scope

1.1 Purpose

This policy defines the requirements for retaining and disposing of data collected and processed through Yazi’s WhatsApp research platform. It is designed to ensure that data is only held for as long as necessary to fulfil its purpose and in compliance with all applicable legal requirements, including the Protection of Personal Information Act (POPIA) in South Africa and the General Data Protection Regulation (GDPR) in the United Kingdom and European Economic Area. This policy applies especially to financial services data, while also addressing the retention of personal data and system records.

1.2 Scope

This policy applies to all data handled by Yazi Research (Pty) Ltd, including but not limited to:

  • Survey response data

  • Customer research data

  • System logs and audit trails

  • Backup data

  • Participant personal information

  • Client configuration data

All retention and deletion practices shall adhere to the principles of data minimisation, purpose limitation, and storage limitation as required by POPIA, GDPR, and any other applicable regulations.

2. Data Classification and Retention Periods

Data is categorised based on its nature and the regulatory obligations governing it. The retention periods for each category are as follows:

2.1 Financial Services Research Data

  • Survey Responses: 5 years

  • Customer Feedback: 5 years

  • Transaction-related Research: 7 years

  • Market Research Data: 3 years

  • Client Reports: 7 years

2.2 Personal Information

  • Active Participant Data: Retained for the duration of the research plus an additional 6 months

  • Inactive Participant Data: Retained for 12 months from the last interaction

  • Contact Information: Retained for the duration of the research plus an additional 6 months

  • Consent Records: 7 years

Note: Retention periods are determined by the purpose for which the data was collected and any applicable statutory requirements. Once the retention period expires, data must be securely deleted or anonymised unless a legal hold or other exception applies.

2.3 System Data

  • Access Logs: 2 years

  • Security Audit Trails: 5 years

  • System Backups: Maintained on a 30-day rolling basis

  • Error Logs: 90 days

3. Automated Deletion Procedures

3.1 Automated Processes

To ensure that data is not held longer than necessary, the following automated processes are in place:

  • Daily Scanning: Systems automatically scan all stored data against defined retention rules.

  • Automated Flagging: Data approaching the end of its retention period is flagged for review and deletion.

  • Systematic Deletion: Expired data is systematically and securely deleted in accordance with defined protocols.

  • Verification: Automated systems verify the completion of deletion processes.

  • Audit Trails: Detailed logs of all deletions are generated and maintained for compliance purposes.

3.2 Deletion Methods

  • Soft Delete: Data is initially removed from active systems, making it inaccessible to users while still available for recovery within a defined grace period.

  • Hard Delete: After a 30-day grace period, data is permanently removed from all systems.

  • Backup Purge: Expired data is also removed from backup systems following the respective retention period.

  • Secure Wiping: Where necessary, secure wiping methods that comply with the Department of Defence (DOD) standards or equivalent are applied to ensure irretrievable deletion.

4. Exception Handling

Certain circumstances may require an extension of data retention beyond the standard periods. These include:

4.1 Legal Holds

  • Implementation: A formal process is in place for implementing legal holds when data must be preserved for legal or regulatory investigations or litigation.

  • Documentation: All legal holds must be documented, including the rationale and the duration of the hold.

  • Review: Legal holds are subject to regular review to determine if they are still necessary.

  • Release Procedures: Once the legal hold is lifted, data will be processed for deletion in accordance with this policy.

4.2 Special Circumstances

  • Regulatory Investigations: Extended retention may be required during regulatory or governmental investigations.

  • Client-Requested Extensions: Requests by clients for extended retention, where justified and compliant with applicable law, will be documented and approved.

  • Research Integrity and Dispute Resolution: Data may be retained longer to maintain research integrity or resolve disputes, subject to appropriate documentation and approval.

5. Data Subject Rights and Requests

In line with GDPR (and where applicable POPIA), data subjects have certain rights regarding their personal data. This section outlines how data subject requests impact data retention:

  • Right to Erasure: Data subjects may request the deletion of their personal data, and such requests will be processed in accordance with applicable law. Exceptions may apply if the data is required for compliance with legal obligations.

  • Right to Rectification and Access: Data subjects may request access to and correction of their data, which may affect retention if inaccuracies are discovered.

  • Retention Adjustments: Requests that affect the retention period will be reviewed by the Data Protection Officer (DPO) to ensure compliance with both POPIA and GDPR, while balancing legal obligations and data integrity requirements.

6. Verification and Audit

6.1 Deletion Verification

  • Automated Verification: Systems automatically verify that deletion processes have been completed as scheduled.

  • Manual Spot Checks: Periodic manual checks are performed to ensure compliance with retention rules.

  • Compliance Reporting: Detailed reports summarising deletion activities and any exceptions are generated regularly.

  • Exception Documentation: Any deviations from standard procedures are documented and justified.

6.2 Audit Trail Requirements

Audit trails must include:

  • Retention Period Details: Start and end dates for each retention period.

  • Deletion Timestamps: Precise timestamps indicating when data was deleted.

  • Verification Confirmations: Records confirming that deletion procedures were successfully completed.

  • Exception Records: Documentation of any exceptions or legal holds.

  • Approval Documentation: Sign-off records for all retention-related decisions.

7. Roles and Responsibilities

7.1 Data Protection Officer (DPO)

  • Policy Oversight: Monitors and oversees the implementation of this policy.

  • Exception Approvals: Reviews and approves any exceptions or legal holds.

  • Compliance Monitoring: Ensures all retention and deletion processes comply with POPIA, GDPR, and other relevant legislation.

  • Regular Policy Review: Conducts regular reviews of the policy and recommends updates as necessary.

7.2 Technical Team

  • Automated Systems Implementation: Develops, implements, and maintains automated retention and deletion systems.

  • Verification: Conducts routine verifications of system operations and deletion activities.

  • Maintenance: Ensures that all systems are updated to reflect current retention requirements.

  • Documentation: Maintains detailed technical documentation related to retention processes.

7.3 Client Services

  • Client Communication: Liaises with clients regarding retention schedules and any exceptions requested.

  • Retention Tracking: Monitors client-specific data retention periods and facilitates data subject requests.

  • Reporting: Generates reports on retention compliance and provides these to the DPO and senior management as required.

8. Compliance and Documentation

8.1 Regulatory Requirements

This policy complies with:

  • POPIA: Ensuring the protection and lawful processing of personal information within South Africa.

  • GDPR: Meeting the requirements for data protection and privacy for clients in the United Kingdom and European Economic Area.

  • Financial Sector Regulations: Adhering to any additional data retention requirements specific to financial services.

  • Industry Standards: Aligning with recognised standards and best practices in data security and retention.

8.2 Documentation Requirements

  • Retention Schedules: Detailed schedules outlining retention periods for all data categories.

  • Deletion Logs: Comprehensive logs of all deletion activities.

  • Exception Records: Documentation of all legal holds and retention exceptions.

  • Audit Trails: Secure storage of audit trails for retention and deletion activities.

  • Compliance Reports: Regular reports detailing adherence to regulatory requirements.

9. Review and Updates

9.1 Regular Review

  • Annual Policy Review: The entire policy is reviewed at least once per year.

  • Quarterly Compliance Checks: Regular checks to ensure systems are operating as required.

  • Monthly System Checks: Continuous monitoring of automated processes.

  • Daily Automated Monitoring: Ongoing monitoring to detect any discrepancies in real time.

9.2 Update Procedures

  • Policy Revision Process: Any changes in legal or regulatory requirements will trigger a review and update of the policy.

  • Stakeholder Notification: All relevant stakeholders will be notified of changes.

  • Implementation Timeline: A clear timeline for the implementation of any updates will be established.

  • Training Requirements: Staff will receive training on any significant updates to ensure continued compliance.

10. Implementation Procedures

10.1 Technical Implementation

  • Automated Scanning Systems: Systems in place to continuously scan data against retention rules.

  • Deletion Mechanisms: Secure and verifiable deletion methods, including both soft and hard delete processes.

  • Verification Tools: Tools that confirm the successful deletion of data according to schedule.

  • Audit Logging Systems: Systems to maintain an immutable record of all retention and deletion actions.

10.2 Operational Implementation

  • Staff Training: Regular training sessions to ensure that all personnel understand the policy and their responsibilities.

  • Client Notification: Informing clients of retention periods and any potential impacts of data subject requests.

  • Documentation Updates: Keeping all policy documents and procedures current.

  • Monitoring Procedures: Continuous monitoring to ensure compliance with the policy.

PreviousYazi Vendor Management PolicyNextBusiness Continuity Plan (BCP)

Last updated 2 days ago