Define the dataset and retention policy involved in the processing activity.
Article 30 of the GDPR also requires the registration of the categories of data processed.
it is a question here of defining the categories of data processed. These can be said to be common or sensitive. A distinction is made between data which present a greater risk to natural persons such as data relating to the health of persons, data relating to political opinions or trade union activity. Data relating to offenses or other measures for the execution of sentences also constitute particularly protected data.
Similarly, the social security number can be considered as a special category data.

Special category data

The collection of sensitive data is in principle prohibited. Only the exceptions provided for in article 9 of the GDPR allow them to be collected.

Data retention

The limited retention of data is part of the general principles of personal data law and is recalled in Article 5 1. e) of the GDPR. Special category should be
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The retention period depends on the purpose of the processing and the nature of the data. The retention periods can be defined according to the types of data. For example, for payroll management, the data relating to the salary slip are kept for 1 month in active database and 5 years in intermediate archiving while the data relating to the transfer order for payment are kept for the time necessary for the 'issue of the payslip on an active basis and 10 years from the closing in an intermediate archive.
The duration can be expressed in value or, if this is not possible, the criteria used to define the retention period (until unsubscription for example). It is recommended to set up procedures to manage the retention periods at the level of the category of data and in particular, manage purges or destruction of data.
Last modified 2yr ago