Data Retention: Difference between revisions
(Created page with "==Regulation And UK Law== As of January 2020, Bittylicious Ltd is now a "relevant person" for the purposes of retaining customer records under the Money Laundering, Terror...") |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
==Regulation And | ==Data Protection, Regulation And Isle of Man Law== | ||
Bittylicious is registered as a Designated Business with the Isle of Man's Financial Services Authority. As such, it has certain responsibilities with regard to customer data retention which may not apply to companies operating in other industries. | |||
Here is the exact wording | According to paragraph 33 of the [https://www.gov.im/media/470621/anti-moneylaunderingandcounteringthefinancingofterrorismcode2015.pdf Anti-Money Laundering and Countering the Financing of Terrorism Code 2015], Bittylicious is required to store user data for at least 5 years even after accounts are marked as deleted: | ||
* (1) | Here is the exact wording from the Anti-Money Laundering and Countering the Financing of Terrorism Code, paragraph 33: | ||
* ( | |||
** ( | <blockquote>'''33 Record retention | ||
** ( | *(1)A relevant person must keep the records required by this Code for at least 5 years | ||
* ( | **(a)in the case of records required by paragraph 32(b), from the date of the completion of the transaction; and | ||
** (a) | **(b)in other cases, from the date when | ||
** (b) that | ***(i)all activities relating to anoccasional transactionor a series of linked transactions were completed; or | ||
***(ii)in respect of other activities | |||
****(A)the business relationship was formally ended; or | |||
****(B)if the business relationship was not formally ended, when all activities relating to the transaction were completed. | |||
*(2)Without limiting sub-paragraph (1), if | |||
**(a)a report has been made to a constable under paragraphs26(1)(f)and 28; | |||
**(b)the relevant person knows or believes that a matter is under investigation by a competent authority; or | |||
**(c)the relevant person becomes aware that a request for information or an enquiry is underway by a competent authority,the relevant person must retain all relevant records for as long as required by the constable or competent authority as the case may be. | |||
</blockquote>''' | </blockquote>''' | ||
The legislation does not specify a maximum number of years for data retention. This being the case, and following common industry practice, Bittylicious retains data for 5 years from the date of deletion. | |||
When the account is marked as deleted, we set a flag meaning the account can no longer be registered again. After 10 years, any sort of identifiable data, including uploaded data, will be automatically deleted. | |||
==GDPR Article 17 Right To Erasure== | ==GDPR Article 17 Right To Erasure== | ||
The GDPR specifically allows for instances where Article 17 (right to erasure) conflicts with other | The Isle of Man is not a member of the European Union. Even though Isle of Man legislation specifically introduced the GDPR into law, the GDPR itself specifically allows for instances where Article 17 (right to erasure) conflicts with other legislation, even in member states. | ||
In the case of Bittylicious, Isle of Man legislation is the only applicable law, namely the [https://www.gov.im/media/470621/anti-moneylaunderingandcounteringthefinancingofterrorismcode2015.pdf Anti-Money Laundering and Countering the Financing of Terrorism Code 2015], as described above. | |||
Bittylicious therefore not only has the right, but has an explicit duty under Isle of Man law, to retain these records for longer than companies which are not registered as a Designated Business might. It is unfortunate that the legislation does not explicitly set an upper limit of years for record retention. This being the case, Bittylicious follows common industry practice and retains records for 5 years, enabling it to comply fully with its anti-money laundering and counter-terrorism financing duties as a Designated Business. |
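Review bot: The added retention paragraphs give different periods: one says Bittylicious "retains data for 5 years from the date of deletion", the next says identifiable data is automatically deleted "After 10 years", and the closing GDPR paragraph again says 5 years. State a single retention period, or explain how the 5-year and 10-year figures relate. Separately, in the quoted paragraph 33 the bold markers (''') open inside the blockquote and close after its closing tag; close the bold directly after the "33 Record retention" heading instead.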
Latest revision as of 10:26, 7 March 2024
Data Protection, Regulation And Isle of Man Law
Bittylicious is registered as a Designated Business with the Isle of Man's Financial Services Authority. As such, it has certain responsibilities with regard to customer data retention which may not apply to companies operating in other industries.
According to paragraph 33 of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015, Bittylicious is required to store user data for at least 5 years even after accounts are marked as deleted.
Here is the exact wording from the Anti-Money Laundering and Countering the Financing of Terrorism Code, paragraph 33:
33 Record retention
- (1) A relevant person must keep the records required by this Code for at least 5 years
  - (a) in the case of records required by paragraph 32(b), from the date of the completion of the transaction; and
  - (b) in other cases, from the date when
    - (i) all activities relating to an occasional transaction or a series of linked transactions were completed; or
    - (ii) in respect of other activities
      - (A) the business relationship was formally ended; or
      - (B) if the business relationship was not formally ended, when all activities relating to the transaction were completed.
- (2) Without limiting sub-paragraph (1), if
  - (a) a report has been made to a constable under paragraphs 26(1)(f) and 28;
  - (b) the relevant person knows or believes that a matter is under investigation by a competent authority; or
  - (c) the relevant person becomes aware that a request for information or an enquiry is underway by a competent authority, the relevant person must retain all relevant records for as long as required by the constable or competent authority as the case may be.
The legislation does not specify a maximum number of years for data retention. This being the case, and following common industry practice, Bittylicious retains data for 5 years from the date of deletion.
When the account is marked as deleted, we set a flag meaning the account can no longer be registered again. After 10 years, any sort of identifiable data, including uploaded data, will be automatically deleted.
GDPR Article 17 Right To Erasure
The Isle of Man is not a member of the European Union. Even though Isle of Man legislation specifically introduced the GDPR into law, the GDPR itself specifically allows for instances where Article 17 (right to erasure) conflicts with other legislation, even in member states.
In the case of Bittylicious, Isle of Man legislation is the only applicable law, namely the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015, as described above.
Bittylicious therefore not only has the right, but has an explicit duty under Isle of Man law, to retain these records for longer than companies which are not registered as a Designated Business might. It is unfortunate that the legislation does not explicitly set an upper limit of years for record retention. This being the case, Bittylicious follows common industry practice and retains records for 5 years, enabling it to comply fully with its anti-money laundering and counter-terrorism financing duties as a Designated Business.