Pulso Group Logo
  • Personal Data Protection Policy
  • Data Retention Policy
    1. General Policies
    2. Data Retention Policy

    Data Retention Policy

    Version: 4
    Date: 16/11/2025

    1. Personal Data Protection Policy

    This Policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Pulso Europe BV (further: the “Company”).

    This Policy applies to all business units, processes and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties. 

    This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data).  It is the responsibility of all of the above to familiarize themselves with this Policy and ensure adequate compliance with it.

    This policy applies to all information used at the Company. Examples of documents include:

    • Personal Data collected by providing services in context of EAP
    • Personal Data collected by providing online services
    • Emails
    • Hard copy documents
    • Soft copy documents
    • Video and audio
    • Data generated by physical access control systems

    2. Reference Documents

    • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
    • Personal Data Protection Policy
    • Disposal and Destruction Policy
    • ISO/IEC 27001 A.8.2.3, A.11.2.7 and A.18.1.3

    3. Retention Rules

    3.1 Legal Basis for Retention

    The retention periods for personal data are determined and based on the legal basis of processing under the General Data Protection Regulation (GDPR), where:

    • the Data Subject has given consent to the processing of his/her personal data (Article 6(1)(a));
    • processing is necessary for the performance of a contract (Article 6(1)(b));
    • processing is necessary for compliance with a legal obligation (Article 6(1)(c));
    • processing is necessary to protect the vital interests of the Data Subject (Article 6(1)(d));
    • processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e));
    • processing is necessary for the purposes of the legitimate interests pursued by the controller (Article 6(1)(f)).

    3.2 General Principle

    In the event, for any category of documents not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be 5 years from the date of creation of the document.

    3.3 Retention Schedule

    The Data Protection Officer defines the time period for which the documents and electronic records should to be retained through the Data Retention Schedule.

    As an exemption, retention periods within Data Retention Schedule can be prolonged in cases such as:

    • Ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements; or
    • When exercising legal rights in cases of law suits or similar court proceeding recognized under local law.

    3.4 Safeguarding of Data during Retention Period

    3.4.1 Storage Media

    The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes.

    3.4.2 Secure Storage

    All personal data retained during the retention period must be stored in a manner that ensures confidentiality, integrity and availability in accordance with the Policy on the Use of Encryption.

    3.4.3 Access Control

    Access to data is restricted based on the principle of least privilege, in line with the Access Control Policy. All employees have access privileges corresponding to their role and function.

    3.5 Destruction of Data

    Personal data will be destroyed according to the Disposal and Destruction Policy, or where appropriate and technically feasible, be anonymized or pseudonymized to reduce the risk of identification and to comply with the principle of data minimization (Article 5(1)(c) GDPR).

    3.5 Routine Disposal Schedule

    Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:

    • Announcements and notices of day-to-day meetings and other events including acceptances and apologies;
    • Requests for ordinary information such as travel directions;
    • Reservations for internal meetings without charges / external costs;
    • Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value;
    • Message slips;
    • Superseded address list, distribution lists etc.;
    • Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files;
    • Stock in-house publications which are obsolete or superseded; and
    • Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.

    In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.

    3.6 Data Subject Rights and Retention

    Data Subjects may request the erasure of their personal data under Article 17 Right to erasure of the GDPR. The Data Protection Officer will assess such requests in accordance with Pulso’s obligations under the GDPR. The personal data of the Data Subject will be deleted unless it is still required for the purposes it was collected, if it must be retained to comply with a legal obligation, or if it is needed in regards to a legal proceeding.

    3.7 Compliance

    Any suspicion of a breach of this Policy must be reported immediately to Data Protection Officer. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.

    Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.