Data Retention and Deletion Policy
Approved by:
- David Kohler
- Jeff Andersen
- Thad Hoskins
Effective Date: 12/1/2023
The official Approved Google Document for this policy can be found here.
Trimble Cloud Core Platform Policy
Interim Policy for Cloud Core Platform [Company Policy will supersede when approved and released]
Purpose
This policy governs Trimble Cloud Core Platform’s directives for implementing procedures for deleting personal data while applying data and record retention rules. Keeping data without implementing data deletion routines increases the cost of operation and the risk of potential data breaches.
This local policy will be replaced by applicable Corporate/Company Policy when that is approved and released.
Scope
This policy applies to Trimble Cloud Core Platform.
Terms and Definitions
Trimble Cloud Core Platform Data Retention Use Cases
Policy
Trimble complies with data protection laws such as the European General Data Protection Regulation (GDPR) as well as document retention requirements. Data protection laws require Trimble to minimize and delete personal data it processes. Data retention rules require Trimble to keep certain data and records.
References:
- Article 5 of GDPR establishes the seven principles for processing personal data, including storage limitation (often called retention limitation): personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” [1].
- Retention limitation is reflected in Trimble’s Data Protection Policy, Section 10 Timely Processing [2]: “We will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all Personal Data which is no longer required.”
- Article 30 of GDPR provides the mechanism for evaluating and documenting this retention period for each processing activity, i.e., Records of Processing Activities (RoPA). Among the other information a RoPA documents, retention periods are required “where possible”: “the envisaged time limits for erasure of the different categories of data” [3].
This policy requires all owners of business processes that use personal data, and of all databases that contain personal data, to develop a data management schedule and a plan to implement it. When developing this schedule, follow this process:
- Identify what data is processed and whether any of it is personal data. To determine whether personal data is involved, consult the [LINK: data categorization policy] [4].
- For new business processes: when deciding what data to process, owners should at the same time determine when and how it can be deleted.
- Determine and document the purpose for which the personal data is processed and when that purpose is normally achieved.
Factors to be considered
When deciding on retention periods, apply the following criteria:
- the volume, nature, and sensitivity (per its classification) of the personal data
- the risks to the individuals the data refers to from unauthorized use or disclosure of the personal data
- the purposes for which Trimble processes the personal data and how long we need the particular data to achieve those purposes
- how long the personal data is likely to remain accurate and up to date
- how long the personal data might be relevant to possible future legal claims (for more details, see below)
- any applicable country-specific or industry-specific legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept
- whether Trimble processes the data on behalf of a customer (Trimble as processor) or for its own purposes (Trimble as controller). In the first case the customer ultimately decides when data is deleted; in the second, Trimble decides. (Examples: data in a Trimble SaaS product: the customer decides; Trimble employee data: we decide; marketing data: we decide.)
Consider data retention
- In principle, once the purpose of its processing is achieved, the personal data must be deleted.
  Example: the data of a job seeker is relevant as long as the application process continues and for [six] more months, during which an applicant could bring a legal claim.
  Example: account data is relevant as long as the user is subscribed, plus a reasonable period during which the user may come back.
- Compliance with a document retention obligation is a legal basis to keep data. In this context, designate the one database that serves as the retention repository. Data may exist in several data sets, but for retention purposes only one copy, in the designated repository, may be kept; other copies follow the normal deletion rules.
- Keeping records in order to defend against legal claims is a permitted purpose for retaining data that is relevant to potential lawsuits. The period can last until the claim is time-barred. For the purpose of defending against legal claims, only the relevant data sets may be kept.
- As an ultimately US-controlled group, Trimble businesses worldwide must be able to implement document holds in case of litigation. A litigation hold is announced by the Trimble legal department; once it is lifted, the applicable data deletion rules apply again.
- After you have decided what retention limits apply to the personal data that is processed, document them as applicable.
Retention Guidance
Reference Cloud Core Platform data retention use cases here:
Where no suggested guideline retention period (see appendix) is specified for a particular category, type, or item of personal data, the appropriate retention period should be decided by considering the criteria mentioned above. Please contact privacy@trimble.com for assistance and guidance in this case.
Data protection law requires us to inform individuals how long we retain their personal data or, if this is not possible, to tell them what criteria we use to determine how long we will keep it. We do this in this Data Retention Policy in conjunction with our Privacy Notice.
As an exemption, retention periods within Data Retention Schedules can be prolonged in cases such as:
- ongoing investigations by any authority, if there is a chance that records of personal data are needed by Trimble to prove compliance with any legal requirement; or
- exercising legal rights in lawsuits or similar court proceedings recognized under local law.
When carrying out a data cleansing/erasure exercise, you must consider whether there is a genuine risk of a legal claim or complaint in the particular circumstances, as we may need to depart from the Guideline Retention Periods if there is.
Reviewing current personal data on a regular basis
Regular reviews of personal data help ensure that personal data is not retained longer than necessary for the identified purposes and that, where necessary, it is kept up to date.
Trimble Cloud Core Platform’s Data Process Owner is responsible for conducting regular reviews of data deletion schedules to ensure that the personal data they cover remains relevant and is not retained for longer than necessary.
- Data Process Owner: Thad Hoskins
Trimble Cloud Core Platform’s Business Process Owners are responsible for:
- identifying data retention use cases;
- keeping Records of Processing Activities up to date;
- notifying the Office of Data Protection when a RoPA needs to be updated (see Triggers below); and
- driving the required Privacy by Design into business process design and implementation.
Triggers for Change Control Action:
- Addition of Processing Activity
  - Addition of Processing Activity unique identifier
  - Processing Purpose
  - Addition of Trimble as Controller where previously the Activity was carried out by Trimble as Processor
  - Addition of Trimble as Processor where previously the Activity was carried out by Trimble as Controller
  - Addition of Legal Basis
  - Addition/Change in Destination Asset (system)
- Entirely new Processing Activity unrelated to previously documented Processing Activities
  - Addition of Processing Activity unique identifier
- Change within Processing Activity
  - Addition of Personal Data
  - Addition/Change of Vendor
  - Change of non-critical RoPA fields (not identified above)
Erasing/destroying Customer and Suppliers details
Erasing means:
- removal of data from Core Platform PaaS workstreams, including replicas in regional data zones and Glacier backup storage
- securely shredding hard-copy files
- deleting electronic records from the online HR portal or other centralized databases, deleting backup records, etc., with no possibility of retrieval
- deleting personal data from electronic devices (including removable storage devices) when it is no longer required (this means not simply deleting files but also emptying the recycle bin on your desktop/laptop/tablet/other devices as applicable)
- ensuring personal data is wiped from redundant devices, e.g. old laptops, mobile phones, memory sticks, performance output data from redundant machinery, etc.
- removing personal data from software, applications, the intranet, etc.
- deleting files from cloud storage drives (such as Google Drive, Microsoft SharePoint, etc.)
- deleting individually held paper and electronic copies of personal data
- following company instructions about the deletion of emails
In addition to deletion, two cryptographic measures count as deletion: irreversible hashing of the data, and encrypting it with AES-256 and then destroying the key (crypto-shredding). Two caveats apply. A bare hash of a low-entropy identifier such as an email address or phone number is not irreversible, because anyone can hash a candidate list and compare; only a hash of data that cannot be guessed or enumerated, or a keyed hash whose key has itself been destroyed, qualifies. And crypto-shredding erases the data only if every copy of the key is destroyed, including key backups and copies cached in applications; the encrypted copies in replicas and Glacier then become unrecoverable without having to locate each one.
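The crypto-shredding variant described above, as an added illustration that is not Trimble's or the Core Platform's code: each subject's record is sealed under its own AES-256-GCM data key, the key lives only in a key store, and erasure is the destruction of that key, after which every replicated copy of the ciphertext is unreadable. The in-memory `KeyStore` stands in for a KMS or HSM, and the subject ID and record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what the data store (and every replica and Glacier
// backup of it) holds: ciphertext and nonce only, never the plaintext and
// never the key. Constructed type for this example.
type EncryptedRecord struct {
	SubjectID  string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for a KMS or HSM-backed vault. Data keys live here and
// nowhere else; shredding a key must also cover the vault's own backups.
type KeyStore struct {
	keys map[string][]byte // subject ID -> 256-bit data key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// ErrKeyShredded is returned once the data key for a subject is gone.
var ErrKeyShredded = errors.New("data key destroyed: record is cryptographically erased")

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh AES-256 data key for the subject and seals the
// record under it. The subject ID is bound as associated data so a ciphertext
// cannot be re-attached to another subject's record.
func (ks *KeyStore) Encrypt(subjectID string, plaintext []byte) (EncryptedRecord, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return EncryptedRecord{}, err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ks.keys[subjectID] = key
	ct := aead.Seal(nil, nonce, plaintext, []byte(subjectID))
	return EncryptedRecord{SubjectID: subjectID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt succeeds only while the subject's data key still exists.
func (ks *KeyStore) Decrypt(rec EncryptedRecord) ([]byte, error) {
	key, ok := ks.keys[rec.SubjectID]
	if !ok {
		return nil, ErrKeyShredded
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.SubjectID))
}

// Shred is the erasure step: overwrite the key bytes, then drop the entry.
// Every ciphertext copy of the record, wherever it was replicated, is now
// unrecoverable without having to locate and delete each copy.
func (ks *KeyStore) Shred(subjectID string) {
	if key, ok := ks.keys[subjectID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, subjectID)
	}
}

func main() {
	ks := NewKeyStore()
	// Constructed sample record for the demo.
	rec, err := ks.Encrypt("subject-1042", []byte("jane.doe@example.com, 12 Rue Example, Paris"))
	if err != nil {
		panic(err)
	}
	pt, _ := ks.Decrypt(rec)
	fmt.Printf("before shred: %s\n", pt)
	ks.Shred("subject-1042")
	_, err = ks.Decrypt(rec)
	fmt.Printf("after shred: %v\n", err)
}
```

Zeroing the slice in `Shred` is best effort: Go does not guarantee that the expanded key inside the cipher object or other copies are gone, which is why the real control is deleting the key material in the KMS (and its backups) and then treating the ciphertext as erased.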
Anonymisation
To comply with GDPR handling requirements for personal data, the ODP recommends the use of pseudonymization techniques to strip data of identifying characteristics. This facilitates use of the data for purposes other than its original collection [5] while adhering to the principles of Privacy by Design set out in GDPR. For this the ODP has selected a tool called Protegrity, which tokenizes data and complies with GDPR’s requirement (Article 4(5)) that the additional information needed to re-identify pseudonymised data be kept separately and under technical and organisational controls [6].
It should be noted, however, that pseudonymized data is still personal data: deletion and retention schedules continue to apply to it under GDPR [7]. Pseudonymised data is also distinct from anonymized data, which GDPR does not define in its articles (Recital 26 describes it) but which is generally understood as data from which no data subject can be singled out, directly or indirectly, by any means reasonably likely to be used [8]. Anonymized data is outside the scope of GDPR because it no longer constitutes personal data.
However, because truly anonymous data is difficult to achieve, and because data anonymized to that standard is generally useless for purposes such as analytics, the ODP recommends pseudonymization as the data protection technique.
To comply with GDPR requirements for pseudonymization, the Protegrity solution tokenizes data so that the personal data in a dataset can no longer be attributed to a particular data subject without the separately held re-identification information, while the dataset keeps its utility for analytics. As a further control, re-identification is governed by a review process intended to restrict access to the detokenization mechanisms to only those individuals designated by the ODP as having a reason to view data in the clear.
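As an added example, not Protegrity's or Trimble's implementation, the following shows the three points made in the erasure and pseudonymization sections above: why an unkeyed hash of an identifier is not "irreversible" (a dictionary attack recovers it), how a keyed token removes that attack for anyone without the key, and how keeping the key and the re-identification table in a separate vault with an approval check gives the governed review path. The `Vault` type, the approver name and the sample email addresses are all constructed for the example; HMAC-SHA256 is used here as a generic keyed tokenization, not as a description of how Protegrity works.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// normalize makes "Jane.Doe@Example.com " and "jane.doe@example.com" yield
// the same token, so rows for one subject stay linkable in analytics.
func normalize(identifier string) string {
	return strings.ToLower(strings.TrimSpace(identifier))
}

// UnkeyedHash is the naive "irreversible hash": a bare SHA-256 of the
// identifier. The function is public and deterministic, which is the flaw.
func UnkeyedHash(identifier string) string {
	sum := sha256.Sum256([]byte(normalize(identifier)))
	return hex.EncodeToString(sum[:])
}

// DictionaryAttack is the attacker's view: hash every candidate identifier
// with the function the attacker believes was used and compare to the token.
func DictionaryAttack(token string, candidates []string, hash func(string) string) (string, bool) {
	for _, c := range candidates {
		if hash(c) == token {
			return normalize(c), true
		}
	}
	return "", false
}

// Vault is the separately held re-identification store (hypothetical stand-in
// for a tokenization service): the HMAC key and the token->identifier table
// live here, never alongside the pseudonymized dataset.
type Vault struct {
	key      []byte
	reverse  map[string]string // token -> normalized identifier
	approved map[string]bool   // principals the ODP has cleared to re-identify
}

var (
	ErrNotApproved  = errors.New("re-identification denied: requester not approved")
	ErrUnknownToken = errors.New("no identifier on file for this token")
)

func NewVault(approvedRequesters ...string) (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	v := &Vault{key: key, reverse: map[string]string{}, approved: map[string]bool{}}
	for _, p := range approvedRequesters {
		v.approved[p] = true
	}
	return v, nil
}

// Pseudonymize issues a keyed token (HMAC-SHA256). Without the vault's key
// the mapping cannot be recomputed, so a dictionary attack on the dataset fails.
func (v *Vault) Pseudonymize(identifier string) string {
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(normalize(identifier)))
	token := "tok_" + hex.EncodeToString(mac.Sum(nil))[:32]
	v.reverse[token] = normalize(identifier)
	return token
}

// ReIdentify is the governed path back to clear data: only approved
// requesters get through, and only for tokens still on file.
func (v *Vault) ReIdentify(token, requester string) (string, error) {
	if !v.approved[requester] {
		return "", ErrNotApproved
	}
	id, ok := v.reverse[token]
	if !ok {
		return "", ErrUnknownToken
	}
	return id, nil
}

// Forget drops the re-identification entry when a subject's retention period
// ends. The key still exists, so rows carrying the token remain pseudonymous
// personal data and stay subject to the deletion schedule themselves.
func (v *Vault) Forget(token string) { delete(v.reverse, token) }

func main() {
	candidates := []string{"alice@example.com", "jane.doe@example.com"} // constructed
	who, _ := DictionaryAttack(UnkeyedHash("Jane.Doe@example.com"), candidates, UnkeyedHash)
	fmt.Println("unkeyed hash reversed to:", who)
	v, _ := NewVault("dpo-reviewer")
	tok := v.Pseudonymize("Jane.Doe@example.com")
	_, found := DictionaryAttack(tok, candidates, UnkeyedHash)
	fmt.Println("keyed token reversed without the key:", found)
	id, err := v.ReIdentify(tok, "dpo-reviewer")
	fmt.Println("approved re-identification:", id, err)
}
```

The separation is the whole point: if the HMAC key or the `reverse` table were stored next to the analytics rows, the tokens would be as reversible as the unkeyed hash, and the dataset would not meet the Article 4(5) definition.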
Archiving: electronic and/or hard copy archiving
Archiving personal data is not erasure. Archiving Cloud Core Platform PaaS workstream data outside the PaaS architecture is prohibited.
Requests for erasure
If Trimble receives a request to erase personal data, we will immediately refer the request to the division’s Data Protection Champion(s) for guidance.
Data Subject Access Request.docx
Reference Documents
Trimble Cloud Core Platform Data Retention Use Cases
Changes to Policy; Relationship
Trimble reserves the right to change, modify, or delete provisions of this policy at any time. The Cloud Core Platform Team is responsible for the administration of this policy. This policy does not change the nature of employees’ employment relationship with Trimble. For US employees, nothing in this policy changes your at-will employment relationship with Trimble.
Footnotes
- GDPR Article 30.1(f), https://gdpr-info.eu/art-30-gdpr/
- If an owner has completed Records of Processing Activities (RoPA) for the business process, the RoPA will contain this information.
- https://www.henrystewartpublications.com/sites/default/files/JDPP2.2ComparingthebenefitsofpseudonymisationandanonymisationundertheGDPR.pdf