Data retention
| 🌐 This document is available in both English and Ukrainian. Use the language toggle in the top right corner to switch between versions. |
1. General description
Description of the data retention on the Platform is a crucial component of information security and transparent data handling. This document outlines key aspects of the policy and strategy for data collection, storage, and deletion from the Platform for state registries.
2. Collecting and uploading data
The Platform gathers data from users through various interactions such as registration, use of services, and communication through user accounts. When developers integrate with external systems, business processes may receive necessary data from other registries.
Data is input and transmitted via encrypted connections to ensure confidentiality.
| Data Type | Subsystems collecting data | Storage location |
|---|---|---|
User-uploaded data |
||
Cross-registry interaction data |
||
Temporary business process data |
||
Analytical data |
||
Historical data |
||
Data backups |
3. Data retention
3.1. Retention duration
To ensure the proper functioning of the Platform and compliance with legal requirements, data is not deleted by default after collection. The retention duration is determined based on the type and purpose of the data to facilitate its use and analysis in accordance with Platform objectives. Temporary business process data is retained until the completion of the business process.
3.2. Deletion rules
Data retention on the Platform is managed with consideration of its value and user needs. To ensure a transparent and responsible approach to data deletion, the following process is proposed:
-
Users have the option to request the deletion of their personal data from the Platform. The request should include justification and explanations for the deletion.
-
Received data deletion requests should be reviewed by the organization (Platform owner), which conducts an analysis and assesses the potential consequences of data deletion for both the user and the Platform.
-
Upon proper review and approval of the data deletion request, the organization (Platform owner) initiates a secure and reliable data deletion process from the registries. This process takes into account technical and security aspects and is performed by the registry administrator.
-
After data deletion, the user is notified of the completion of this process. The organization (Platform owner) must also ensure that the deleted data is no longer available for recovery or use.
-
This approach ensures that data deletion is carried out responsibly and in accordance with user requirements, safeguarding their privacy and security within the registry.
However, a reference to the user’s data should remain in the historical registry data as evidence of the user’s actions performed on the Platform.
3.3. Archiving and backup
Data retention duration on the Platform can only be configured for backups. For a description of the approach and configuration please see Setting up the central components backup schedule and retention time.
3.4. Data transfer and exchange
Cross-registry data transfer support is disabled by default on the Platform for state registries. Rights to enable this functionality are granted only to the Platform administrator. Rights to use data exchange are available to the regulation developer responsible for justifying data exchange.
More information is available at Підсистема зовнішніх інтеграцій