为特定数据或业务制定专业的数据保留政策,确保合规和安全。
数据保留政策(客户合同与投诉) 1. 目的与适用范围 - 本政策规定组织在客户合同与客户投诉业务中对个人信息及相关业务记录的保留期限、管理要求和处置流程,以满足合规(如GDPR、CCPA/CPRA等)和业务防御需求,并贯彻数据最小化与存储限制原则。 - 适用于与客户合同签订、履约、账务与税务处理、客户投诉受理与调查,以及与数据主体请求相关的记录。 - 本政策为全球基线。各法域的强制性保留期限、诉讼时效或行业监管要求如更长或更短,应以当地“法律保留与期限清单”(Local Retention Schedule)为准。 2. 合规原则 - 存储限制(GDPR 第5条第1款(e)):仅在达成明确目的所需期间内保留数据。 - 数据最小化(GDPR 第5条第1款(c)):仅保留必要信息,避免过度保留。 - 合法性与透明度(GDPR 第6条、CCPA/CPRA):在隐私声明中公开各类别个人信息的保留期限或确定方法;不得超过实现收集目的所需的合理时间。 - 删除权与例外(GDPR 第17条):在不再需要且无法律义务或合法权益(如诉讼防御)时删除;当存在法定保留或法律保留(Litigation Hold)时可拒绝或延后删除。 - CCPA/CPRA记录要求:对消费者权利请求及回应的记录需至少保留24个月(法规要求),并仅用于合规审核与防御。 3. 角色与责任 - 数据保护官/隐私办公室:制定与维护本政策;审批例外;监督合规。 - 法务:确定各司法辖区诉讼时效与监管保留要求;维护Local Retention Schedule。 - 业务与客服:按分类标记合同与投诉数据;按期限执行删除或匿名化。 - IT/安全:落实访问控制、加密、日志、备份与删除自动化;记录销毁证据。 - 财务:负责账务与税务记录的法定保留期限与处置。 4. 数据分类与保留期限(全球基线) 注:以下为基线;若当地法律或合同义务规定不同,以较长的强制期限为准。 - 客户主档与合同文本(主合同、修订、附加条款、SOW) 保留期限:合同终止或到期后7年。 依据与理由:合同履行与后续索赔防御的合理期限;兼顾多数法域3–10年诉讼时效差异。 - 履约与交付记录(验收、服务绩效、里程碑、关键沟通) 保留期限:合同终止后7年,与合同一致。 - 账单、发票、付款与税务凭证 保留期限:遵从各地税务/会计法定期限(通常为5–10年不等)。如无明确要求,基线为7年。 说明:以财务部门的Local Retention Schedule为准。 - 投诉工单与调查材料(投诉详情、证据、处理记录、结论与整改) 保留期限:结案后4年。 依据与理由:覆盖多数消费者/合同相关索赔的常见时效范围,便于防御与趋势分析。 - 与数据主体请求相关的记录(访问、更正、删除、拒绝与响应依据) 保留期限:至少24个月(满足CCPA/CPRA监管记录要求);基线建议3年用于合规证明与争议防御。 - 安全审计日志(与合同及投诉处理系统相关) 保留期限:12–24个月,基线18个月;高风险系统可延长。 - 系统备份 保留期限:滚动备份,不超过90天;用于灾难恢复。到期自动覆盖;应支持定向删除或密钥销毁,确保保留期到期的数据不可恢复。 - 去标识化/匿名化的投诉分析与合同运营指标 保留期限:不设限,但必须采用不可逆匿名化,确保不再属于个人信息;保留匿名化过程与技术说明。 5. 处置与匿名化要求 - 到期处置流程: 1) 到期数据自动进入删除队列; 2) 若存在法律保留、监管审计或内部调查需求,暂停删除并记录原因与期限; 3) 删除完成后输出销毁审计记录(含数据类别、范围、方法、时间、责任人)。 - 处置方法: - 电子数据:使用经验证的擦除标准(如多次覆盖或加密密钥销毁)。 - 纸质文件:交付合规的碎纸/焚毁服务,保留销毁证明。 - 匿名化与保留: - 对业务必需的统计与改进目的,优先采用匿名化而非长期保留可识别信息; - 匿名化须不可逆,剥离直接与间接识别符,并通过重识别风险评估。 6. 安全与访问控制 - 访问最小化与角色权限:合同与投诉数据采用最小权限访问;敏感附件(证据材料)采用更严格审批。 - 加密:静态与传输中加密;密钥管理分离与轮换。 - 审计与监控:保留访问与删除操作日志;对异常访问与批量导出进行告警。 - 数据分离:投诉证据与合同主数据分区存储,降低横向访问风险。 7. 法律保留(Litigation Hold)与例外 - 触发条件:收到诉讼、仲裁、监管调查或合理预期纠纷。 - 执行:标记相关数据,暂停删除与覆盖;解除后按到期立即处置。 - 记录:保留法律保留的通知、范围与解除日期。 8. 跨境与供应商管理 - 跨境传输不改变保留期限要求;应确保数据在各地均依本政策到期处置。 - 委托处理者/供应商合同中必须明确保留期限、处置方式、法律保留配合与销毁证明输出要求。 - 定期审计供应商的保留与删除控制。 9. 隐私声明与透明度 - 在面向客户的隐私声明中,按类别披露保留期限或确定标准(例如“合同到期后保留7年,用于合规与争议防御”)。 - 对投诉受理渠道明确告知必要信息、保存时长与用途。 10. 数据主体权利请求的处理 - 在保留期内,如收到删除请求且不再存在合规义务或合法权益防御需求,则删除并记录。 - 如需拒绝或延迟删除(如税务保留、法律保留),在法定期限内明确告知理由、适用依据与预计解除时间。 11. 实施与治理 - 数据标记:在系统中为合同与投诉数据打上“类别+到期日期”标签;自动计算到期。 - 定期清理:至少每季度执行到期数据清理与报告;隐私办公室与法务复审抽样结果。 - 政策评审:每年审查本政策与Local Retention Schedule,或在法规变化、业务模型变更时即时更新。 - 培训:对相关岗位进行保留与处置流程培训;加入入职与年度再认证。 12. 关键参考与说明 - GDPR:第5条(存储限制与数据最小化)、第6条(合法性)、第17条(删除权与例外)、第30条(处理活动记录)、第32条(安全)。 - CCPA/CPRA:要求不超必要期限保留;隐私声明披露保留期限或确定标准;法规要求对消费者权利请求与回应记录至少保留24个月。 - 地方法律与行业规范(税务、会计、金融、医疗等)可能规定不同的最低保留要求;应以Local Retention Schedule为准。 附:Local Retention Schedule维护指引 - 法务每年汇总并更新各法域的: - 合同与消费者相关索赔的诉讼时效; - 会计与税务记录保留年限; - 行业监管(如金融、医疗、电信)特定保留义务; - 记录要求(如消费者请求记录的法定最低期限)。 - IT据此在系统配置到期规则与删除计划;业务按新期限执行。 说明 - 本政策选择的“7年合同/4年投诉”基线为风险与运营的平衡做法,并非一刀切的法律要求。若当地强制期限更长或更短,应适配并以法定期限为准。
Data Retention and Disposal Policy for Registration and KYC Data 1. Purpose and Scope - Purpose: Define mandatory retention, minimization, and disposal requirements for customer registration and Know Your Customer (KYC) data to ensure compliance with data protection and anti-money laundering (AML) obligations. - Scope: Applies to all systems, environments, regions, and third parties that collect, process, store, or dispose of registration and KYC data for customers, prospective customers, and beneficial owners. - Regulatory drivers: GDPR (including storage limitation and data minimization), CCPA/CPRA (retention disclosure and purpose limitation), applicable AML laws (e.g., EU AMLD/UK MLR requiring 5-year retention of CDD records; FinCEN rules requiring 5-year retention of certain AML records in the U.S.), ePrivacy/telecom retention rules where applicable, and local statute-of-limitations and recordkeeping laws. 2. Definitions - Registration Data: Information collected to create and maintain an account or profile (e.g., name, contact details, credentials, device identifiers, basic demographics, communication preferences). - KYC/CDD Data: Identity verification data and records collected to satisfy AML/CTF obligations, including identity documents, verification outputs, risk assessments, sanctions/PEP screening results, beneficial ownership, and ongoing monitoring artifacts. - Relationship End: The later of (a) account closure/termination and (b) the last customer-initiated activity or financial transaction, unless otherwise defined by local law. - Anonymization: Irreversible de-identification such that individuals are no longer identifiable by any means reasonably likely to be used. - Legal Hold: Suspension of normal retention/destruction due to litigation, regulatory inquiry, or investigation. 3. Roles and Responsibilities - Data Protection Officer (DPO)/Privacy: Owns policy, validates regulatory alignment, approves exceptions. - AML Compliance: Confirms AML retention obligations and evidence requirements. - Data Owners/System Owners: Implement retention schedules and deletion controls within their systems. - Information Security: Ensures secure storage, encryption, access control, and secure disposal. - Procurement/Vendor Management: Ensures third-party contracts enforce equivalent retention and deletion obligations. - Engineering/IT Operations: Implements automation, logging, backup handling, and verification of deletion. 4. Legal and Regulatory Principles - Storage limitation: Retain personal data no longer than necessary for the stated purpose or as required by law. - AML precedence: Where AML laws require retention (commonly 5 years from Relationship End; some jurisdictions allow an additional period if necessary and proportionate), these requirements override routine deletion, subject to strict access controls. - CPRA transparency: Disclose retention periods (or criteria) by category of personal information in the privacy notice and avoid retaining longer than reasonably necessary. - Rights and exemptions: Honor data subject/consumer rights; where AML or legal obligations apply, deny or limit deletion/objection requests to the extent required, documenting the legal basis. 5. Data Categories, Purposes, and Retention Schedule Note: Periods below are defaults; apply stricter local rules where they exist. “Relationship End” is the default trigger for KYC retention. A. Registration Data - Account profile (name, email/phone, username, preferences, identifiers): - Retention: For the life of the account + 2 years after Relationship End. - Purpose: Account servicing, fraud prevention, dispute handling. - Rationale: Reasonably necessary for support and limitation periods; reduce if local statutes are shorter. - Disposal: Secure deletion or irreversible anonymization. - Authentication and access logs (login, MFA events, device/browser fingerprinting where applicable): - Retention: 12 months rolling; extend to 24 months for elevated-risk services or if required by security standards. - Purpose: Security monitoring, fraud prevention, incident response. - Disposal: Secure deletion. - Unverified/abandoned registrations: - Retention: 90 days from last activity; extend to 12 months if fraud signals are present. - Purpose: Account recovery assistance, abuse prevention. - Disposal: Secure deletion; retain only hashed identifiers if necessary for abuse prevention. B. KYC/CDD Data - Identity documents (passport/ID images, document numbers, proof of address): - Retention: 5 years after Relationship End (default AML baseline). Only extend beyond 5 years if explicitly required by local law/regulator and documented. - Purpose: Evidence of CDD/KYC compliance. - Disposal: Secure deletion; ensure redaction or destruction of images and document scans across all storage. - Verification outputs (liveness results, match scores, document authenticity results, verification timestamps): - Retention: 5 years after Relationship End. - Purpose: Demonstrate KYC control effectiveness to regulators/auditors. - Disposal: Secure deletion or retain minimally necessary metadata if mandated. - Biometric data used for KYC (face images, templates, liveness video): - Retention: Delete raw biometric images/videos immediately after verification or within 24 hours where immediate deletion is not technically feasible. Do not retain biometric templates unless strictly necessary and justified by law; if retained, limit to 5 years after Relationship End with heightened controls and conduct a DPIA. - Purpose: Identity verification. - Disposal: Secure deletion; ensure vendors also purge promptly. - Sanctions/PEP screening results and watchlist hits, including adverse media summaries: - Retention: 5 years after Relationship End; or 5 years from screening date for point-in-time screenings—whichever is later. - Purpose: AML/CTF compliance, audit trail. - Disposal: Secure deletion; retain minimal identifiers if needed to prevent re-onboarding of sanctioned parties as permitted by law. - Customer risk assessments and periodic KYC reviews (risk scores, rationale, reviewer notes): - Retention: 5 years after Relationship End. - Purpose: Ongoing due diligence evidence. - Disposal: Secure deletion. - Transaction monitoring alerts related to KYC/CDD and supporting documentation: - Retention: As per AML law; default 5 years from alert closure or filing date of related report. - Purpose: AML monitoring evidence. - Disposal: Secure deletion following AML retention expiry. - Suspicious activity/transaction reports (SAR/STR) and supporting records: - Retention: As required by applicable jurisdiction (commonly 5 years from filing). Do not disclose existence of SAR/STR to the customer. - Purpose: Legal compliance. - Disposal: Secure deletion after statutory period; retain legal hold if instructed by regulator/law enforcement. - Failed/denied KYC attempts (mismatches, fraud flags): - Retention: 1 year from final decision; extend up to 3 years where necessary for fraud prevention and allowed by local law. - Purpose: Prevent re-attempted fraud; audit trail. - Disposal: Secure deletion; document balancing test if relying on legitimate interests. C. Business Communications Related to Registration/KYC (emails, notices) - Retention: 2 years after Relationship End, or aligned to enterprise email retention policy if stricter. - Purpose: Evidence of notices and user communications. - Disposal: Secure deletion in line with enterprise records policy. 6. Triggers and Exceptions - Standard triggers: Relationship End; decision date for failed/denied KYC; last activity for abandoned registrations; closure date for monitoring alerts. - Legal holds: Suspend deletion immediately upon notice; document scope and duration; resume deletion once hold is lifted. - Extended retention: Only when (a) required by law or regulator, (b) necessary for establishment, exercise, or defense of legal claims, or (c) to investigate security incidents or fraud. Document justification and review every 12 months. 7. Data Minimization and Anonymization - Collect only data required for registration and AML/KYC purposes. - Prefer storing verification outcomes and minimal metadata over raw documents/biometrics. - Where analytics are needed, use anonymized or properly pseudonymized datasets with re-identification keys stored separately and for limited durations. 8. Security Controls for Retained Data - Encryption: Data at rest and in transit using industry-standard cryptography; manage keys via centralized KMS; rotate keys per policy. - Access: Role-based access control with least privilege; restrict KYC access to vetted AML personnel; multi-factor authentication; quarterly access reviews. - Logging: Immutable audit logs of access to KYC data; retain access logs for at least 12 months (24 months for high-risk environments). - Segmentation: Store KYC artifacts in segregated repositories with additional controls and limited egress. - Vendor controls: Require equivalent controls contractually; verify via audits or certifications. 9. Backups and Archival - Backups: Apply the same retention clock; upon deletion in production, data becomes logically inaccessible and is purged from backups per backup rotation (maximum backup retention 90 days unless law requires longer). - Archives: Avoid archival of raw KYC images; if archival is legally required, encrypt with restricted keys and record business justification and retention end date. 10. Third Parties and Cross-Border Transfers - Contracts: Data Processing Agreements must specify retention periods, deletion timelines after contract end (e.g., 30–90 days), and pass-through obligations to subprocessors. - Deletion SLAs: Vendors must complete deletion and provide a certificate of destruction upon request. - International transfers: Use approved transfer mechanisms (e.g., SCCs where applicable). Retention durations must not be extended due to transfer or vendor location. 11. Data Subject/Consumer Requests - Access/Portability: Provide records unless disclosure would breach AML secrecy or reveal SAR/STR existence. Redact third-party or investigative content as required. - Deletion: Deny or limit where retention is required by AML or legal obligations. Clearly communicate basis for denial and retention end date/criteria. - Restriction/Objection: Assess on a case-by-case basis; where processing is based on legitimate interests (e.g., fraud prevention for denied KYC), document a balancing test. 12. Governance, Documentation, and Review - Records of Processing: Maintain a ROPA entry covering registration and KYC, including retention periods and legal bases. - DPIA: Conduct and maintain a DPIA for KYC (especially if biometrics or automated decisioning are used). - CPRA Disclosure: Publish category-level retention periods or criteria in the privacy notice and consent flows. - Review Cycle: Annual review by Privacy and AML Compliance, or sooner upon regulatory changes or new processing activities. - Metrics: Track deletion success rates, overdue records, and exceptions; report quarterly to the privacy/AML steering committee. 13. Disposal Methods - Electronic data: Cryptographic erasure or secure overwrite consistent with NIST SP 800-88 or equivalent. - Physical media: Shredding, degaussing, or certified destruction. - Verification: Maintain deletion logs and certificates of destruction for regulators/auditors; sample-based verification of vendor deletions. 14. Regional Notes (Guidance) - EU/EEA/UK: Retain CDD/KYC records for 5 years after Relationship End as a baseline; extension beyond 5 years requires legal basis under local AML law and necessity/proportionality assessment. Apply GDPR Article 17 exemptions for legal obligations and legal claims. - U.S.: Financial institutions should align with federal AML recordkeeping (e.g., many AML records for 5 years) and applicable state statutes. CCPA/CPRA requires disclosure of retention periods and prohibits retaining longer than reasonably necessary. - Other jurisdictions: Where local AML rules specify different periods, that period supersedes the baseline. Record jurisdiction-specific deviations in the retention register. 15. Default Retention Summary (high level) - Registration profiles: Life of account + 2 years - Auth/security logs: 12 months (up to 24 months for high risk) - Unverified accounts: 90 days (up to 12 months if fraud risk) - KYC images/docs/outputs/risk assessments/screening logs: 5 years after Relationship End - Transaction monitoring alerts and related evidence: 5 years after closure - SAR/STR and supporting documentation: Per local law (commonly 5 years from filing) - Failed/denied KYC: 1 year (up to 3 years if needed for fraud prevention) - Biometric raw data: Immediate deletion or within 24 hours after verification Implementation Notes - Configure retention timers at record level with event-driven triggers (account closure, KYC decision, alert closure). - Use immutable metadata to store retention end dates and prevent premature deletion. - Ensure consistent deletion across primary databases, data lakes, caches, search indexes, file stores, and vendor systems. - Prevent analytical systems from extending retention inadvertently; enforce automated purges and anonymization jobs. - Maintain a centralized retention register mapping each data store to the above categories and retention periods. This policy establishes compliant defaults and controls for registration and KYC data. Where local law mandates different durations or handling, document the variance and ensure technical enforcement within affected systems.
数据保留政策(日志与备份) 1. 目的与适用范围 - 目的:规范组织对日志数据与备份数据的收集、保存、访问与销毁,确保在合规与安全要求下实现业务连续性与事件调查能力,同时遵循数据最小化与存储限制原则。 - 适用范围:适用于组织内所有生产与非生产环境的日志与备份数据,包括本地与云环境、第三方托管服务与内部系统。 - 数据性质:日志与备份可能包含个人数据(如IP地址、用户标识符、设备标识、时间戳、访问记录、交易元数据等)。政策对含个人数据的处理具有同等约束。 2. 合规原则与依据 - 存储限制与数据最小化: - GDPR:仅在实现目的所必需的期间内保存(Art. 5(1)(c)、5(1)(e));采取适当技术与组织措施保障安全(Art. 32);隐私保护设计与默认(Art. 25);具备合法基础(Art. 6)。 - CCPA/CPRA:仅在实现披露目的的合理必要期限内保留;在隐私声明中告知各类个人信息的保留期限或确定方法;过期后不得继续保留或使用超出目的的范围。 - 信息主体权利: - 在活跃数据中支持访问、纠正与删除(GDPR Art. 15–17;CCPA删除权)。备份中不逐项修改,但须确保恢复后立即同步删除或屏蔽,且不得将备份用于与原目的不一致的处理。 - 账务/行业要求(如适用):例如PCI DSS一般要求审计日志至少保留一年并确保三个月可即时检索;特定行业(金融、医疗、公共部门)可能有更长法定保留期,应在本政策的例外机制中加以登记与证明。 3. 角色与职责 - 数据保护官(DPO):监督合规、审查保留周期与隐私影响。 - 信息安全负责人(CISO/SecOps):实施技术控制、日志管线配置、备份加密与密钥管理。 - 系统所有者:定义业务目的与保留需求,按最小化原则配置日志级别。 - 法务与合规:评估法规要求与诉讼保全(Legal Hold)。 - 运维与数据工程:执行保留与销毁计划、审计与报告。 - 供应商/处理者:按照合同与DPA履行保留与销毁义务并提供证明。 4. 日志分类与保留周期(基线) 说明:以下为默认基线,用于在无更高法定或合同要求时执行。具体系统如涉及欺诈调查、财务审计或监管义务,可在“例外与保全”中延长并备案。所有周期以事件生成时间为起点。 - 安全事件与SIEM汇总(IDS/IPS、EDR、DLP、WAF、异常行为):12–18个月;用途为威胁狩猎、入侵调查与合规审计。 - 身份与访问日志(SSO/IAM、MFA、权限变更、会话活动):12个月;对溯源与违规调查必要。 - 数据库审计与特权操作日志(DDL/DML审计、管理员操作):18–24个月;对数据完整性与高风险访问可延长。 - 应用与API网关日志(请求元数据、错误码、性能指标;避免含业务敏感负载):90–180天;支持故障定位与容量规划。含个人数据字段应尽量缩短至90天或进行脱敏。 - 系统与基础设施日志(操作系统、容器/编排、存储与计算节点):90天;可按安全需要延长至180天。 - 网络与边界日志(防火墙、VPC Flow、负载均衡、DNS):180天;用于流量分析与异常定位。 - 云服务活动日志(例如云审计/访问踪迹):12个月;遵循云提供方保留能力与成本优化。 - 邮件与消息网关日志(投递与安全事件元数据):180天;不记录邮件正文与敏感内容。 - 监控与告警历史(指标、阈值触发记录):180天;与安全事件相关部分按安全事件周期保留。 数据最小化与敏感抑制: - 禁止在日志中记录密码、完整支付卡号、完整身份证号、健康信息正文、自由文本中的个人敏感信息。 - 对可识别标识使用哈希/标记化;仅在必要时保留原值,并限制访问。 - 采用结构化日志,按字段控制保留与脱敏,便于选择性清除与压缩。 5. 备份策略与保留周期 适用对象:数据库、文件存储、配置与关键系统镜像,以及日志归档。 目标:在满足RPO/RTO的前提下,遵循存储限制原则;备份仅用于灾难恢复与业务连续性,不作二次分析。 - 备份层级与周期(通用基线): - 日常增量:保留30天。 - 每周完整备份:保留12周。 - 每月完整备份:保留12个月。 - 年度归档:仅对存在法定或合同要求的系统启用,保留最长7年;其他系统不启用年度长期归档。 - 保留与删除一致性: - 备份中的个人数据保留期限不得超过源系统的最长法定保留期。 - 当活跃数据到达删除期限,标记为“不可恢复/需删除”。恢复时必须执行同步删除流程,且不得为满足删除请求而单独解压或检索备份。 - 技术控制: - 加密:备份静态加密(例如AES-256),传输加密(TLS 1.2及以上);密钥在KMS/HSM管理,定期轮换。 - 完整性与不可篡改:对关键审计备份采用不可变存储/写一次读多次(如行业要求),并记录校验和。 - 分区与地域:按数据驻留与跨境传输要求进行地域隔离;跨境存储需具备合法机制(如SCC、合同保障)。 - 访问控制:基于角色的最小权限、双人审批与MFA;对突破口(break-glass)访问进行事后审计。 - 恢复演练:至少每半年验证恢复流程与删除同步机制;记录RTO/RPO达成情况。 6. 删除与销毁 - 日志: - 到期后自动执行删除;采用安全擦除或覆盖机制,确保不可恢复。 - 对集中式日志平台(如对象存储归档)启用生命周期规则(TTL),并验证索引与副本同步删除。 - 备份: - 到期后按备份层级批量销毁;云对象存储删除后不保留早期版本;磁带与离线介质遵循物理销毁或认证数据擦除。 - 例外:因调查、审计或监管要求可临时延长;需建立Legal Hold工单,注明范围、依据与期限;解除后立即执行延期数据的销毁。 7. 数据主体请求与隐私声明 - 在隐私声明中明确各类数据(含日志中可能包含的个人数据)的保留期限或确定方法(例如“按安全需要保留不超过12个月”)。 - 删除请求处理: - 活跃系统:按法定时限删除或匿名化。 - 备份:不对备份逐项删除;承诺不对备份进行超出恢复目的的处理;发生恢复时,自动应用活跃系统的删除标记/黑名单,确保一经恢复立即删除相关记录。 - 访问请求:如在日志中检索个人数据成本不成比例且风险较高,可在合法范围内提供摘要与类别说明,并评估对他人数据与安全的影响。 8. 供应商与跨境要求 - 与云/日志服务供应商签署数据处理协议(DPA),明确保留、删除、地域与审计条款。 - 供应商需支持: - 生命周期管理(TTL)、删除证明与日志导出。 - 加密与密钥托管选项。 - 地域选择与跨境合规机制。 - 定期评估供应商合规证据(如ISO 27001、SOC 2报告)。 9. 审计与监控 - 保留控制审计:每年审查保留配置、删除日志、访问记录与例外登记。 - 持续监控: - 监测超期数据与失败删除任务。 - 校验采集的日志字段是否符合最小化与脱敏策略。 - 报告与问责:记录保留与销毁事件;对异常与违规进行根因分析与改进。 10. 变更管理与评审 - 本政策由DPO与CISO共同维护;至少每年评审一次或在法规/业务变更时更新。 - 重大变更(保留周期、跨境策略、备份地点)需法务与合规批准,并更新隐私声明与数据目录。 11. 实施指南(工程与运维要点) - 在日志管线中实施字段级脱敏、秘密屏蔽(token/密码/API密钥)、PII标记与可选采样。 - 使用结构化日志(JSON)以支持字段TTL与选择性压缩/裁剪。 - 为高风险类目(特权访问、数据库审计)单独存储与更长保留,并限制可视化与导出权限。 - 为包含个人数据的索引启用“软删除标记”与到期自动清除,避免冷存储与索引残留。 - 在备份恢复流程中集成“删除同步模块”,确保恢复后立即清除已过期或被请求删除的数据。 12. 例外与保全规则 - 触发条件:监管调查、诉讼保全、重大安全事件。 - 要求:创建保全记录,定义范围、期限与法律依据;限制访问与用途;到期后执行销毁。 - 记录:保全开始/结束时间、涉及系统与数据类别、审批人。 附注 - 保留周期为基线建议,应在数据目录与处理记录(GDPR Art. 30)中针对具体处理活动与系统进行登记与差异化管理。 - 如适用特定行业或地区法律(如税务、医疗或金融监管),以更严格要求为准并在例外中备案。 本政策自发布之日起生效;所有相关人员与供应商应在30日内完成配置校验与合规确认。
快速产出针对不同地区的保留政策与条款说明,拉通业务与技术,准备审计材料与证据包,缩短合规评审周期,降低被罚与诉讼风险。
依据业务场景生成保留表、数据地图与删除计划,输出DPIA摘要和整改优先级,统一口径答复客户尽调与监管问询。
将政策转化为可执行的分类、标签与到期提醒,覆盖日志、备份、测试数据等,落实定期清理与匿名化,减少存储与泄露风险。
在立项与上线阶段一键获取合规要求与保留期限,生成实施清单与沟通脚本,减少返工和跨部门拉扯,确保如期发布。
为供应商合同加入数据保留与删除条款模板,明确交付与验收标准,管理第三方数据最小化与到期处理,降低外包合规成本。
用少量时间搭建可被客户信任的合规底座,快速生成多语言政策页面与内部流程,提升销售赢单率与市场准入速度。
帮助法务合规、数据治理、信息安全与业务负责人,用更少的时间生成更专业的数据保留政策。围绕具体的数据类型或业务线,快速产出结构化、可审计、可落地的政策文本,明确保留周期、适用法规依据、存储与删除流程、法律保全例外、跨境传输注意事项与职责分工。通过一键指定数据/业务和输出语言,获得符合GDPR、CCPA及本地法规的定制化政策,降低合规风险、提升客户与合作方信任,并在内审、外部审计、招投标与客户尽调中高效应对。
将模板生成的提示词复制粘贴到您常用的 Chat 应用(如 ChatGPT、Claude 等),即可直接对话使用,无需额外开发。适合个人快速体验和轻量使用场景。
把提示词模板转化为 API,您的程序可任意修改模板参数,通过接口直接调用,轻松实现自动化与批量处理。适合开发者集成与业务系统嵌入。
在 MCP client 中配置对应的 server 地址,让您的 AI 应用自动调用提示词模板。适合高级用户和团队协作,让提示词在不同 AI 工具间无缝衔接。
免费获取高级提示词-优惠即将到期
