Company Name: Ashakiran Constructions PVT. LTD.
Effective Date: [14. 11. 2025]
Last Reviewed: [14. 11. 2025]
Policy Version: 1.0
1. Purpose
This policy is established to ensure that Ashakiran Constructions PVT. LTD. (henceforth referred to as Ashakiran Constructions) retains only the data necessary for business operations, legal compliance, and regulatory requirements, and securely disposes of data that is no longer needed. This prevents data hoarding, reduces security risks, optimises storage costs, and ensures compliance with the storage limitation principle of the DPDP Act.
2. Scope
This policy applies to all data and records of Ashakiran Constructions, in both physical (hard copy documents) and electronic formats (emails, databases, system logs, website data, backups, etc.), wherever they are stored (on-premises, cloud, or employee devices).
3. Guiding Principles
Ashakiran Constructions adheres to the following principles:
- Lawfulness and Purpose Limitation: Data is collected for specific, explicit, and lawful purposes only.
- Data Minimisation: Only data that is necessary for the stated purpose is collected and retained.
- Storage Limitation: Data is not kept longer than necessary to fulfil the purpose for which it was collected or to comply with a legal obligation.
- Integrity and Confidentiality: Appropriate security measures (e.g., encryption, access controls) are in place to protect data against unauthorised access, alteration, or loss.
- Transparency and Accountability: The company maintains records of processing activities and data principals are informed about data handling practices and their rights.
4. Roles and Responsibilities
- Board of Directors/Senior Management: Final approval and oversight of the policy.
- Data Protection Officer (DPO)/Compliance Officer: Responsible for administering the policy, overseeing implementation, supervising data destruction, and advising on legal requirements.
- IT Department: Responsible for secure storage, implementing technical data deletion procedures, managing backups, and ensuring data security.
- Department Heads/Data Owners: Responsible for determining the value and significance of data within their departments and ensuring data is managed according to the retention schedule.
- All Employees: Obligated to comply with this policy and follow procedures for handling and disposing of data.
5. Data Retention Schedule
The following table outlines the minimum and maximum retention periods for various data categories, based on business needs and Indian legal requirements.
| Data Category | Examples of Data | Retention Period | Governing Law/Reason |
|---|---|---|---|
| Corporate/Legal Records | Minutes of board meetings, company registers, statutory records, certificates of incorporation | Permanently (or at least 10 years as per Companies Act) | Companies Act, 2013 |
| Financial/Tax Records | Invoices, receipts, bank statements, balance sheets, tax returns | 8 years from the end of the relevant assessment year/transaction | Income Tax Act, 1961; CGST Act, 2017 |
| Property/Transaction Data | Sale/purchase agreements, lease deeds, ownership records, title documents | Permanently (physical originals); 12 years (electronic copies for potential disputes) | Legal necessity for property ownership verification/litigation limitation periods |
| Customer/Prospect Personal Data | Names, contact details, property preferences | 3 years from the last interaction or until consent is withdrawn | DPDP Act (Purpose limitation) |
| KYC and Due Diligence Data | PAN, Aadhaar, passport copies | 5 years after the business relationship ends | Prevention of Money Laundering Act & Rules |
| Employee/HR Records | Payroll data, contracts, timesheets, leave records, performance reviews | 8 years after termination of employment (statutory); 6 years for general records | Relevant Indian Labour Laws, Tax Laws |
| Website/IT Logs | IP addresses, system logs, access logs | 1 year (for cybersecurity incident reporting) | CERT-In Directions; Business need |
| Marketing/Communication Data | Email correspondence, call recordings (with consent), opt-in/opt-out lists | 3 years from last contact or indefinitely for suppression lists | DPDP Act; Business need |
6. Data Storage, Back-up, and Destruction
- Storage: Data will be stored securely, using access controls and encryption where appropriate, in a manner that ensures availability when needed and protection from unauthorised access.
- Back-up: Critical business data and documents will be backed up regularly and stored off-site or in a secure cloud environment. Backup data will also adhere to retention periods; however, data deletion from backups may follow a specific schedule (e.g., 3 months for short-term backups).
- Destruction: Data that has reached its retention limit will be securely destroyed. Hard copies will be shredded; electronic data will be permanently deleted using secure, unrecoverable methods coordinated by the IT department. The DPO will supervise this process.
- Litigation Hold: Data destruction must cease immediately upon notification from the legal department that a “litigation hold” is in effect due to a potential or actual legal claim, investigation, or audit. Relevant data will be preserved until the hold is lifted.
7. Policy Review and Compliance
This policy will be reviewed and updated at least annually, or as required by changes in Indian law (including the final DPDP Rules) or business needs. Compliance with this policy will be monitored through internal audits.
This policy is a template and requires review by Ashakiran Constructions’ legal counsel to ensure it is tailored to specific business operations and fully compliant with all applicable laws in India.