Data Deletion Policy

1. Introduction
This Data Deletion Policy outlines the procedures and guidelines for the secure and timely
deletion of customer data in compliance with the General Data Protection Regulation
(GDPR). The policy ensures that data is retained only for the necessary period and is
deleted promptly when it is no longer required for the purposes for which it was collected.

2. Scope
This policy applies to all employees, contractors, and third-party vendors who have access
to customer data within Login.

3. Definitions
Personal Data: Any information related to an identified or identifiable natural person.
Data Subject: An identifiable individual to whom the personal data relates.

4. Data Classification
Customer data shall be classified based on its sensitivity, with specific attention to personal
data under the GDPR.

5. Data Retention Periods
Customer data will be retained for a period of three months after the formal end of the
contract between the customer and Login.

See Attachement A for a detailed list of retention periods per data category.

6. Data Deletion Procedures
Customer data will be securely and permanently deleted from all systems and databases
within three months of the formal termination of the contract.

Data deletion will be carried out using industry-standard methods to ensure irreversibility.

7. Data Subject Rights
Data subjects have the right to request the deletion of their personal data. Additionally:
Upon request, Login is obligated to provide data subjects with an export of
their data in a commonly used and machine-readable format, facilitating compliance with
other legislation.

If providing a data export is not feasible, Login may offer a look-up license for
a defined time to allow the data subject to access their data. In such cases, a customer
contract and a data processing agreement must be signed to formalize the continued
processing of the data during the specified period.

8. Review and Audit
Regular reviews and audits will be conducted to ensure compliance with this data deletion
policy. The data protection officer is responsible for overseeing these activities.

9. Employee Training
Employees will receive training on data deletion procedures and the importance of
compliance with the GDPR.

10. Legal and Regulatory Compliance
This policy is designed to comply with the GDPR and other relevant data protection laws.

11. Communication
This policy will be communicated to all relevant stakeholders, and any updates will be
promptly shared.

12. Updates and Revisions
This policy will be reviewed periodically and updated as necessary to ensure ongoing
compliance with applicable laws and regulations.