This Data Retention Policy sets out the framework by which Global Community Transformation (GCT) manages the retention, storage, and secure deletion of personal data collected in the course of its institutional operations. It applies to all personal data held by GCT in connection with membership, events, volunteering, website usage, and governance activities.
This Policy is read in conjunction with GCT's Privacy Policy and supports GCT's compliance obligations under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven) 2018.
GCT's data retention practices are governed by the following legal instruments, reflecting GCT's status as both a Norwegian-registered institution and an intercontinental organisation operating across multiple jurisdictions:
- GDPR Article 5(1)(e): Data must not be kept in a form that permits identification of data subjects for longer than necessary for the purposes for which it is processed.
- GDPR Article 17: The right to erasure, subject to applicable exceptions including legal retention obligations.
- GDPR Chapter V: Governing international transfers of personal data outside the EEA, including Standard Contractual Clauses where applicable.
- Norwegian Personal Data Act (Personopplysningsloven) 2018: Implements GDPR into Norwegian law and governs GCT's obligations as a registered Norwegian organisation.
- Norwegian Accounting Act (Regnskapsloven): Requires financial records to be retained for a minimum of five years, with certain categories retained for seven years.
- EEA Agreement: Ensures that GCT's data governance standards apply consistently across all European Economic Area member states.
- Applicable national legislation: GCT acknowledges and respects the data protection laws of all countries in which its members, volunteers, and partners are based, including but not limited to jurisdictions in Africa, Asia, the Americas, and Oceania, and will apply appropriate safeguards accordingly.
Membership Records
- Active membership records, including application data, membership tier, contact details, and renewal history, are retained for the full duration of membership and for five years following membership lapse, in accordance with GCT's institutional governance requirements.
- Unsuccessful membership applications are retained for twelve months from the date of the decision and then securely deleted.
Financial Records
- Payment records and membership contribution documentation are retained for seven years in compliance with Norwegian accounting and tax legislation.
- Financial records are stored securely and accessible only to authorised GCT governance personnel.
Website & Digital Data
- Website analytics data is collected in anonymised form and retained for a maximum of twenty-six months, after which it is deleted or further anonymised.
- Contact form submissions are retained for twenty-four months and then securely deleted unless an ongoing relationship exists.
- Cookie consent records are retained for twelve months from the date of consent.
Events & Volunteers
- Event participation records are retained for three years following the event date.
- Volunteer records, including availability and role preferences, are retained for five years following the conclusion of the volunteer engagement.
- Photographs and recordings taken at GCT events, where consent has been obtained, are retained for the institutional archive unless a withdrawal of consent is received.
Governance Records
- Internal governance communications, board resolutions, and proceedings are retained for ten years in accordance with institutional governance standards.
- Disciplinary records related to membership breaches are retained for five years following the conclusion of the matter.
Upon expiry of the applicable retention period, GCT will take one of the following actions with respect to personal data:
- Secure deletion: Personal data is permanently and irreversibly deleted from all GCT systems and storage platforms.
- Anonymisation: Where data retains analytical or institutional value, it is anonymised such that no individual can be identified, and the anonymised data is no longer subject to GDPR requirements.
GCT reviews its data holdings on an annual basis to ensure that no personal data is retained beyond its applicable period. Any data identified as overdue for deletion is actioned within thirty days of the review.
All personal data retained by GCT is stored securely in accordance with GDPR requirements. The following principles apply regardless of platform:
- Access to personal data is restricted to authorised GCT personnel on a need-to-know basis.
- All third-party platforms and service providers used to store GCT data must be GDPR-compliant and bound by a data processing agreement with GCT.
- Personal data is not stored on personal devices or unsecured platforms without explicit authorisation from the GCT Secretariat.
- In the event of a data breach, GCT will notify the Norwegian Data Protection Authority (Datatilsynet) within seventy-two hours and affected data subjects without undue delay, in accordance with GDPR Articles 33 and 34.
In accordance with GCT's Privacy Policy and GDPR, members and data subjects retain full rights in relation to their personal data during the applicable retention period, including the right to access, rectify, restrict, and, subject to legal retention obligations, request deletion of their data.
To exercise any data rights, please contact GCT through the Contact page at www.gct-int.org. GCT will respond within thirty calendar days in accordance with GDPR requirements.
This Data Retention Policy is reviewed annually by the GCT Secretariat and updated as necessary to reflect changes in legal requirements, institutional operations, or data management practices. The effective date displayed at the top of this page reflects the most recent review.
All substantive changes to this Policy will be communicated to GCT members and relevant stakeholders. Continued membership of GCT following notification of any update constitutes acceptance of the revised Policy.
For any questions regarding this Policy, please contact the GCT Secretariat at secretariat@gct-int.org