data retention policy

Purpose, Scope and Users

Phase One SA, hereinafter referred to as the "Company", strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.

This policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal of data subjects within EEA.

The uses of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.

Reference Documents

EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

  • Employee Personal Data Protection Policy

  • Data Retention Policy

  • Data Protection Officer Job Description

  • Guidelines for Data Inventory and Processing Activities

  • Data Subject Access Request Procedure

  • Data Protection Impact Assessment Guidelines

  • Cross Border Personal Data Transfer Procedure

  • IT Security Policy

  • Security Procedures for IT Department

  • Mobile Device and Teleworking Policy

  • Clear Desk and Clear Screen Policy

  • Breach Notification Procedure

Definitions

The following definitions of terms used in this document are drawn from Article 4 of the European Union's General Data Protection Regulation:

Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

 

Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.

 

Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

 

Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

 

Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.

 

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.

 

Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

 

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;

 

Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;

 

Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.

 

“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; “Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

 

Group Undertaking: Any holding company together with its subsidiary.

Basic Principles Regarding Personal Data Processing

xxxxxxx

Building Data Protection in Business Activities

xxxxxxx

Fair Processing Guidelines

xxxxxxxx

Organization and Responsibilities

xxxxxx

Purpose, Scope and Users

This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Phase One SA (the “Company”).

This Policy applies to all business units, processes and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.

This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.

 

This policy applies to all information used at the Company. Examples of documents include:

  • Emails

  • Hard copy documents

  • Soft copy documents

  • Video and audio

  • Data generated by physical access control systems

Reference Documents

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

  • Personal Data Protection Policy

Retention Rules

Retention General Principle

In the event, for any category of documents not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be 10 years from the date of creation of the document.

 

Retention General Schedule

 

Data Protection Officer defines the time period for which the documents and electronic records should to be retained through the Data Retention Schedule.

 

As an exemption, retention periods within Data Retention Schedule can be prolonged in cases such as:

  • Ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements;or

  • When exercising legal rights in cases of law suits or similar court proceeding recognized under local law.

 

Safeguarding of Data during Retention Period

 

The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to DPO.

 

Destruction of Data

 

The Company and its employees should therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the retention schedule. Overall responsibility for the destruction of data falls to DPO.

 

Once the decision is made to dispose according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.

In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that DPO subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and the Company’s Personal Data Protection Policy shall be complied with.

 

Appropriate controls shall be in place that prevent the permanent loss of essential information of the company as a result of malicious or unintentional destruction of information – these controls are described in information security policies.

 

IT Manager shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.

 

Breach, Enforcement and Compliance

 

The person appointed with responsibility for Data Protection DPO has the responsibility to ensure that each of the Company’s offices complies with this Policy. It is also the responsibility of the DPO to assist any local office with enquiries from any local data protection or governmental authority.

 

Any suspicion of a breach of this Policy must be reported immediately to DPO All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.

 

Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

Document Disposal

Routine Disposal Schedule

Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:

  • Announcements and notices of day-to-day meetings and other events including acceptances and apologies;

  • Requests for ordinary information such as travel directions;

  • Reservations for internal meetings without charges / external costs;

  • Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value;

  • Message slips;

  • Superseded address list, distribution lists etc.;

  • Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files;

  • Stock in-house publications which are obsolete or superseded; and

  • Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.

 

In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.

 

Destruction Method

 

Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.

 

Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.

 

Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.

Managing Records Kept on the Basis of this Document

Data Retention Schedule

Storage location: Data Protection Officer's private file storage area

Person responsible for storage: DPO

Controls for record protection: Only authorized persons may access this document

Retention time: Permanently

Validity and document management

This document is valid as of 02-December-2019

Version 1.1

Appendices

Appendix - Data Retention Schedule

Payroll Records

Mandated retention period: Seven years after audit

Record owner: HR department

Supplier contracts

Mandated retention period: Seven years after contract is terminated

Record owner: Sales department

ERP/CRM Records

Mandated retention period: From contract expiration

Record owner: Sales department

PRO Records

Mandated retention period: 1 year after visa expiration for electronic copies. Immediately after intended use for paper copies.

Record owner: PRO

HR Records

Mandated retention period: Sensitive information deleted 1 year after termination/resignation, full record deleted after 7 years.

Record owner: HR department