Data Policy

Data Retention Policy (UK GDPR, EU GDPR, DPA 2018)

1.    ABOUT THIS POLICY


1.1.    Corporate information
The corporate information, records and data of Zepic Limited [and our subsidiaries] are important to how we conduct business and manage employees.
1.2.    Data retention
We have legal and regulatory requirements to retain certain data, usually for a specified amount of time. We also retain data for business purposes, such as to operate our business and to have information available when we need it. However, we may not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
1.3.    Data retention
This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal. 
1.4.    Compliance risks
Failure to comply with this policy can lead to fines, penalties and adverse publicity. It can also make it difficult for us to provide evidence when we need it, and affect our ability to run our business.
1.5.    Employment policy
This policy is not a part of any employee's contract of employment and we may amend it at any time.


2.    SCOPE OF POLICY


2.1.    Data protection
This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. This policy applies to both personal data and non-personal data. We refer to this information and these records collectively as "data".
2.2.    Data protection
This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by employees on personal devices.
2.3.    Data classification
This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data and non-personal data. It also gives guidance on how we classify our data.
2.4.    Business units
This policy applies to [[all board game events that Zepic Limited ] OR all business units and functions] of Zepic Limited in the United Kingdom.
2.5.    [OTHER INFORMATION ABOUT SCOPE].


3.    GUIDING PRINCIPLES


3.1.    Data retention
Through this policy, and our data retention practices, we aim to meet the following commitments:
(a)    We comply with legal and regulatory requirements to retain data.
(b)    We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
(c)    We handle, store and dispose of data responsibly and securely.
(d)    We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason.
(e)    We allocate appropriate resources, roles and responsibilities to data retention.
(f)    We regularly remind employees of their data retention responsibilities.
(g)    We regularly monitor and audit compliance with this policy and update this policy when required.


4.    ROLES AND RESPONSIBILITIES


4.1.    Employee compliance
It is our policy to comply with the laws, rules and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions from the [Records Management Department OR Director] or [Legal Department OR Director]. Failure to do so may subject us, our employees, contractors and agents to serious civil or criminal liability. An employee's failure to comply with this policy may result in disciplinary sanctions including suspension or termination.
4.2.    Records management
[Records Management Department and Records Management Officer OR Director]. The [Records Management Department OR Director] is responsible for identifying the data that we must or should retain, and determining, in collaboration with the [Legal Department OR Director], the proper period of retention. It also arranges for the proper storage and retrieval of data, co-ordinating with outside vendors where appropriate. [Additionally, the [Records Management Department OR Director] handles the destruction of records whose retention period has expired.]
4.3.    Records management
We have designated Zoe-Estelle Collins as the Records Management Officer. The [Records Management Officer OR Director] is head of the [Records Management Department OR Director] and is responsible for:
(a)    Administering the data management programme;
(b)    Helping department heads implement the data management programme and related best practices;
(c)    Planning, developing, and prescribing data disposal policies, systems, standards, and procedures; and
(d)    Providing guidance, training, monitoring and updating in relation to this policy.
4.4.    Data protection officer


Our Data Protection Officer (DPO) is responsible for advising on and monitoring our compliance with data protection laws which regulate personal data. Our DPO works with our [Records Management Department OR Director] on the retention requirements for personal data and on monitoring compliance with this policy in relation to personal data.


5.    TYPES OF DATA AND DATA CLASSIFICATIONS


5.1.    Record retention
Formal or official records are data listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data.
5.2.    Disposable data
Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
(a)    Duplicates of originals that have not been annotated.
(b)    Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
(c)    Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Zepic Limited and retained primarily for reference purposes.
(d)    Spam and junk mail.
Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.
5.3.    Personal data
Personal data includes any information that could identify living individuals. Data protection laws require us to retain personal data only for as long as is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
5.4.    Confidential information belonging to others
Any confidential information that an employee may have obtained from a source outside of Zepic Limited, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us except as permitted in our [[CONFIDENTIALITY POLICY] OR [OTHER RELEVANT POLICY OR GUIDANCE]]. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted if received via the internet. Please see our [[CONFIDENTIALITY POLICY] OR [OTHER RELEVANT POLICY OR GUIDANCE]].
5.5.    Data classification
Some of our data is more confidential than other data. Our [[DATA CLASSIFICATION STANDARD] OR [OTHER RELEVANT POLICY OR GUIDANCE]] explains how we classify data and how each type of data should be marked and protected. When complying with this policy, it is also important that you follow our [[DATA CLASSIFICATION STANDARD] OR [OTHER RELEVANT POLICY OR GUIDANCE]] when marking and protecting data.


6.    RETENTION PERIODS


6.1.    Formal or official records
Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact [Records Management Officer OR Director] or [Legal Department OR Director].
6.2.    Disposable information
The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes and once it no longer has any business purpose or value it should be securely disposed of. [For guidance on how to make decisions on how long to retain disposable information, please see [FAQs OR [OTHER GUIDANCE OR WORKED EXAMPLES]].]
6.3.    Storage limitation for personal data
As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where personal data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where personal data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data. More information can be found in our [[PRIVACY STANDARD] OR [OTHER RELEVANT POLICY]]. [For guidance on how to make decisions on how long to retain disposable information, please see [FAQs OR [OTHER GUIDANCE OR WORKED EXAMPLES]].]
6.4.    Omit from schedule
If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there may be an omission in the Record Retention Schedule, or if you are unsure, please contact the Records Management Department OR Director.


7.    STORAGE, BACK-UP AND DISPOSAL OF DATA


7.1.    Data storage
Our data must be stored in a safe, secure, and accessible manner. Documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up at least once per week and maintained off site. [Please refer to our [BUSINESS CONTINUITY PLAN]].
7.2.    Data destruction
Our [Records Management Officer OR Director] is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling or erased if appropriate. The destruction of electronic data must be co-ordinated with [the IT Department OR Director].
7.3.    Stopping data destruction
Destruction of data must stop immediately upon notification from [the Legal Department OR Director] that preservation of documents for contemplated litigation is required. This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once [the Legal Department OR Director] lifts the requirement for preservation.


8.    SPECIAL CIRCUMSTANCES


8.1.    Record retention
This policy requires employees to comply with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or the Legal Department OR Director informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose of, destroy, or change those records, including emails and other electronic documents, until the Legal Department OR Director determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
8.2.    Exception questions
If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Legal Department.
8.3.    Data disposal
You may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

9.    WHERE TO GO FOR ADVICE AND QUESTIONS


9.1.    Questions about policy
Questions about retention periods relevant to your [function OR department] should be raised with your Manager OR the Director. Any questions about this policy should be referred to the data retention lead [(07964130034; zoepiper3@hotmail.com)], who is in charge of administering, enforcing and updating this policy.


10.    BREACH REPORTING AND AUDIT 


10.1.    Reporting policy breaches
We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depends largely on employees' willingness to report incidents. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with [RECORDS MANAGEMENT OFFICER OR MANAGER AT THE NEXT LEVEL ABOVE YOUR DIRECT SUPERVISOR OR Director]. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
10.2.    Protected activities
We will not subject any person to any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
10.3.    Audits and compliance
Our Director will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.


11.    OTHER RELEVANT POLICIES


11.1.    Other policies
This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:
(a)    IT and communications systems policy.
(b)    IT acceptable use policy.
(c)    Privacy standard OR Data protection policy.
(d)    Confidentiality policy.
(e)    Data classification policy.
(f)    Business continuity policy.
    And other IT, security, and data related policies, which are available on the intranet OR Coventry.
12.    [ACKNOWLEDGEMENT OF RECEIPT AND REVIEW
[I, _______________________ [EMPLOYEE NAME], acknowledge that on _____________________ [DATE], I received a copy of [EMPLOYER NAME]'s Data Retention Policy and that I read it, understood it, and agree to comply with it. This policy does not set terms or conditions of employment or form part of an employment contract. 
…………………………………………….
Signature
…………………………………………….
Printed name
……………………………………………
Date]]

 

SCHEDULES:


1.    [Schedule 1: DEFINITIONS]
    Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as "data".
    [Data Protection Officer: our Data Protection Officer who is responsible for advising on and monitoring compliance with data protection laws.]
    Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
    Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.
    Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as formal or official records or data.
    Non-personal data: data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.
    Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour. 
     [Records Management Department: the department responsible for identifying the data that we must or should retain, and determining, in collaboration with the [Legal Department OR Director], the proper period of retention. It also arranges for the proper storage and retrieval of data, co-ordinating with outside vendors where appropriate and handles the destruction of [some] records whose retention period has expired.]
    [Records Management Officer: the Records Management Officer is head of the Records Management Department and is responsible for administering the data management programme, helping department heads implement it and related best practices, planning, developing, and prescribing data disposal policies, systems, standards, and procedures and providing guidance, training, monitoring and updating in relation to this policy.]
    Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records. 
    Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.
2.    Schedule 2: RECORD RETENTION SCHEDULE
2.1.    Zepic Limited establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs. 
2.2.    Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Zepic Limited Data Retention Policy. 
2.3.    If you hold data not listed below, please refer to the Zepic Limited Data Retention Policy. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact Zoe-Estelle Collins.
2.4.    
TYPE OF DATA    RETENTION PERIOD    REASON / COMMENTS
[OVERARCHING CATEGORY] [for example [Recruitment records OR Payroll records OR Corporate records OR Supplier contracts]]
[SUBCATEGORY] [for example [Application forms OR Expenses claims OR Board minutes OR Signed contracts]].    [RETENTION PERIOD] [for example [Six months after notifying candidates of the outcome of the recruitment exercise OR A minimum of three years after the end of the tax year to which they relate OR Seven years after employment ends OR A minimum of 3 years and a maximum of 5 years]].    [INSERT REASON FOR RETENTION PERIOD] [for example [Section [NUMBER] [NAME OF ACT]] OR Regulatory guidance from [NAME OF REGULATOR] OR [BEST PRACTICE]].

 
