Data Retention Policy - May 25th, 2018
In accordance with the GDPR as of May 25th, 2018.

Recovery Emporium, Inc.

DATA RETENTION POLICY

Document Ref.: GDPR-1
Version: 1
Dated: 25 May 2018
Document Author: Matthew James
Document Owner: Recovery Emporium, Inc

Revision History

Version | Date | Revision Author | Summary of Changes
1 | 05/25/2018 | Matthew James | Revision of Privacy Policy and Addition of Data Retention Policy
2 | 05/25/2019 | Matthew James | Quality Control Update Completed


Distribution

Name | Title
Matthew James | Data Protection Officer

1.) Introduction

This document indicates the Data Retention Policy of the Recovery Emporium, Inc. In this document the user will find the exact policies for data protection and data security used by the Recovery Emporium on all entity properties including but not limited to the following:
E-commerce, social media, and informational sites.

This Policy is intended to be used to strictly maintain a set of up-to-date and legitimate data that is accepted to be stored according to the GDPR Directive. The need to retain data varies widely with the type of data. Some data can be immediately deleted, and some must be retained until the reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the Recovery Emporium’s guidelines on retention are consistently applied throughout the organization. This policy is intended to protect the security and integrity of Recovery Emporium’s data and technology infrastructure.
An international organization is defined by the GDPR as “an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR Article 4).

The intention of the GDPR is to protect the personal data of EU citizens wherever it is held; there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such a transfer to be legal.
The penalties for contravening the GDPR are significant, and care must be taken by Recovery Emporium to ensure that we remain within the law at all times.
This Policy should be considered in conjunction with other Personal Data Policy documents, such as the following:

· Privacy Policy - Cookie Policy
· Terms and Conditions
For questions, comments, and/or concerns please contact:

Amy M Hoffman, Data Protection Officer
Recovery Emporium - 1-888-798-3496

2.) Scope, Purpose, and Users

This Policy provides general principles and approach models for retaining data; the need to retain data varies widely with the type of data. This retention policy is important to ensure that the Recovery Emporium’s guidelines on retention are consistently applied throughout the organization. The scope of this policy covers all Recovery Emporium data stored on Recovery Emporium-owned, Recovery Emporium-leased, and otherwise Recovery Emporium-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local or industry regulations; the Recovery Emporium will comply with the EU General Data Protection Regulation (GDPR), the Data Protection Act 1988, and the Data Protection (Amendment) Act 2003. Where this policy differs from applicable regulations, the requirements specified in the regulations will apply. The purpose of this policy is to specify the Recovery Emporium's guidelines for retaining different types of data.

3.) Policy Information

a.) Reasons for Data Retention

The Recovery Emporium does not wish to simply adopt a "save everything" approach.
Some data, however, must be retained to protect the Recovery Emporium's interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
• Litigation
• Accident investigation
• Security incident investigation
• Regulatory requirements
• Intellectual property preservation

b.) Data Duplication

As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user's machine, on a central file server, and again on a backup system. When identifying and classifying the Recovery Emporium's data, it is important to also understand where that data may be stored, particularly for duplicate copies, so that this policy may be applied to all duplicates of the information.

c.) Retention Requirements

This section sets guidelines for retaining the different types of Recovery Emporium data.

Personal customer data: Personal data will be held for as long as the individual is a customer of the Recovery Emporium plus 6 years.
Personal employee data: General employee data will be held for the duration of employment and then for 6 years after the last day of contractual employment. Employee contracts will be held for 6 years after the last day of contractual employment.
• Tax payments will be held for six years.
• Records of leave will be held for three years.
Recruitment details: Interview notes of unsuccessful applicants will be held for 1 year after the interview.

This personal data will then be destroyed.

Planning data: 7 years.
Health and Safety: 7 years for records of major accidents and dangerous occurrences.
Public data: Public data will be retained for 3 years.
Operational data: Most Recovery Emporium data will fall in this category. Operational data will be retained for 5 years.
Critical data including Tax and VAT: Critical data must be retained for 6 years.
Confidential data: Confidential data must be retained for 7 years.

d.) Retention of Encrypted Data

If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

e.) Data Destruction

Data destruction is a critical component of a data retention policy. Data destruction ensures that the Recovery Emporium will use data efficiently thereby making data management and data retrieval more cost-effective. Exactly how certain data should be destroyed is covered in the Data Classification Policy.
When the retention timeframe expires, the Recovery Emporium must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the Recovery Emporium's management team.
The Recovery Emporium specifically directs users not to destroy data in violation of this policy. Destroying data that a user may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or Recovery Emporium policy, is particularly forbidden.

f.) Applicability of Other Policies

This document is part of the Recovery Emporium's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

4.) Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of Recovery Emporium property (physical or intellectual) are suspected, the Recovery Emporium may report such activities to the applicable authorities.

5.) Definitions

The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation (GDPR):
“Backup” To copy data to a second location, solely for the purpose of safekeeping of that data.
“Encryption” The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
“Encryption Key” An alphanumeric series of characters that enables data to be encrypted and decrypted.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Controller” is the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” is a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of a Data Controller.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Supervisory Authority” means an independent public authority that is established by a Member State pursuant to Article 51.

6.) Managing records kept on the basis of this document

Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time
Call lists & substitution | Google drive of Data breach response team leader | Data breach response team leader | Only authorized persons can edit the files | Permanently
Contact details | Google drive of Data breach response team leader | Data breach response team leader | Only authorized persons can edit the files | Permanently
Documented decisions of the Data Breach Response Team | Google drive of Data breach response team leader | Data breach response team leader | Only Data Breach Response Team leader can edit the files | 5 years
Data breach notifications | Google drive of Data breach response team leader | Data breach response team leader | Only Data Breach Response Team leader can edit the files | 5 years
Data Breach Register | Google drive of Data breach response team leader | Data Protection Officer | Only Data Protection Officer can edit the files | Permanently

Data Collected | Purpose
Preferences | To help us remember your settings and preferences, like your preferred language or the country you are in, so that we can provide you with a more personalized experience.
Authentication and Security | To log you into the Services; enable us to show you your account data; and help us keep your data and the Services safe and secure.
Service Features and Performance | To provide you with functionality and optimize the performance of the Services. For example, to keep track of products you add to your shopping cart on recoveryshop.com; allow you to share information from Recoveryshop.com with social networking services like Facebook or Twitter; and improve our website’s load speed and performance.
Analytics and Research | To help us understand how you are using the Services so that we can make them better, faster, and safer.
Advertising | To enable our partners to serve ads for our products and services; deliver relevant ads to people who may be interested in them on other services; measure the performance of ads; and opt you out of receiving interest-based ads if that is your choice.


7.) To Opt-Out, Remove, or Modify Information Collected

How can you opt out, remove, or modify the information you have provided to us? To modify your e-mail subscriptions, please let us know by modifying your preferences in the "My Account" section. Please note that, due to email production schedules, you may still receive any emails already in production. To delete all of your online account information from our database, sign into the "My Account" section of our site and remove your shipping addresses, billing addresses, and payment information. Please note that we may maintain information about an individual sales transaction in order to service that transaction and for record-keeping.

8.) Third-Party Links

In an attempt to provide you with increased value, we may include third-party links on our site. These linked sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these linked sites (including if a specific link does not work).

9.) Changes to our Policy

If we decide to change our privacy policy, we will post those changes on this page. Policy changes will apply only to information collected after the date of the change.

This policy was last modified on August 6, 2017.

Please contact us for a copy of a previous policy. Ask for Data Protection Officer.

10.) Validity and Document Management

The owner of this document is the Data Protection Officer, who must check and, if necessary, update the document at least once a year.

Data Protection Officer

05/25/2021