This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Timewax B.V.
This Policy applies to all business units, processes and systems in all countries in which Timewax B.V. conducts business and has dealings or other business relationships with third parties.
This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.
This policy applies to all information used at Timewax B.V. Examples of documents include:
In the event, for any category of document not specifically defined elsewhere in this Policy (and in particular within Annex I) and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be 3 years from the date of creation of the document.
The Chief Information Security Officer defines the time period for which the documents and electronic records should to be retained through the Data Retention Schedule.
As an exemption, retention periods within Data Retention Schedule can be prolonged in cases such as:
The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to the Chief Information Security Officer.
Timewax B.V. and its employees should therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the retention schedule. Overall responsibility for the destruction of data falls to Chief Information Security Officer.
Once the decision is made to dispose according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.
In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Chief Information Security Officer subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and Timewax B.V.’s General Personal Data Protection Policy shall be complied with.
Appropriate controls shall be in place that prevent the permanent loss of essential information of Timewax B.V. as a result of malicious or unintentional destruction of information – these controls are described in the Information Security Policy.
The Chief Information Security Officer shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
The person appointed with responsibility for Data Protection (Chief Information Security Officer) has the responsibility to ensure that each of Timewax B.V.’s offices complies with this Policy. It is also the responsibility of the Chief Information Security Officer to assist any local office with enquiries from any local data protection or governmental authority.
Any suspicion of a breach of this Policy must be reported immediately to the Chief Information Security Officer. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to Timewax B.V.’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.