Data Retention and Destruction Policy

Effective date: July 5th 2021

Purpose

The purpose of this policy is to define the activities associated with the provision of data retention and destruction plans and programs that protect Cloud Orca Limited information systems, networks, data, databases, and other information assets. Additional policies governing data management activities will be addressed separately.

Scope

The scope of this data retention and destruction policy is all information technology systems, software, databases, applications, and network resources needed by Cloud Orca Limited to conduct its business. The policy is applicable to all Company employees, contractors, and other authorised third-party organisations.

Reference Documents & Compliance

This policy is designed to be compliant with:
• EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC).
• Personal Data Protection Policy.

Data retention and destruction policy compliance is managed by the Cloud Orca Limited board of directors and subject matter experts and are updated within GDPR set standards.

Retention Policy

Retention General Principle

In the event, for any category of documents not specifically defined elsewhere in this Policy and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be 5 years from the date of receipt.

Retention General Schedule

The Cloud Orca Limited board of directors defines the time period for which the documents and electronic records will be retained through the Data Retention Schedule.

As an exemption, retention periods can be prolonged in cases such as:

• Ongoing investigations from any legal entities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements; or
• When exercising legal rights in cases of lawsuits or similar court proceeding recognised under UK law.

Safeguarding of Data During Retention Period

Where electronic storage is chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to Cloud Orca Limited.

Destruction of Data

The Company and its employees will, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. The retention period for any data with Cloud Orca Limited is 5 years from the date or receipt. Overall responsibility for the destruction of data falls to Cloud Orca Limited.

Once the decision is made to dispose according to the destruction method in point 8 of this document, the data will be deleted, shredded, or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies upon its sensitivity, which are categorized as outlined in point 8 of this document (destruction method).

In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Cloud Orca Limited board of directors’ subcontract for this purpose. Any applicable general provisions under relevant data protection laws and the Company’s Personal Data Protection Policy shall be complied with.

Appropriate controls shall be in place that prevents the permanent loss of essential information of the company as a result of malicious or unintentional destruction of information.

The destruction process will be fully document and approved by Ed Rowland (CEO), or Tony Di Campo (COO) prior to taking place. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.

Breach, Enforcement and Compliance

The person/s appointed with responsibility for Data Protection, has the responsibility to ensure that each of the Company’s offices complies with this Policy. It is also the responsibility of Cloud Orca Limited employees to assist any local office with enquiries from any local data protection or governmental authority.

Any suspicion of a breach of this Policy must be reported immediately to the Cloud Orca Limited board of directors. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.

Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, loss of competitive advantage, financial loss and damage to the Company’s reputation, or personal loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract.

Document disposal

Records which may be routinely destroyed are as follows:

• Announcements and notices of day-to-day meetings and other events including acceptances and apologies.
• Requests for ordinary information such as travel directions.
• Reservations for internal meetings without charges / external costs.
• Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value.
• Message slips.
• Superseded address list, distribution lists etc.
• Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files.
• Stock in-house publications which are obsolete or superseded; and
• Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.

In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.

Destruction Method

Level 1 documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of such documents will include proof of destruction.

Level 2 documents are proprietary documents that contain confidential information such as parties’ names, signatures, and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents will be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.

Level 3 documents are those that do not contain any confidential information or personal data and are published Company documents. These will be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.

Validity and document management

This policy is valid as of 5th July 2021.

The owner of this document is the Cloud Orca Limited board of directors, who must check and, if necessary, update the document at least once annually.