Version 1.0
Prepared by: @Lorraine Sebata
Approved by: @Feli Capron
Reviewed date: 2025-07-25
Next review date: 2026-07-24
This Data Retention and Disposal Policy outlines Easyterms' guidelines for the retention, storage, and secure disposal of company records and client data. The purpose of this policy is to ensure compliance with legal and regulatory requirements, minimize data-related risks, and promote the efficient management of information assets. This policy supports the principle of data minimization by ensuring that data is not kept longer than necessary.
This policy applies to all records and information, whether physical or electronic, created, received, or maintained by Easyterms. It extends to all employees, agents, and third-party contractors. The policy covers all forms of client data, transactional records, and internal business documents.
Easyterms is committed to retaining data for the minimum period required by all applicable laws, regulations, and industry standards, including but not limited to [mention specific local laws, e.g., local banking regulations, tax laws, data protection acts].
All data and records shall be classified based on their sensitivity and importance, which will dictate the appropriate retention period and disposal method. Classifications may include confidential, internal use only, and public.
Data shall be retained for specified periods as determined by legal, regulatory, or business requirements. A schedule of retention periods for different categories of records (e.g., client loan files, financial statements, HR records) shall be maintained and adhered to.
Client Loan Files: Retained for a period of at least [e.g., 5 years] after the account is closed.
Transaction Records: Retained for a period of at least [e.g., 7 years].
Personal Data: Retained for as long as there is a legitimate business purpose or legal obligation to do so.
HR Records: Retained for a period of at least [e.g., 5 years] after an employee's departure.
Once the retention period for a record has expired, it shall be securely and irreversibly disposed of to prevent unauthorized access or reconstruction.
Physical Records: Shall be shredded, incinerated, or otherwise destroyed in a manner that renders them illegible and unusable.
Electronic Records: Shall be securely erased, sanitized, or degaussed from all storage media, including hard drives, servers, and cloud backups, ensuring no recovery is possible.
The company shall have procedures in place to securely dispose of data when a data subject exercises their "right to be forgotten," subject to legal and regulatory exceptions.
In the event of litigation, a regulatory investigation, or an audit, a "legal hold" may be placed on relevant records. The disposal of these records will be suspended until the hold is officially lifted.
Board of Directors / Senior Management: Overall responsibility for approving and overseeing the Data Retention and Disposal Policy.
Compliance Department: Responsible for creating and maintaining the data retention schedule, monitoring compliance with the policy, and staying current with legal and regulatory changes.
IT Department: Responsible for implementing and managing the technical procedures for the secure disposal of electronic records and data.
All Employees: Responsible for understanding and adhering to the policy, ensuring that records are retained and disposed of in accordance with the established retention schedule.
This policy will be reviewed at least annually, or more frequently if there are significant changes in laws, regulations, or business operations that impact data retention or disposal requirements.