1.1 This policy (the Policy) must be followed whenever Personal Data are Processed for or
    on behalf of Hillwood.
    1.2 The General Data Protection Regulation (EU) 2016/679 (GDPR) sets out specific
    requirements regarding the retention of Personal Data. In particular:
    1.2.1 To the extent that the data records of Hillwood (Data Records) contain Personal
    Data, Hillwood must comply with applicable data protection laws, including
    (where relevant) the GDPR.
    1.2.2 The GDPR requires Personal Data to be deleted or anonymised when they are
    no longer needed given the purposes for which they are held.
    1.3 The purpose of this Policy is to ensure that:
    1.3.1 Data Records are adequately protected and maintained;
    1.3.2 Data Records containing Personal Data, which are no longer required are
    discarded at the appropriate time;
    1.3.3 Hillwood’s data retention principles will help Hillwood to ensure the exercise
    of individuals’ data protection rights.
    1.4 Capitalized terms not defined directly in this Policy have the meaning assigned to them
    in a document connected to this Policy in the form of the Data Protection Policy.
    2.1 These are Hillwood’s guiding data retention principles:
    2.1.1 Fairness: All Processing of Personal Data must be fair, proportionate and
    compatible with the purposes for which the data were collected.
    2.1.2 Necessity: Personal Data are deleted when no longer needed.
    2.1.3 Security: Personal Data are protected by appropriate security measures.
    2.2 It needs to be ensured that each principle set out at paragraph 2.1 above is followed
    whenever a Processing activity is envisaged or planned for or on behalf of Hillwood.
    3.1 Personal Data should only be retained for the period “necessary” to achieve our
    Processing purposes. This means that Personal Data must be deleted when we no longer
    need such data, for example where:
    3.1.1 the Personal Data are incorrect;
  • 2 –
    3.1.2 the relevant contract has already been performed and possible claims are timebarred; or
    3.1.3 an individual has withdrawn their consent to the Processing (i.e. if consent
    constitutes a basis for the Processing).
    3.2 Hillwood’s legal unit should be consulted prior to deleting any Personal Data. Prior to
    deleting any Personal Data, Hillwood’s legal unit should establish whether the
    limitation periods for any related claims have elapsed, whether the run of the limitation
    period has been interrupted and whether any related claims have been brought up.
    3.3 Legal or regulatory requirements might require Personal Data to be retained for a
    specified period. For example:
    3.3.1 tax law;
    3.3.2 labour law.
    3.4 You must therefore consider for each Processing activity:
    3.4.1 whether any legal or regulatory requirements specify a retention period for
    Personal Data to be Processed;
    3.4.2 how long Hillwood will need to retain Personal Data in relation to the proposed
    Processing activity; and
    3.4.3 whether the duration of the proposed retention period is necessary for the
    purposes of the relevant Processing activity.
    3.5 The retained data should be subject to periodic reviews every 6 months with an aim of
    identifying the data that should be deleted.
    4.1 Appendix 1 contains a form of retention requirements tracker (the Retention Tracker).
    The purpose of the Retention Tracker is to help calculate appropriate retention periods
    at the outset of a new Processing activity.
    4.1.1 Each member of personnel (including an employee and associate) of Hillwood
    must ensure that that any new Processing activities are promptly notified to
    Hillwood – i.e. to ensure that Hillwood can update the Retention Tracker, where
    4.1.2 Hillwood is responsible for ensuring that the Retention Tracker is: (i) kept upto-date; and (ii) reflect the categories of Personal Data Processed.
    4.2 Inform the Data Protection Coordinator of the proposed retention period of the relevant
    Personal Data (a Retention Notice).
    4.3 Promptly after the receipt of a Retention Notice, the Data Protection Coordinator will:
  • 3 –
    4.3.1 verify whether there are any relevant legal or regulatory requirements which
    will impact the proposed retention period set out in the Retention Notice; and
    4.3.2 provide a confirmation, in writing or by e-mail, that the proposed retention
    period complies with this Policy (Confirmation).
    4.4 Continual recording of: (i) Confirmations; and (ii) each retention period agreed for
    Hillwood is important for record-keeping requirements.
    4.5 The Data Protection Coordinator will ensure that each Confirmation is included in
    Hillwood’s repository confirming our retention periods (i.e. the Record of Processing –
    see paragraph 7 below). The Record of Processing will be maintained by the Data
    Protection Coordinator.
    5.1 Regulators and individuals may request access to, or enabling the audit of, the Personal
    Data that Hillwood Processes.
    5.2 Hillwood creates and stores Processed Personal Data in secure systems in accordance
    with auditable processes. Maintaining Hillwood’s Record of Processing will assist with
    this process. In particular, Hillwood ensures that all Personal Data is kept secure (i.e.
    so as to avoid unauthorised access, alteration, destruction, deletion or tampering in any
    way for the approved retention period of relevant Personal Data).
    5.3 It is necessary to ensure that the Processed Personal Data are capable of deletion,
    correction and portability (in response to an individual exercising their Personal Data
    protection rights). Hillwood preserves the integrity of all Processed Personal Data. In
    particular, it ensures that:
    5.3.1 Processed Personal Data are not manipulated or altered;
    5.3.2 any corrections are explicable – Hillwood is able to promptly track and justify
    5.4 Hillwood, as soon as practicable, responds to requests from individuals, regulators and
    other competent authorities to provide information . Hillwood ensures that third party
    service providers/vendors:
    5.4.1 secure Personal Data that they Process on behalf of Hillwood in accordance with
    all relevant legal and regulatory requirements; and
    5.4.2 deliver any Personal Data that they Process on behalf of Hillwood: (i) promptly
    and without unreasonable delay; and (ii) in any event, within 48 hours of
    Hillwood’s reasonable request.
    5.5 When you are negotiating contracts with service providers where Personal Data will be
    Processed on Hillwood’s behalf, contact the Data Protection Coordinator for guidance
    on implementing and reflecting these requirements in the applicable contractual
  • 4 –
    6.1 Data Records must be destroyed responsibly and systematically.
    6.2 If in doubt, the Confirmation should be obtained from the Data Protection Coordinator
    by contacting Tomasz Jaroszewski at [email protected]
    6.3 No records that may be relevant in any current or expected litigation, dispute resolution,
    or regulatory inquiry may be destroyed under any circumstances without a prior
    Confirmation from the Data Protection Coordinator. If in any doubt as to the relevance
    of any record in relation to current or expected litigation, dispute resolution or
    regulatory inquiry, contact the Data Protection Coordinator.
    7.1 Hillwood maintains a detailed record of our Processing of Personal Data to comply with
    applicable laws (including data access obligations and security breach notification
    requirements) (the Record of Processing). The Record of Processing describes, among
    other things:
    7.1.1 the location in which the Processed Personal Data are held/stored (e.g. paper
    files, third party servers, our servers, backup storage);
    7.1.2 the purposes of the Processing;
    7.1.3 the legal basis on which Hillwood is processing the relevant data; and
    7.1.4 retention periods.
    7.2 The Data Protection Coordinator is responsible for maintaining the Record of
    7.3 Each member of personnel (including employee and associate) of Hillwood should
    contribute to updating and maintaining the Record of Processing.
    8.1 This Policy has been drawn up in accordance with the requirements of the GDPR and
    the provisions of Polish law. If the Policy were to be applicable outside of Poland, the
    principles laid down in paragraphs 8.2 and 8.3 apply.
    8.2 Where any local legal or regulatory requirements impose additional or more restrictive
    standards than this Policy, such jurisdictional specific policies shall take precedence.
    8.3 Contact your Data Protection Coordinator if this Policy conflicts with local laws in any
    9.1 Hillwood takes its data retention obligations seriously. Hillwood will, if required, report
    violations of this Policy and related provisions to relevant regulatory, governmental and
    other competent authorities.
  • 5 –
    9.2 It is your responsibility to comply with this Policy. Failure to comply may leave you
    personally liable for civil or criminal penalties (including civil or criminal penalties and
    9.3 Breaches of this Policy are recorded and monitored. Failure to comply maybe taken
    into account during performance reviews for Hillwood’s employees, associates and
    service providers.