THE PURPOSE OF DATA RETENTION POLICY 1.1 This policy (the Policy) must be followed whenever Personal Data are Processed for or on behalf of Hillwood. 1.2 The General Data Protection Regulation (EU) 2016/679 (GDPR) sets out specific requirements regarding the retention of Personal Data. In particular: 1.2.1 To the extent that the data records of Hillwood (Data Records) contain Personal Data, Hillwood must comply with applicable data protection laws, including (where relevant) the GDPR. 1.2.2 The GDPR requires Personal Data to be deleted or anonymised when they are no longer needed given the purposes for which they are held. 1.3 The purpose of this Policy is to ensure that: 1.3.1 Data Records are adequately protected and maintained; 1.3.2 Data Records containing Personal Data, which are no longer required are discarded at the appropriate time; 1.3.3 Hillwood’s data retention principles will help Hillwood to ensure the exercise of individuals’ data protection rights. 1.4 Capitalized terms not defined directly in this Policy have the meaning assigned to them in a document connected to this Policy in the form of the Data Protection Policy.
GUIDING DATA RETENTION PRINCIPLES 2.1 These are Hillwood’s guiding data retention principles: 2.1.1 Fairness: All Processing of Personal Data must be fair, proportionate and compatible with the purposes for which the data were collected. 2.1.2 Necessity: Personal Data are deleted when no longer needed. 2.1.3 Security: Personal Data are protected by appropriate security measures. 2.2 It needs to be ensured that each principle set out at paragraph 2.1 above is followed whenever a Processing activity is envisaged or planned for or on behalf of Hillwood.
GENERAL RETENTION POLICY 3.1 Personal Data should only be retained for the period “necessary” to achieve our Processing purposes. This means that Personal Data must be deleted when we no longer need such data, for example where: 3.1.1 the Personal Data are incorrect;
2 – 3.1.2 the relevant contract has already been performed and possible claims are timebarred; or 3.1.3 an individual has withdrawn their consent to the Processing (i.e. if consent constitutes a basis for the Processing). 3.2 Hillwood’s legal unit should be consulted prior to deleting any Personal Data. Prior to deleting any Personal Data, Hillwood’s legal unit should establish whether the limitation periods for any related claims have elapsed, whether the run of the limitation period has been interrupted and whether any related claims have been brought up. 3.3 Legal or regulatory requirements might require Personal Data to be retained for a specified period. For example: 3.3.1 tax law; 3.3.2 labour law. 3.4 You must therefore consider for each Processing activity: 3.4.1 whether any legal or regulatory requirements specify a retention period for Personal Data to be Processed; 3.4.2 how long Hillwood will need to retain Personal Data in relation to the proposed Processing activity; and 3.4.3 whether the duration of the proposed retention period is necessary for the purposes of the relevant Processing activity. 3.5 The retained data should be subject to periodic reviews every 6 months with an aim of identifying the data that should be deleted.
CALCULATION OF THE APPROPRIATE RETENTION PERIOD 4.1 Appendix 1 contains a form of retention requirements tracker (the Retention Tracker). The purpose of the Retention Tracker is to help calculate appropriate retention periods at the outset of a new Processing activity. 4.1.1 Each member of personnel (including an employee and associate) of Hillwood must ensure that that any new Processing activities are promptly notified to Hillwood – i.e. to ensure that Hillwood can update the Retention Tracker, where necessary. 4.1.2 Hillwood is responsible for ensuring that the Retention Tracker is: (i) kept upto-date; and (ii) reflect the categories of Personal Data Processed. 4.2 Inform the Data Protection Coordinator of the proposed retention period of the relevant Personal Data (a Retention Notice). 4.3 Promptly after the receipt of a Retention Notice, the Data Protection Coordinator will:
3 – 4.3.1 verify whether there are any relevant legal or regulatory requirements which will impact the proposed retention period set out in the Retention Notice; and 4.3.2 provide a confirmation, in writing or by e-mail, that the proposed retention period complies with this Policy (Confirmation). 4.4 Continual recording of: (i) Confirmations; and (ii) each retention period agreed for Hillwood is important for record-keeping requirements. 4.5 The Data Protection Coordinator will ensure that each Confirmation is included in Hillwood’s repository confirming our retention periods (i.e. the Record of Processing – see paragraph 7 below). The Record of Processing will be maintained by the Data Protection Coordinator.
HANDLING DATA DURING THE RETENTION PERIOD 5.1 Regulators and individuals may request access to, or enabling the audit of, the Personal Data that Hillwood Processes. 5.2 Hillwood creates and stores Processed Personal Data in secure systems in accordance with auditable processes. Maintaining Hillwood’s Record of Processing will assist with this process. In particular, Hillwood ensures that all Personal Data is kept secure (i.e. so as to avoid unauthorised access, alteration, destruction, deletion or tampering in any way for the approved retention period of relevant Personal Data). 5.3 It is necessary to ensure that the Processed Personal Data are capable of deletion, correction and portability (in response to an individual exercising their Personal Data protection rights). Hillwood preserves the integrity of all Processed Personal Data. In particular, it ensures that: 5.3.1 Processed Personal Data are not manipulated or altered; 5.3.2 any corrections are explicable – Hillwood is able to promptly track and justify changes. 5.4 Hillwood, as soon as practicable, responds to requests from individuals, regulators and other competent authorities to provide information . Hillwood ensures that third party service providers/vendors: 5.4.1 secure Personal Data that they Process on behalf of Hillwood in accordance with all relevant legal and regulatory requirements; and 5.4.2 deliver any Personal Data that they Process on behalf of Hillwood: (i) promptly and without unreasonable delay; and (ii) in any event, within 48 hours of Hillwood’s reasonable request. 5.5 When you are negotiating contracts with service providers where Personal Data will be Processed on Hillwood’s behalf, contact the Data Protection Coordinator for guidance on implementing and reflecting these requirements in the applicable contractual documentation.
4 –
EXPIRATION OF THE RETENTION PERIOD 6.1 Data Records must be destroyed responsibly and systematically. 6.2 If in doubt, the Confirmation should be obtained from the Data Protection Coordinator by contacting Tomasz Jaroszewski at [email protected] 6.3 No records that may be relevant in any current or expected litigation, dispute resolution, or regulatory inquiry may be destroyed under any circumstances without a prior Confirmation from the Data Protection Coordinator. If in any doubt as to the relevance of any record in relation to current or expected litigation, dispute resolution or regulatory inquiry, contact the Data Protection Coordinator.
DATA STORAGE 7.1 Hillwood maintains a detailed record of our Processing of Personal Data to comply with applicable laws (including data access obligations and security breach notification requirements) (the Record of Processing). The Record of Processing describes, among other things: 7.1.1 the location in which the Processed Personal Data are held/stored (e.g. paper files, third party servers, our servers, backup storage); 7.1.2 the purposes of the Processing; 7.1.3 the legal basis on which Hillwood is processing the relevant data; and 7.1.4 retention periods. 7.2 The Data Protection Coordinator is responsible for maintaining the Record of Processing. 7.3 Each member of personnel (including employee and associate) of Hillwood should contribute to updating and maintaining the Record of Processing.
LOCAL LAW CONSIDERATIONS 8.1 This Policy has been drawn up in accordance with the requirements of the GDPR and the provisions of Polish law. If the Policy were to be applicable outside of Poland, the principles laid down in paragraphs 8.2 and 8.3 apply. 8.2 Where any local legal or regulatory requirements impose additional or more restrictive standards than this Policy, such jurisdictional specific policies shall take precedence. 8.3 Contact your Data Protection Coordinator if this Policy conflicts with local laws in any way.
DISCIPLINARY 9.1 Hillwood takes its data retention obligations seriously. Hillwood will, if required, report violations of this Policy and related provisions to relevant regulatory, governmental and other competent authorities.
5 – 9.2 It is your responsibility to comply with this Policy. Failure to comply may leave you personally liable for civil or criminal penalties (including civil or criminal penalties and fines). 9.3 Breaches of this Policy are recorded and monitored. Failure to comply maybe taken into account during performance reviews for Hillwood’s employees, associates and service providers.
