1. PURPOSE

The purpose of this Data Retention Policy is to ensure that The Wholistic Work Company (the “organization”) meets its legal, regulatory, and operational obligations regarding the retention and disposal of data. This policy provides guidelines for retaining, managing, and disposing of data, ensuring data privacy, security, and compliance with applicable laws.

‍

2. SCOPE

This policy applies to all data created, received, and maintained by the organization, including electronic records, physical documents, and any other forms of data. It covers all employees, contractors, and third-party service providers who handle the organization's data.

‍

3. POLICY STATEMENT

The organization is committed to maintaining a robust data retention framework that ensures data is retained for the required periods, securely stored, and disposed of appropriately once it is no longer needed. This policy outlines the retention periods, responsibilities, and procedures for managing data throughout its lifecycle.

‍

4. DATA CLASSIFICATION

Data will be classified into the following categories, each with specified retention periods:

• Personal Data: Information relating to identifiable individuals.
• Financial Records: Accounting, tax, and financial transaction records.
• Operational Records: Data related to the organization’s operations, including contracts, project documentation, and communications.
• Legal and Compliance Records: Documents required for legal and regulatory compliance.
• Human Resources Records: Employee-related data, including personnel files, payroll records, and performance evaluations.

‍

5. RETENTION PERIODS

The following retention periods apply to each data category:

• Personal Data: Retained for as long as necessary to fulfill the purposes for which it was collected, subject to data subject rights under applicable data protection laws.
• Financial Records: Retained for a minimum of seven years to comply with tax and accounting regulations.
• Operational Records: Retained for a minimum of five years or as required by contract terms and business needs.
• Legal and Compliance Records: Retained for a minimum of ten years or as required by applicable laws and regulations.
• Human Resources Records: Retained for the duration of employment plus seven years after termination of employment.

‍

6. DATA STORAGE AND SECURITY

• Electronic Records: Stored on secure servers with access controls, encryption, and regular backups.
• Physical Documents: Stored in locked cabinets or secure storage facilities with restricted access.
• Cloud Storage: Only used if it meets the organization's security and compliance requirements.

‍

7. DATA DISPOSAL

• Electronic Records: Deleted using secure methods that prevent data recovery, such as data wiping or degaussing.
• Physical Documents: Shredded or incinerated to ensure destruction.
• Cloud Data: Deleted from cloud storage providers using their secure deletion methods and ensuring data is not recoverable.

‍

8. ROLES AND RESPONSIBILITIES

• Data Protection Officer (DPO): Responsible for overseeing data retention practices, ensuring compliance, and handling data subject requests.
• Department Heads: Ensure that data within their departments is managed according to this policy and retention schedules.
• IT Department: Implements and maintains secure data storage solutions and manages the secure disposal of electronic records.
• Employees: Comply with the data retention policy and report any breaches or concerns to the DPO.

‍

9. COMPLIANCE AND MONITORING

Regular audits and reviews will be conducted to ensure compliance with this policy. Any non-compliance will be addressed promptly, and corrective actions will be taken.

‍

10. POLICY REVIEW

This policy will be reviewed annually or whenever there are significant changes in legal, regulatory, or operational requirements. Revisions will be approved by senior management and communicated to all employees.‍

‍

11. EFFECTIVE DATE

This Data Retention Policy is effective as of July 28, 2024 and supersedes any previous data retention policies.By adopting this policy, the organization aims to ensure responsible data management, protect data privacy, and maintain compliance with all relevant legal and regulatory requirements.