This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within the Cavendish Family Office(London).
This policy applies to All business units, All data processing operations, All data processing systems in all countries in which the Cavendish Family Office (London) conducts business and has dealings or other business relationships with third parties.
This policy applies to all Cavendish Family Office (London)'s Officers, Directors, Employees, Contractors that may collect, process, or have access to data (including personal data and sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this policy and ensure adequate compliance with it.
This policy applies to all information used at the Cavendish Family Office (London), including soft copy documents and reference documents such as personal data protection policy.
EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC)
Personal Data Protection Policy
In the case of documents not specifically defined in this policy and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be7 years from the date of its creation.
The Data Protection Officer defines the time period for which the documents and electronic records should to be retained through the Data Protection Officer.
As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as:
Ongoing investigations from Member States authorities, if there is chance records of personal data are needed by theCavendish Family Office (London) to prove compliance with any legal requirements; orWhen exercising legal rights in cases of lawsuits or similar court proceedings recognised under local law.
The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes.TheDataProtection Officer bears the responsibility for such storage.
The Cavendish Family Office (London) and its employees should, therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete data once the purpose for which those documents were created is no longer relevant. See appendix for the retention schedule. TheData Protection Officer is responsible for the destruction of data.
Once the decision is made to dispose of according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document.
For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.
In this context, the employee shall perform the tasks and assume the responsibilities relevant to the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Data Protection Officer subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and theCavendish Family Office (London)’s Personal Data Protection Policy shall be complied with.
Appropriate controls shall be in a place that prevents the permanent loss of essential information of the company as a result of malicious or unintentional destruction of information – these controls are described in the Cavendish Family Office (London)’s IT Security Policy.
The Data Protection Officer shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
The person appointed with responsibility for Data Protection, the Data Protection Officer has the responsibility to ensure that each of the Cavendish Family Office (London)’s offices complies with thisPolicy. It is also the responsibility of the Data Protection Officer to assist any local office with enquiries from any local data protection or governmental authority.
Any suspicion of a breach of this Policy must be reported immediately to Data Protection Officer. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to theCavendish Family Office (London)’s reputation, personal injury, harm or loss.
Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access toCavendish Family Office (London)'s premises or information, may, therefore, result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Records that may be routinely destroyed unless subject to an ongoing legal or regulatory inquiry are as follows:
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogs, flyers, and newsletters. These may be disposed of without an audit trail.
This document is valid as of 2022-09-15.
The owner of this document is the Mark Estcourt who must check and, if necessary, update the document at least annually.
Appendix – Data Retention ScheduleList of records you store:
Edited & customised by:
3 Sharrow Lane, Sheffield, S11 8AE