1. Purpose
The purpose of this Data Retention Policy is to outline the principles and guidelines for retaining and disposing of data at MField MEA. This policy ensures that data is retained for the necessary period to comply with legal, regulatory, and business requirements while ensuring that data is securely deleted when no longer needed.
2. Scope
This policy applies to all employees, contractors, and third-party service providers of MField MEA who handle, manage, or have access to company data, including electronic and physical records.
3. Data Classification
Data is classified into the following categories for retention purposes:
- Business Data: Operational data necessary for daily business activities.
- Client Data: Data received from or related to clients.
- Financial Data: Accounting and financial records.
- Legal and Compliance Data: Data required for legal, regulatory, or compliance purposes.
- HR Data: Employee-related records.
- Technical Data: IT and system-related data.
4. Data Retention Periods
- Business Data: Retained for 5 years.
- Client Data: Retained for 7 years.
- Financial Data: Retained for 7 years.
- Legal and Compliance Data: Retained for 10 years or as required by law.
- HR Data: Retained for 7 years after employee termination.
- Technical Data: Retained for 1 year.
5. Data Deletion and Disposal
Data will be securely deleted or disposed of after the retention period has expired, using the following methods:
- Electronic Data: Secure deletion tools that perform multiple overwriting passes or cryptographic erasure.
- Physical Media: Secure shredding, degaussing, or incineration.
6. Data Encryption
Where applicable, backed-up data sets will be encrypted based on the data classification policy. MField MEA uses 256-bit AES encryption for data backups.
7. Ensuring Permanent Deletion
To ensure that deleted data cannot be recovered:
- Data deletion tools and techniques are employed.
- Secure physical destruction methods are used for hardware.
- A third-party certificate of data destruction is obtained where applicable.
8. Legal and Compliance
MField MEA will comply with all applicable legal and regulatory requirements concerning data retention and disposal. The policy will be reviewed and updated as necessary to reflect changes in legal requirements.
9. Responsibilities
- Data Owners: Ensure data within their control is managed according to this policy.
- IT Department: Implement and maintain secure data deletion and backup processes.
- Compliance Team: Ensure adherence to legal and regulatory requirements.
10. Policy Review
This Data Retention Policy will be reviewed annually to ensure it remains relevant and effective in light of any changes to legal requirements, business needs, or technological advancements.
11. Exceptions
Any exceptions to this policy must be approved by the Data Protection Officer and documented accordingly.