Data Retention & Erasure Policy

1. About this policy

   1. The corporate information, records and data of the River Exe Cafe Ltd is important to how we conduct business and manage our website and app users.
   2. There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
   3. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
   4. Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
   5. We may amend this policy at any time.

2. Scope of policy

   1. This policy covers all data that we hold or have control over. This includes electronic data such as emails, electronic documents, any data provided by you to us or obtained from you by us by means of your engagement with us in store, via telephone our via our website. It also includes (where appropriate) physical data such as hard copy documents, contracts, notebooks, letters and invoices. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as "data".
   2. This policy covers data that is held by third parties on our behalf, for example cloud or web data storage providers or offsite records storage.
   3. This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data and non-personal data. It also gives guidance on how we classify our data.
   4. This policy applies to data collected, stored, retained in connection with our business.

3. Guiding Principles

   1. Through this policy, and our data retention practices, we aim to meet the following commitments:

      • We comply with legal and regulatory requirements to retain data.
      • We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
      • We handle, store and dispose of data responsibly and securely.
      • We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason.
      • We allocate appropriate resources to data retention and deal with it responsibly.
      • We monitor and audit compliance with this policy and update this policy when required.

4. Roles and Responsibilities

   1. Responsibility of directors. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All directors must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions from the Data Protection Compliance Manager. A consultant’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
   2. Data Protection Compliance Manager. The Data Protection Compliance Manager (‘DPCM’) is responsible for identifying the data that we must or should retain, and determining, the proper period of retention. It also arranges for the proper storage and retrieval of data. Additionally, the DPCM is responsible for the destruction of records whose retention period has expired.
   3. We have designated Paul Craven as the DPCM. He is responsible for:
      • Administering the data management programme;
      • Helping the business to implement the data management programme and related best practices;
      • Planning, developing, and prescribing data disposal policies, systems, standards, and procedures; and
      • Providing guidance, training, monitoring and updating in relation to this policy.

5. Types of Data and Data Classifications

   1. Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data.
   2. Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
      • Duplicates of originals that have not been annotated.
      • Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
      • Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of River Exe Cafe Ltd and retained primarily for reference purposes.
      • Spam and junk mail.
      Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.
   3. Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
   4. Confidential information belonging to others. Any confidential information that a director or employee may have obtained from a source outside of River Exe Cafe Ltd must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the internet.

6. Retention Periods

   1. Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention.
   2. Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.
   3. Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data. More information can be found in our Privacy Notice.
   4. What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the DPCM.

7. Storage, Back-Up and Disposal of Data

   1. Storage. Our data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up by us on a regular basis and maintained off site.
   2. Destruction. Our DPCM is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. All electronic data will be deleted.
   3. The destruction of data must stop immediately upon notification that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once such requirement for preservation is lifted.

8. Special Circumstances

   1. Preservation of documents for contemplated litigation and other special situations. We require all officers and employees of the company to comply fully with our Record Retention Schedule and procedures as provided in this policy. The following general exception to any stated destruction schedule is to be noted : If you believe, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until the DPCM determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
   2. If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the DPCM.
   3. In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

9. Where to go for Advice and Questions

   1. Questions about the policy. Any questions about this policy should be referred to the DPCM at [email protected]) who is in charge of administering, enforcing, and updating this policy.

10. Breach Reporting and Audit

    1. Reporting policy breaches. River Exe Cafe Ltd is committed to enforcing this policy as it applies to all forms of data. If you feel that there may have been a breach of this policy, you should report the incident immediately to the DPCM to make us aware of the possible breach of this policy as soon as possible so that we may take appropriate corrective action.
    2. Audits. Our DPCM will periodically review this policy and its procedures (including where appropriate by taking outside legal or GDPR compliance advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

11. Other Relevant Policies

    1. This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including our Privacy Policy, our Cookie Policy, and any other IT and security related policies that River Exe Cafe Ltd may have in place from time to time

Definitions

Data

all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings and any other data electronically communicated to us digitally or obtained by us digitally. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.

Data Retention Policy

this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

Disposable information

disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.

Formal or official record

certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as formal or official records or data.

Non-personal data

data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.

Personal data

any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudo-anonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, date of birth, account details, payment details, device details, company details) or an opinion about that person's actions or behaviour.

Data Protection Compliance Manager

the DPCM is responsible for administering the data management programme, helping the business implement it and related best practices, planning, developing, and prescribing data disposal policies, systems, standards, and procedures and providing guidance, training, monitoring and updating in relation to this policy. Our DPCM is Paul Craven.

Record Retention Schedule

the schedule attached at Annex A which sets out retention periods for our formal or official records.

Storage limitation principle

data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.

Record Retention & Erasure Schedule

River Exe Cafe Ltd establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as business management, protecting intellectual property and controlling costs.

River Exe Cafe Ltd and its officers and employees shall comply with the retention periods listed in the record retention schedule below.

Type of Data	Minimum Retention Period	Reasons for retaining data longer (if applicable)
Personal Data: belonging to visitors/ users of our website belonging to our online customers Belonging to our in store and telephone customers	3 years post a customer’s last: Website visit Purchase/ booking/ reservation/ enquiry online Purchase/ booking/ reservation/ enquiry in store or via telephone	These include: For legal reasons Where you ask us too For legitimate business reasons Where we have asked your permission and you have given it
Personal Data – belonging to officers and employees of the company	3 years post termination of office and/ or employment	As above
Data related to specific client services/ projects/ work for clients	As above	As above

Last updated 7th May 2022