Data Retention Policy at NMI ERP Sp. z o.o.
1. Purpose of the Policy
The purpose of this policy is to ensure that the data processed by the company is managed in compliance with applicable legal regulations, best practices in data protection, and organizational requirements. The policy aims to control the process of data deletion in a secure manner, in line with data protection laws, while minimizing the risk of loss, unauthorized access, or misuse of data.
2. Scope of the Policy
This policy applies to all data processed by the company, both in electronic and paper form. It covers personal data, sensitive data, customer data, employee data, supplier data, and any other data stored and processed in the course of the company's operations.
3. Definition of Data
- Personal Data: any information relating to an individual that enables their identification, such as name, surname, address, phone number, email address, etc.
- Sensitive Data: data that includes special categories of personal data, such as health information, racial origin, political beliefs, biometric data, etc.
- Operational Data: all data related to the company's activities, such as financial, transactional, system, and log data.
4. Data Management Principles
- Data Security: All data must be stored and processed in a way that ensures its security, in accordance with best practices, industry standards, and regulatory requirements.
- Access to Data: Access to data is granted only to employees who require it to perform their job duties. All operations on data must be monitored and recorded.
- Personal Data Protection: The processing of personal data is carried out in compliance with data protection laws (including GDPR), and all operations on data must ensure the privacy of individuals whose data is being processed.
5. Data Deletion
- Deletion of Personal Data: Personal data that is no longer needed for the purposes for which it was collected must be deleted in a way that ensures permanent erasure, preventing recovery. Deletion must be carried out within the timeframe required by law or the company's internal regulations.
- Deletion of Sensitive Data: Sensitive data that is no longer required for processing should be deleted with special care and in line with procedures ensuring complete erasure.
- Deletion of Operational Data: Operational data that has become outdated or unnecessary, or that has exceeded its retention period, must be deleted in accordance with the company's data retention policy.
6. Data Deletion Procedure
- Assessment of Retention Needs: Before deleting data, it must be assessed whether the data is still necessary for its intended purposes or whether there are legal requirements obliging the retention of data for a specific period.
- Methods of Data Deletion:
  - Electronic Data: Must be deleted using appropriate tools that ensure complete erasure from hard drives, servers, storage media, and other devices.
  - Paper Data: Paper documents containing sensitive or personal data must be destroyed using shredders with the appropriate security classification.
- Confirmation of Deletion: After data has been deleted, the employee responsible for the deletion process must confirm that the data has been securely removed and is no longer accessible.
7. Data Retention Period
Data should be stored only for as long as necessary to achieve the purposes for which it was collected. The retention period depends on:
- Legal requirements,
- The operational needs of the company,
- The company's data storage and archiving rules.
After the specified period, data must be deleted or anonymized.
8. Audit and Monitoring
Data management and deletion processes must be regularly monitored and audited by IT security teams or data protection specialists. These audits aim to:
- Verify compliance with laws and company policy,
- Identify potential risks and irregularities,
- Ensure that data is stored and deleted in accordance with established procedures.
9. Employee Training and Awareness
All company employees will receive regular training on data management and deletion policies, including personal data processing, privacy protection, and data deletion methods. Training is intended to raise awareness of, and responsibility for, data security.
10. Policy Review and Updates
The data management and deletion policy will be regularly reviewed and updated to reflect changes in legal requirements, technology, and organizational needs. Reviews will be conducted at least once a year or whenever significant changes occur in data protection regulations.
11. Responsibility
The implementation of this policy is the responsibility of the IT Security team, data administrators, and department managers responsible for data processing. Every employee of the company is obliged to comply with the data management and deletion policy and to report any irregularities in this area.