Data Retention Policy

About this policy

This Retention Policy outlines how Red Flag Alert Technology Group Ltd ("we", "our", "us", the "Business") meets its data privacy obligations and manages the retention of personal data. Personal data is defined as any information identifying any living person, or information relating to a living person that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data may comprise information such as a person's name, address, email address, identification number, online identifiers, and/or one or more identity verification elements.

This Policy applies to all internal employees, workers, consultants and partners of the Business. This Policy also applies equally to all Clients, Prospective Clients and any additional Third Parties.

This Policy is intended to supplement our Data Protection Policy ("the DP Policy") and incorporates the definitions provided in the DP Policy https://www.redflagalert.com/privacy-centre/gdpr-data-protection-policy. This Policy should also be read in conjunction with the DP Policy and the Business's document retention and destruction processes, which outline in particular the criteria used by the Business for the retention and destruction of client and TP-related documentation. If there is a contradiction between this policy and the retention and destruction of documents in relation to Client and TP material, such policies will take precedence, to the extent that they are compatible with the UKGDPR.

The Business is responsible for keeping its documents, records, and document management systems in compliance with the regulatory environment. This policy intends to establish the Business's position regarding the retention of personal data under the UK General Data Protection Regulation (UKGDPR) and any other laws and/or regulations that may regulate the processing of personal data from time to time.

This policy applies to all employees, workers, consultants, and partners of the Company ("you" or "your"). This policy is not contractual and is not included in any employment or engagement terms and conditions. The Business reserves the right to revise, alter, amend, or replace this policy at any time. This Policy also applies to all clients, prospective clients, and other third parties, such as suppliers and vendors.

The purpose of this policy is to ensure that the Business complies with the personal data protection guidelines outlined in the UKGDPR when processing personal data, including that of clients, prospects, and other third parties, as well as that of employees, workers, consultants, and partners. Specifically, this means that:

  • Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
  • Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When Personal Data is no longer needed for specified purposes, it is deleted or anonymised as provided by these guidelines.
  • Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
  • Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
  • Sufficient technical and organisational safeguards must be in place to protect personal data from unauthorised or illegal processing, as well as from unintentional loss, destruction, or damage.

Our Data Protection Officer is responsible for compliance with this Policy and all UKGDPR requirements. Any questions about this policy should be submitted to our DPO.

Types of Personal Data

The Business gathers and processes personal data regarding its employees (including job applicants), contractors, consultants, partners, clients, prospects and other third parties, such as suppliers and vendors of products and services.

Location of Personal Data

Personal data relating to clients, prospects, suppliers and other third parties is held by various parts of the Business, including sales, marketing and finance. All data is stored within the UK.

Business Retention and Erasure of Personal Data

The Business ensures that it adheres to the data protection principles delineated in this policy and in line with the requirements of UKGDPR, with a particular emphasis on:

  • Documents are routinely reviewed to guarantee that they are sufficient, pertinent, and restricted to the extent necessary to support the Business's operational and/or employment requirements (where applicable) and/or compliance with legal or regulatory requirements.
  • Secure storage and protection from unauthorised or unlawful processing, as well as incidental loss, destruction, or damage, are implemented for documents. The Business will employ data obfuscation techniques in accordance with the sensitivity and criticality of the data processed, and wherever feasible, anonymisation will be implemented to prevent the identification of individuals.
  • The Business will ensure that documents and records, regardless of whether they are stored in digital format or as paper records, are permanently and securely expunged following their destruction. The Business will determine whether the data requires anonymisation when a document is archived, and it is necessary to consider whether the document should be destroyed, subject to a further period of retention, or perpetual retention as an archive.

Retention and Erasure of Personal Data

We keep personal information we acquire from you if we have a valid business need to do so (for example, to provide you with a requested service or to comply with applicable legal, tax, or accounting obligations).

When we no longer have a legitimate business reason to process your personal information, we will either delete or anonymise it. If this is not possible (for example, because your personal information is stored in backup archives), we will securely store your personal information and isolate it from further processing until deletion is possible.

The Business considers the purpose for which personal data was collected when determining the appropriate retention period. It also considers legal risk, and the default retention period for all data (digital and written), documents and records is at least seven years (and in some cases, longer) after any contractual relationship with us has concluded.

The following criteria will be considered by the Business in determining our data retention periods:

  • Any directives or regulations from our regulatory body;
  • What our insurance providers demand and what our insurance terms state;
  • The reason we retain the Personal Data;
  • The potential risk of harm from unauthorised use or disclosure of the Personal Data;
  • Whether we need the Personal Data to defend any proceedings in line with the Statute of Limitations. This includes but is not limited to any orders for the preservation of evidence, including Personal Data that may arise within the civil or criminal courts.
  • Any legal or regulatory requirements;
  • Any specific requests from a Data Subject to retain such Personal Data;
  • Any legal, accounting, or reporting requirements. This includes any matters in relation to HR and people management and requirements from bodies such as HMRC;
  • Whether we must retain such Personal Data to help us carry out our services or fulfil a contract; and/or
  • Any investigations required by the regulator or law enforcement agencies within the UK or elsewhere.

The schedule below provides an overview of the categories of personal information we maintain and the length of time we believe is suitable for keeping it. The schedule is meant to serve as a guide only, and the Business may deviate from the retention periods listed if there is a valid and legal basis to do so. In such situations, the Business will make sure that any further retention of personal data beyond what is suggested in the schedule below takes into account the principles of protecting personal data and that the Business otherwise complies with the DP Policy (Privacy Centre | Red Flag Alert). Additionally, the Business will regularly evaluate its records to determine whether the personal data contained therein needs to be kept on file or whether it may be anonymised or deleted.

Please note the recommended retention periods set out in the below tables are subject to further review and may be changed from time to time.

Retention of client, supplier and third party personal data - schedule

Type of record containing personal data | Retention period | Reasons for retention period, including where applicable any legal requirements

Client documents

This may include:

  • Signed contracts between the parties
  • Data processing agreements
  • Communications
  • Documents and drafts of documents including SOWs / SLAs
  • Records of telephone calls
  • Master Agreements
  • Generated reports provided as a service or product to our clients
  • Any data provided in the generation of those reports including but not limited to IDV data where such data may be disclosed to regulatory or law enforcement agencies as required

Retention period: 7 years unless otherwise specified, there being a specific reason for longer retention such as the possibility of a contractual claim such as an indemnity claim after more than 7 years.

Reasons: Limitation Act 1980. These kinds of documents / data have the potential to be accessed more than seven years after they have been closed. It is in our legitimate interests to retain these kinds of documents for the term of the lease plus an additional three years in case we are asked to respond to enquiries about the contract after it expires.

Supplier contracts

This may include:

  • SOWs
  • Signed contracts
  • Communications
  • Notices given or received
  • SLAs

Retention period: Life of contract plus 7 years

Reasons: Limitation Act 1980

CRM database

This may include contact details and preferences of clients, prospects, suppliers and other third parties

The Business’s CRM database will be reviewed on an annual basis and obsolete personal data removed or anonymised

Third party enquiries

This may include enquiries which did not convert into a contract / agreement with RFA to provide a product or service.

1 year

Data Subject Access Requests

Any request from a data subject to exercise their rights under the UKGDPR (or other laws / regulations relating to data protection)

Retention period: 7 years from the conclusion of the request

Reasons: Limitation Act 1980; UKGDPR

Records of Business actions

This may include:

  • Claims brought by the Business
  • Complaints against the Business which do not result in a professional indemnity notification

Retention period: In relation to legal claims, 7 years from the conclusion, settlement or withdrawal of the claim; in relation to complaints, 7 years from the conclusion of our complaints procedure.

Reasons: Limitation Act 1980

Financial management and accounting records

This may include:

  • Annual plans and budgets
  • Accounts payable and receivable ledgers
  • Annual audit reports
  • Financial statements
  • Bank statements, cancelled cheques, deposit slips
  • Business expense records
  • Electronic fund transfer documents
  • Invoices
  • Tax records

Retention period: The current financial year and 7 years prior to it.

Reasons: Value Added Tax Act 1994; Limitation Act 1980

Insurance records other than documents relating to claims under our professional indemnity insurance

This may include:

  • Insurance claims
  • Insurance applications
  • Insurance contracts and policies
  • Settlement or withdrawal of claims

Retention period: In relation to insurance claims, 7 years from the conclusion, settlement or withdrawal of the claim. In relation to other insurance related documentation, 7 years from the conclusion of the insurance policy to which it relates.

Reasons: Limitation Act 1980

Retention of employee/worker/consultant/partner personal data - schedule

Type of employment record | Retention period and reasons (where appropriate)

Recruitment records

These may include:

  • Completed online application forms or CVs.
  • Equal opportunities monitoring forms.
  • Assessment exercises or tests.
  • Notes from interviews and short-listing exercises.
  • Pre-employment verification of details provided by the successful candidate. For example, checking qualifications and taking up references. (These may be transferred to a successful candidate's employment file.)
  • Criminal records checks. (These may be transferred to a successful candidate's employment file if they are relevant to the ongoing relationship.)
Six months after notifying rejected candidates of the recruitment results. The rationale for this is to account for the time constraints for any rejected candidate to file a claim for discrimination or unfair treatment resulting from the recruitment process (S.123 Equality Act 2010). For successful candidates who are hired by the Business, certain of these records (where relevant to the ongoing employment relationship) may be kept while the individual is still working. In general, application forms, CVs, assessment exercises and tests, and interview notes will be kept for no more than two years after employment begins.

Right to Work checks

Three years after the termination of employment.

Contracts

These may include:

  • Written particulars of employment.
  • Contracts of employment or other contracts.
  • Documented changes to terms and conditions.
While employment continues and for seven years after the contract ends. This is to take into account the limitation periods for bringing claims against the Business – Limitation Act 1980.

Payroll and wage records

These may include:

  • Details on overtime.
  • Bonuses.
  • Expenses.
  • Benefits in kind.
These must be retained for at least three years following the end of the tax year to which they pertain. However, due to their possible importance in wage disputes, they will be kept for seven years after employment ends. See Gov.uk: PAYE and payroll for employers; https://www.gov.uk/paye-for-employers/keeping-records; as well as Section 5 of the Limitation Act 1980 and the National Minimum Wage Regulations 1998 (as modified).

Current bank details

Bank details will be deleted as soon after the end of employment as possible once final payments have been made

PAYE records

These must be retained for at least three years following the end of the tax year to which they pertain. However, due to their possible importance in wage disputes, they will be kept for seven years after employment ends.

Payroll and wage records for LLPs

These must be retained for six years after the fiscal year end in which payments were made. However, due to their possible importance in wage disputes, they will be kept for seven years after employment ends.

Records in relation to hours worked and payments made to workers

These must be preserved for three years, beginning on the day the pay reference period immediately following the one to which they relate ends. However, due to their possible importance in pay disputes, they will be kept for seven years after the employment relationship ends (employment Time Regulations 1998 and Limitation Act 1980).

Travel and subsistence.

While employment continues and for seven years after employment ends (Limitation Act 1980).

Record of advances for season tickets and loans to employees

While employment continues and for seven years after employment ends.

Personnel records

These include:

  • Qualifications/references.
  • Consents for the processing of special categories of personal data.
  • Annual leave records.
  • Annual assessment reports.
  • Disciplinary procedures.
  • Grievance procedures.
  • Death benefit nomination and revocation forms.
  • Resignation, termination and retirement.
While employment continues and for seven years after employment ends (Limitation Act 1980).

Records in connection with working time

Working time opt-out

Three years from the date on which they were entered into (Working Time Regulations 1998)

Records in connection with working time

Records to show compliance, including:

  • Time sheets for opted-out workers.
  • Health assessment records for night workers.
Three years after the relevant period (Working Time Regulations 1998)

Maternity records

These include:

  • Maternity payments.
  • Dates of maternity leave.
  • Period without maternity payment.
  • Maternity certificates showing the expected week of confinement.
Four years following the end of the tax year in which the maternity pay period expires (Regulation 26, The Statutory Maternity Pay (General) Regulations 1986, as modified).

Accident records

These are created regarding any reportable accident, death or injury in connection with work.

For at least four years from the date the report was made (to take into account limitation period under Limitation Act 1980 and time for issuing and serving proceedings).