Data Retention Policy

1. PURPOSE

The purpose of this Policy is to describe data storage and deletion processes and to set the retention periods for specified types of personal data, in order to ensure a coherent implementation of data protection measures and the recording of the actions taken. Unless otherwise stated, this Policy refers to all data in electronic and hard-copy form used within Uniline, regardless of the method of collection and storage.

2. RETENTION AND DESTRUCTION OF DATA

Documents should be retained as long as they are necessary to meet Uniline’s business obligations while meeting legal and regulatory requirements. Uniline will define the time period for which the personal data should be retained by: • determining the value of data for Uniline, the services it offers, its business relationships and environment. • assessing the relevance of data as evidence of business activities and/or decisions. • establishing whether there are statutory or regulatory requirements for storage.

2.1. Minimum data retention period

The minimum retention period is a key element of data protection and it should be reviewed at least once a year. The exact list of the types of data and the retention periods is kept by the data protection officer. There are two main decisions to be taken with regard to deletion or retention of records and documents: • delete after expiration of the stipulated/defined period - where the document lifecycle is easily determinable in advance (e.g. to be destroyed after 3 years, to be destroyed 11 years after the termination of the contract). • permanent storage option - where specific groups of documents are defined as worthy of permanent storage.

2.2. Destruction

Non-sensitive data (e.g. flyers and other similar publicly available materials) can simply be thrown in the garbage, while data in hard-copy form must be destroyed (e.g. with a paper shredder, by cutting or shredding it) in such a way to make subsequent reading of data impossible. Electronic equipment and media (e.g. CD/DVD/USB/hard disk) that contain confidential information must be physically destroyed or multiply deleted by software in order not to allow subsequent inspection of data. Data contained in databases must be deleted or in certain cases anonymised in order not to allow identification of the individuals to whom it relates.

2.3. Data sharing

During the performance of business activities, data duplication may occur in such a way that the same data are stored in several different locations (e.g. on paper and electronically, sent by email/mail to other business entities). All duplicate data need to be identified and copies must be regularly deleted. At latest until the expiration of the prescribed storage period both all copies and the original data version must be deleted. In cases where data are exchanged with other business entities, appropriate recording procedures must be in place to ensure data management in accordance with relevant statutory and regulatory requirements.

2.4. Document archival

Documents are archived by Uniline’s employees in designated cabinets or rooms. The archives room must be key-locked in order to prevent access to unauthorised persons. Uniline archives documents that are no longer needed as well as ongoing documents.

2.5. Audit trail

Deletion of the files listed in the data retention schedule does not have to be recorded. Files that are deleted prematurely or are kept longer than indicated must be recorded for audit purposes.