VALLEYDAO DATA RETENTION POLICY

1. ABOUT THIS POLICY

1. The information, records and data of ValleyDAO, a Swiss Association (Verein) having its address at Chamerstrasse 172, 6300 Zug, Switzerland (“ValleyDAO/we/us/our”) is important to how we conduct our mission and manage staff. 
2. There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
3. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal. 
4. Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business. 
5. This policy applies to all ValleyDAO group entities. This policy does not form part of any staff members service agreement and we may amend it at any time.

1.   SCOPE OF POLICY

1. This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as "data".
2. This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by staff on personal devices.
3. This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data and non-personal data. It also gives guidance on how we classify our data.

1. GUIDING PRINCIPLES

1. Through this policy, and our data retention practices, we aim to meet the following commitments:

• We comply with legal and regulatory requirements to retain data.
• We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
• We handle, store and dispose of data responsibly and securely.
• We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason.
• We allocate appropriate resources, roles and responsibilities to data retention.
• We regularly remind staff of their data retention responsibilities.
• We regularly monitor and audit compliance with this policy and update this policy when required.

4. ROLES AND RESPONSIBILITIES

1. Responsibility of all staff. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All staff must comply with this policy, any communications suspending data disposal and any specific instructions from management. Failure to do so may subject us, our staff, and contractors to serious civil and/or criminal liability. Staff’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
2. Data Protection Representative. Our Data Protection Representative (DPR) is responsible for advising on and monitoring our compliance with data protection laws which regulate personal data.  Our Data Protection Representative can be contacted at: people@valleydao.bio. 

4. TYPES OF DATA AND DATA CLASSIFICATIONS

1. Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data. 
2. Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:

• Duplicates of originals that have not been annotated.
• Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
• Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of ValleyDAO and retained primarily for reference purposes.
• Spam and junk mail.

Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.

3. Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
4. Confidential information belonging to others. Any confidential information that a staff member may have obtained from a source outside of ValleyDAO, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the internet. 
5. Data classifications. Some of our data is more confidential than other data. Our Asset Classification and Control Policy explains how we classify data and how each type of data should be marked and protected. When complying with this policy, it is also important that you follow our Information Security Policy and Data Privacy Policy

6. RETENTION PERIODS

1. Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy (“Record Retention Schedule”), must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact the Data Protection Representative.
2. Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of. 
3. Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data. More information can be found in in our Data Privacy Policy.
4. What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the Data Protection Representative.

6. STORAGE, BACK-UP AND DISPOSAL OF DATA

1. Storage. Our data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up and maintained off site. Where we use third party cloud service providers to host our data, we are reliant on them to back up and recover such data in accordance with their standard policies and procedures. 
2. Destruction. Our Data Protection Representative is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and staff-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with the IT Department.
3. The destruction of data must stop immediately upon notification from the Data Protection Representative or CEO that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once the Data Protection Representative or CEO lifts the requirement for preservation.

6. SPECIAL CIRCUMSTANCES

1. Preservation of documents for contemplated litigation and other special situations. We require all staff to comply fully with our Record Retention Schedule and procedures as provided in this policy. All staff should note the following general exception to any stated destruction schedule: If you believe, or the Data Protection Representative or CEO informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until the Data Protection Representative or CEO determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.   
2. If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Data Protection Representative
3. In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

6. WHERE TO GO FOR ADVICE AND QUESTIONS

1. Questions about the policy. Any questions about this policy should be referred to our Data Protection Representative,  who is in charge of administering, enforcing, and updating this policy.

6. BREACH REPORTING AND AUDIT

1. Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depend largely on staff. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the Data Protection Representative. If staff do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
2. No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
3. Audits. Our Data Protection Representative will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

6. OTHER RELEVANT POLICIES

1. This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our Privacy Policy, Cookie Policy and Data Protection Policy. 

1. RECORD RETENTION SCHEDULE

ValleyDAO establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs. 

Staff should comply with the retention periods listed in the record retention schedule below, in accordance with the Data Retention Policy above. 

If you hold data not listed below, please refer to the Data Retention Policy above regarding disposable records. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact our Data Protection Representative. 

Personnel Records

• Type of Data:

• Employment/contractor applications, assessment results, interview records, and pre-employment qualification checks of unsuccessful candidates (electronic and paper)

• Retention Period:

• 6 months from notification that application is unsuccessful unless agreement to hold details on file.

• Owner:

• Human Resources

Employee/contractor contracts

• Type of Data:

• (electronic and paper)

• Retention Period:

• While employment/worker contract continues and up to 6 years after termination

• Owner:

• Human Resources

• Reason / Comments:

• Statute of limitation claims can usually be brought up to 6 years after termination of contract.

Personnel and training records

• Type of Data:

• (including pre-employment verification details such as qualifications checks, references as well as appraisals, disciplinary procedures, grievances, death benefit nomination and revocation forms, resignation, termination, and retirement records) (electronic and paper)

• Retention Period:

• While employment/worker contract continues and up to 6 years after termination

• Owner:

• Human Resources

• Reason / Comments:

• Statute of limitation claims can usually be brought up to 6 years after termination of contract.

Working time opt-out forms

• Type of Data:

• (electronic and paper)

• Retention Period:

• While employment/worker contract continues and up to 2 years after termination

• Owner:

• Human Resources

Working Time Records

• Type of Data:

• (electronic and paper)

• Retention Period:

• 2 years after the relevant period

• Owner:

• Human Resources

Records re hours worked and payments made

• Retention Period:

• 3 years from pay reference period following the one that the records cover

• Owner:

• Human Resources

Records required to show compliance with working time regulations

• Retention Period:

• 2 years after the relevant period

• Owner:

• Human Resources

Working time opt-outs

• Retention Period:

• 2 years from the date entered into

• Owner:

• Human Resources

Payroll and wage records

• Retention Period:

• 6 years from financial year end in which payments were made

• Owner:

• Finance/Payroll

• Reason / Comments:

• International standards

PAYE Records

• Retention Period:

• Not less than 8 years after the end of the tax year to which they relate (consider 6 years)

• Owner:

• Finance/Payroll

Maternity Pay Records

• Retention Period:

• 6 years after the end of the tax year in which the maternity pay period ends

• Owner:

• Finance/Payroll

Season ticket and other staff loans

• Retention Period:

• 6 years after payment of benefit

• Owner:

• Finance /Payroll

Death in service benefit nomination and revocation forms

• Retention Period:

• 6 years after payment of benefit

• Owner:

• Human Resources

Collective bargaining agreements

• Retention Period:

• Permanently

• Owner:

• Human Resources

Consents for processing of personal data

• Retention Period:

• For as long as data processing lasts and 6 years afterward

• Owner:

• Human Resources

Disclosure and Barring Service (DBS), formerly Criminal Records Bureau (CRB), checks and disclosures of criminal records forms

• Retention Period:

• Delete following the recruitment process unless assessed as relevant to ongoing employment. Delete once conviction is spent.

• Owner:

• Human Resources

Immigration Checks

• Retention Period:

• 2 years after termination of employment/worker contract

• Owner:

• Human Resources

Fingerprint data for secure access controls

• Retention Period:

• Delete when personnel no longer need secure access using this technology

• Owner:

• IT Security

IT system logs showing access by personnel

• Retention Period:

• 2 years after termination of employment/worker contract

• Owner:

• IT Security

Financial data

• Retention Period:

• 6 years after the end of the tax year in which the data used for any payment calculation.

• Owner:

• Finance/Payroll

CCTV footage

• Retention Period:

• 90 days from footage being captured, or longer if required in relation to the prevention or detection of crime or a legal claim.

• Owner:

• IT Security

‍

Health and Safety

• Type of Data:

• Reportable accidents, death, or injury in connection with work

• Retention Period:

• 3 years from the date the report was made

• Owner:

• Human Resources

‍

• Type of Data:

• Accident Book

• Retention Period:

• 3 years from the last date of entry

• Owner:

• Human Resources

‍

• Type of Data:

• Risk assessment reports

• Retention Period:

• 6 years

• Owner:

• Human Resources

‍

• Type of Data:

• Health and safety correspondence and training records

• Retention Period:

• 6 years after the termination of employment/worker

• Owner:

• Human Resources

‍

• Type of Data:

• Fire Safety Certificates

• Retention Period:

• Permanent

• Owner:

• Human Resources

Corporate Records

• Type of Data:

• Articles of Incorporation, Bylaws, Corporate Seal

• Retention Period:

• Permanent

• Owner:

• Finance

‍

• Type of Data:

• Annual corporate filings and reports to government departments or regulators

• Retention Period:

• Permanent

• Owner:

• Finance

‍

• Type of Data:

• Board policies, resolutions, meeting minutes, and committee meeting minutes

• Retention Period:

• Permanent

• Owner:

• Finance

‍

• Type of Data:

• Contracts

• Retention Period:

• 7 years from expiration or termination

• Owner:

• Finance

‍

• Type of Data:

• Emails (business-related)

• Retention Period:

• Permanent

• Owner:

• Finance

‍

• Type of Data:

• Fixed Asset Records

• Retention Period:

• Permanent

• Owner:

• Finance

‍

• Type of Data:

• IT backups

• Retention Period:

• 3 years from the last usage of the data, or in accordance with our third-party service provider’s own backup policy

• Owner:

• IT Security

‍

• Type of Data:

• Audits

• Retention Period:

• 6 years

• Owner:

• Finance

Accounting and Finance

• Type of Data:

• Financial information

• Retention Period:

• 7 years from the end of the financial year

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Annual plans and budgets

• Retention Period:

• 3 Years

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Tax Records

• Retention Period:

• Filings of fees paid to professionals

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Employee/contractor pay histories

• Retention Period:

• 6 years

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Tax returns

• Retention Period:

• 6 years

• Owner:

• Finance/Corporate Governance

Legal and Insurance Records

• Type of Data:

• Copyright registrations

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Insurance claims/ applications

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Insurance disbursements and denials

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Insurance contracts and policies (Directors and Officers, General Liability, Property, Employers Liability, and Workers Compensation)

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Leases

• Retention Period:

• 6 years after expiration

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Patents, patent applications, supporting documents

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Real estate documents (including loan and mortgage contracts, deeds)

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Trademark registrations, evidence of use documents

• Retention Period:

• Permanent

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Legal Correspondence

• Retention Period:

• 7 years

• Owner:

• Finance/Corporate Governance

Data Protection

• Type of Data:

• Data protection notices and policies

• Retention Period:

• 6 years after the document is superseded or the end of the life of the organization

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Data subject requests

• Retention Period:

• 6 years from the request being closed

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Documents provided as a result of a subject access request

• Retention Period:

• 6 years from the request being closed

• Owner:

• Finance/Corporate Governance

‍

• Type of Data:

• Data breach records

• Retention Period:

• 6 years from the case being closed

• Owner:

• Finance/Corporate Governance

‍

Customer/Prospective Customer Records

• Type of Data:

• Contact information of customers

• Retention Period:

• Duration of contract + 6 months or longer if there is an ongoing dispute with the customer.

• Owner:

• Sales and marketing

• Reason / Comments:

• Data to be retained after termination of the customer’s contract on the basis that there may be issues that need to be resolved post-termination, such as recovering fees, dealing with complaints, etc. Data may be retained for longer if there is an ongoing dispute with the customer.

‍

• Type of Data:

• Contact information of prospective customers

• Retention Period:

• 3 years

• Owner:

• Sales and marketing

• Reason / Comments:

• 3 years is a reasonable sales cycle timeframe for ValleyDAO.

‍

• Type of Data:

• Website usage/analysis data

• Retention Period:

• 2 years or the period specified by the relevant third-party cookie provider.

• Owner:

• Sales and marketing

• Reason / Comments:

• For third-party cookies, data is retained in accordance with the cookie provider’s own data retention policy.

‍

• Type of Data:

• Profile data on customers (including preferences, interests, feedback, and survey responses)

• Retention Period:

• 2 years or, if sooner, the end of the customer’s contract

• Owner:

• Sales and marketing

‍

• Type of Data:

• Profile data on prospective customers (including preferences, interests, feedback, and survey responses)

• Retention Period:

• 3 years from data being collected for marketing purposes (unless the individual consents to longer)

• Owner:

• Sales and marketing

• Reason / Comments:

• 3 years is a reasonable sales cycle timeframe for ValleyDAO.

‍

• Type of Data:

• Marketing preferences

• Retention Period:

• Delete when someone has opted out of marketing communications

• Owner:

• Sales and marketing

• Reason / Comments:

• Marketing preferences need to be stored indefinitely to ensure that ValleyDAO does not contact individuals who have asked to unsubscribe from marketing communications.

‍

• Type of Data:

• Consents to marketing (where consent is used as lawful basis for processing for this purpose)

• Retention Period:

• 6 years after consent expires

• Owner:

• Sales and marketing

‍

• Type of Data:

• Marketing suppression lists

• Retention Period:

• Indefinitely

• Owner:

• Sales and marketing

• Reason / Comments:

• To ensure legal compliance and to not break any laws in regards to contacting people who have opted out of communications. These can be updated by individuals at any time.

Transaction Data (Customers)

• Type of Data:

• Transaction data (showing purchases made by customers)

• Retention Period:

• Duration of contract + 6 years

• Owner:

• Sales and marketing

• Reason / Comments:

• Necessary in case there is a legal claim relating to a transaction.

Third Party Supplier Records

• Type of Data:

• Business contact information of suppliers

• Retention Period:

• Duration of contract + 6 months or longer if there is an ongoing dispute with the supplier.

• Owner:

• Sales and marketing

• Reason / Comments:

• Data to be retained after termination of the supplier’s contract on the basis that there may be issues that need to be resolved post-termination, such as paying fees, resolving complaints, etc. Data may be retained for longer if there is an ongoing dispute with the supplier.

‍

• Type of Data:

• Transaction data (showing purchases made from suppliers)

• Retention Period:

• Duration of contract + 6 years

• Owner:

• Sales and marketing

• Reason / Comments:

• Necessary in case there is a legal claim relating to a transaction.

Supplier Contracts

• Type of Data:

• Supplier contracts

• Retention Period:

• Duration of contract + 6 years

• Owner:

• Sales and marketing

• Reason / Comments:

• Necessary in case there is a legal claim relating to a supplier’s contract.

Financial Data

• Type of Data:

• Financial data (bank account details, payment card details)

• Retention Period:

• Delete as soon as possible after expiration/termination of the contract when final payments have been made

• Owner:

• Finance

‍