By KTA Management

Data Retention Policy

1. Introduction

The purpose of this Data Retention Policy is to establish guidelines for the lawful and secure management of data within Kan Tor and Acco, a law firm, while ensuring compliance with the General Data Protection Regulation (GDPR).

2. Policy Scope

This policy applies to all employees, contractors, and third parties who have access to and control over data stored within the firm’s Zoho CRM and Office 365 environment.

3. Data Classification

All data should be classified based on its sensitivity and legal requirements. Categories may include: confidential client data, financial data, HR records, and general business data.

4. Data Retention Schedule

The firm will establish a data retention schedule specifying the retention periods for different data categories. This schedule will be based on legal, regulatory, and business requirements.

5. Data Retention Principles

  • Data will be retained for no longer than necessary for the purposes for which it was collected.
  • Data will be deleted or anonymized once the retention period expires.
  • Data owners and responsible individuals will review and validate data retention periodically.

6. Legal Obligations

  • The firm will comply with GDPR, as well as any other applicable data protection laws and regulations.
  • The firm will retain data necessary for legal and regulatory compliance.

7. Data Handling

  • Data will be stored securely within Office 365 services and Zoho CRM.
  • Access to data will be controlled through appropriate permissions and authentication mechanisms.
  • Data will be encrypted both in transit and at rest.

8. Data Retention Procedures

  • The IT department will implement automated data retention and deletion policies within Office 365 and Zoho CRM.
  • The data retention schedule will be reviewed and updated as necessary to align with changing legal requirements.

9. Data Subject Rights

  • The firm will respect data subjects’ rights, including the right to access, rectify, and erase their data.
  • Data subjects may exercise their rights by contacting the Data Protection Officer (DPO) or another designated contact.

10. Training and Awareness

  • All employees will receive training on this policy and data protection best practices.
  • Employees will be informed of their roles and responsibilities in data retention and compliance.

11. Monitoring and Auditing

A dedicated Microsoft Partner will regularly monitor and audit data retention and deletion procedures to ensure compliance with the policy.

12. Reporting and Incident Response

Any data breaches or incidents related to data retention will be reported to the DPO and appropriate authorities as required by GDPR.

13. Review and Updates

This policy will be reviewed and updated periodically to ensure its effectiveness and alignment with changing legal requirements.

14. Implementation

This policy will be communicated to all employees and relevant stakeholders and will be considered effective upon the date of publication.

15. Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.

16. Contact Information

For questions, concerns, or requests related to data retention, contact the Data Protection Officer (DPO), Partner Amit Acco