Data Retention & Deletion Policy

Last Updated: 10.06.2026

Purpose: The purpose of this Data Retention Policy is to outline the principles and procedures for retaining, storing, and disposing of data at MULTI-ME Ltd. This policy ensures compliance with legal, regulatory, and contractual requirements, and supports the effective management and protection of information assets..d

Scope: This policy applies to all types of data created, received, or maintained by MULTI-ME Ltd., including electronic and physical formats. It covers all employees, contractors, and third-party service providers who handle data on behalf of the company.

1. Policy Statement

MULTI-ME Ltd. is committed to managing data in a way that meets legal, regulatory, and business requirements while ensuring the protection of personal and sensitive information. Data will be retained for only as long as necessary to fulfil the purposes for which it was collected or as required by law.

2. Data Retention Periods

Data retention periods will vary based on the type of data and applicable legal or regulatory requirements. The following table outlines the general retention periods for various categories of data:

3. Data Storage and Security

  • Storage: Data will be stored securely in accordance with the company’s information security policies and procedures. Both electronic and physical data storage solutions must ensure protection against unauthorized access, alteration, or destruction.

  • Access Control: Access to data will be restricted to authorized personnel only, based on their roles and responsibilities.

  • Encryption: Sensitive data, especially personal data and financial information, must be encrypted both in transit and at rest.

4. Data Disposal

  • Regular Review: Departments must regularly review the data they hold to ensure compliance with the retention periods outlined in this policy.

  • Disposal Methods: Data that is no longer required will be disposed of securely. Electronic data will be permanently deleted or overwritten, and physical data will be shredded or otherwise rendered unreadable.

  • Documentation: The disposal of data must be documented, including the date, method of disposal, and the person responsible for the disposal.

5. Roles and Responsibilities

  • All Employees: Adhere to the data retention periods and procedures outlined in this policy.

  • Department Heads: Ensure that data within their departments is managed in accordance with this policy, including regular review and secure disposal.

  • Information Security Officer (ISO): Oversee the implementation of data retention and disposal practices, ensuring compliance with ISO 27001 and other relevant standards.

  • Human Resources (HR): Manage the retention and disposal of employee records.

  • Legal Department: Ensure that data retention practices comply with legal and regulatory requirements.

  • IT Department: Implement and manage technical controls for data storage, access, and disposal.

6. Policy Review

This Data Retention Policy will be reviewed annually or as needed to ensure it remains relevant and compliant with applicable laws and regulations. Any changes to the policy will be communicated to all employees and relevant stakeholders.

7. Data Controller and Data Processor Responsibilities

Where Multi-Me Ltd. acts as a Data Processor on behalf of customer organisations, retention periods for customer data will be determined primarily by the Data Controller and documented within contractual agreements, Data Processing Agreements (DPAs), or customer instructions.

Multi-Me Ltd. will retain, delete, return or anonymise personal data in accordance with documented instructions from the Data Controller, unless otherwise required by applicable law.