Data Retention Policy

Purpose:

To establish guidelines for retaining, managing, and disposing of data collected, processed, and stored by Pitaka in compliance with applicable Philippine laws and regulations, such as the Data Privacy Act of 2012 and relevant financial regulations.

Scope:

This policy applies to all Pitaka employees, contractors, third-party service providers, and any individuals who handle or store data on behalf of Pitaka. It governs the retention, archiving, and disposal of both digital and physical records.

Policy

1. Data Retention Schedule:

Pitaka will retain data only for as long as it is required to fulfill its operational, legal, and regulatory obligations. The data retention periods are defined based on the classification of the data:

a. Public Data:

Retention Period: Retained indefinitely or until the data is no longer useful for business purposes.

Examples: Marketing materials, product information, press releases.

b. Internal Data:

Retention Period: Retained for up to 5 years, after which it will be reviewed for archival or disposal.

Examples: Internal communications, non-critical business documents.

c. Confidential Data:

Retention Period: Retained for 7 years or as required by law (e.g., financial or regulatory requirements).

Examples: Transaction logs, customer account details, contractual agreements.

d. Restricted Data:

Retention Period: Retained for the minimum period necessary to meet legal and regulatory requirements, typically 7 years, unless otherwise required.

Examples: Personally Identifiable Information (PII), financial data, legal documents.

The retention periods are designed to comply with Philippine laws, such as the Data Privacy Act of 2012, the Anti-Money Laundering Act (AMLA), and financial regulations imposed by the Bangko Sentral ng Pilipinas (BSP). In the event that retention periods differ between regulatory bodies, Pitaka will retain data for the longest period required by any relevant law.

3. Data Archival:

Data that no longer needs to be actively accessed but is still required for regulatory or business purposes will be archived. Archived data must be securely stored and protected, with access limited to authorized personnel only. Archived data must be encrypted and subject to the same data protection protocols as active data.

4. Data Disposal:

Once data has exceeded its retention period and is no longer required for legal, operational, or business purposes, it must be securely disposed of. Disposal of confidential and restricted data must follow secure destruction methods, such as encryption wiping or physical shredding, ensuring that it cannot be reconstructed or recovered by unauthorized parties. A record of data disposal must be maintained to demonstrate compliance with this policy.

5. Exceptions to Data Retention Periods:

Exceptions to the retention schedule may be applied in cases where legal holds or litigation matters require data to be preserved for extended periods. The Data Governance Committee will approve any exceptions and document the rationale for the extended retention.

6. Data Retention for Financial Transactions:

Financial transaction records, including receipts, invoices, and audit logs, must be retained for a minimum of 7 years as per Philippine financial regulations. These records must be accessible for audits and inquiries by regulatory bodies.

7. Data Access and Retrieval:

Archived or retained data must remain accessible to authorized personnel for the duration of its retention period. Access to archived data must be strictly controlled, with detailed records of any data retrieval actions.

8. Data Retention for PII (Personally Identifiable Information):

PII will be retained for the minimum time necessary to meet legal and business requirements. Once the retention period has lapsed, PII will be anonymized or securely disposed of to protect user privacy and comply with the Data Privacy Act of 2012.

9. Audits and Reviews:

Regular audits will be conducted to ensure compliance with this policy and all applicable legal and regulatory requirements. The Data Governance Committee will review data retention practices on an annual basis and adjust retention periods if necessary based on legal or business changes.

10. Data Retention Training:

Employees and contractors responsible for managing and handling Pitaka’s data will receive training on data retention policies, legal requirements, and secure disposal practices. Training will also cover the importance of adhering to retention schedules to ensure regulatory compliance.

11. Policy Enforcement:

Failure to comply with this policy may result in disciplinary action, which could include termination of employment or legal consequences. Violations will be investigated by the Data Governance Committee, and corrective measures will be enforced to prevent future non-compliance.