Data Retention Policy

OTG-DP-POL-206

Date: FEB 2025

1. Purpose

Ocean Technologies Group (“OTG”) collects, stores and processes information related to its business operations, employees, and customers.  OTG is required to maintain such information in a secure way and enforce controls on its retention and disposal activities.  This Policy identifies the appropriate retention and disposal requirements for certain types of data for OTG to comply with applicable Data Protection Laws.

 

2. Scope

This Policy applies to OTG and to its directors, officers, employees, and non-employee workers.  This Policy also applies to third parties who adopt this policy by contract or upon the request of OTG (including contractors).

This Policy applies to all information created, received, held, and processed by OTG in the conduct of its business, regardless of whether OTG collects such information itself or whether it is received from a third party (including another OTG group company), and regardless of whether such information is hosted within OTG or on a third-party infrastructure, platform, or service on OTG’s behalf.

This Policy should be read in conjunction with and as a complement to other policies and procedures established by OTG, including the Global Privacy Policy.

 

3. Definitions

“Data Protection Laws” means the General Data Protection Regulation (“GDPR”), and any other applicable laws, regulations, regulatory requirements, and codes of practice relating to the protection of individuals with regard to the processing and free movement of personal data in any relevant country.
“Information” refers to any document, data (including personal data), content, information, or object, regardless of media or format (including both physical and electronic records).
“Personal data” refers to any information relating to an individual that identifies the individual or could reasonably be used to identify the individual regardless of the medium involved (e.g. paper, electronic, video, audio). Examples of personal data include contact details, financial data, passwords, IP addresses, pictures, online search history, geolocation information.

 

“Customer Data” refers to any data that is owned by the customer and that OTG processes on the customer’s behalf.

 

4. General Principles

OTG, as a rule, will need to:

  • classify the documents/records it holds and decide whether (and how long) to retain them by reference to the purpose or purposes for which it holds the data.
  • keep in mind that personal data should be deleted or anonymized when it is no longer needed for the purpose or purposes for which it was collected or held.
  • securely delete or anonymize records/documents when they reach the end of their prescribed retention period.
  • regularly review the personal data it holds, and the length of time it retains such personal data for.
  • regularly review and, if necessary, update documents containing personal data to ensure they stay up to date.
  • archive documents which no longer need to be accessed regularly but are of long-term relevance to the business.

Information should be retained and securely disposed of according to legal, regulatory, contractual, and business requirements.

Many legal and regulatory requirements will dictate how long OTG should keep information.  For example, some business documents, such as accounting and HR documents (e.g. PAYE records), must be kept for a minimum period under legislation and some must be kept for a minimum period in case of future legislation.

 

5. Retention of Personal Data

Personal data should not be retained for a longer period than is necessary in relation to the purposes for which it was collected or for which it is further processed.  What period is ‘necessary’ will differ depending on the information concerned and the purposes for which that information was collected and is used.  If the personal data is altered so that it no longer permits identification of the individual, even in combination with other information whether within OTG or outside of it (e.g. because it is anonymized), then it may be retained indefinitely.

Note, however, that: (i) pseudonymized data is still considered personal data and shall be processed in accordance with applicable Data Protection Laws; and (ii) true anonymization can be difficult to achieve in practice and so in many cases it will likely be simpler to delete personal data that is no longer needed.

 

6. Disposal of Personal Data

If a document is no longer needed for business purposes or to comply with legal requirements, it should normally be destroyed or anonymized.  Destruction of documents refers to the irreversible deletion of digital documents and the physical destruction of paper and other non-digital documents.

Electronic data should be permanently deleted so that it is not possible to retrieve the relevant data.  Hard copy documents containing personal data should be disposed of using confidential waste bins or shredders and should not be thrown away with regular rubbish.

Requirements

  • Data storage and retention periods for information held in IT systems or as physical records are defined by legal, regulatory, contractual, and business requirements.
  • The retention schedules attached in Appendix 1 set out the periods of time per category of document (e.g. tax and accounting records, payroll documents) for which OTG’s business information is to be retained.
  • Information should be held in accordance with the Information Security Policies. The IT function should develop the necessary procedures, processes, and guidelines to define the required data protection controls including any related physical records.
  • Physical records should be stored in a manner that provides protection and security to a degree proportional to their importance and sensitivity. Physical records that are deemed vital to OTG should be stored in a fireproof safe or vault.
  • If records are stored offsite at a third-party provider’s facility, OTG should ensure that it uses a professional records management company and facility with appropriate security, fire safety and environmental controls.
  • A register of physical information assets transferred to and stored in offsite storage facilities must be maintained.
  • Information held by OTG shall be reviewed periodically to ensure that it does not exceed the specified retention period and is securely disposed of accordingly.
  • Any personal data is subject to the Global Privacy Policy and it is important that such data is securely disposed of once it is no longer required to fulfil the purpose for which it was collected, and it is not required to comply with any legal obligation.
  • Where possible, an automated process shall be developed to remove the stored data in IT systems that exceeds business, regulatory and legal retention requirements on a regular basis.
  • For manual destruction, the approval of the information owner must be obtained prior to removing the data and confirmation shall be sent to the information owner after such data removal.
  • If a claim, litigation, government or regulatory investigation, internal investigation, audit, subpoena or any other legal action or request is anticipated, threatened, or commenced, the destruction of all relevant information, which may otherwise be destroyed in accordance with this policy, must cease immediately.
  • All data to be archived shall be backed up on at least two separate media which must be stored in appropriate physical and environmental conditions suitable to long-term archival storage.

 

7. Retention of Customer Data

Customer data should not be retained for longer than the period that has been contractually agreed with the customer. The retention period is contractually agreed at the duration given in the table below for the different data types. In some cases customers may change the retention period, and if this is the case those retention periods should be adhered to. However, some customer data types must be retained for a specific period for legal reasons, and the mandatory retention periods for this data take precedence over anything that the customer has requested.

 

8. Disposal / Return of Customer Data

Customer data should be permanently deleted so that it is not possible to retrieve the relevant data.  Where it is not feasible to extract customer data from backup or archive copies, for example, this can be retained and deleted according to this policy.

 

9. Escalation

  • The Head of Compliance is responsible for resolving questions about the appropriate interpretation of this Policy considering legal and regulatory requirements, with input from external Legal when required, and is also responsible for resolving any escalated questions about interpreting this Policy.

If you require detailed information about a specific geographical location, please refer to the full Data Retention Policy document here.