Governing the retention, storage, and secure disposal of all ExactFlow records
Effective Date: 1 April 2026 | Version 1.0 | Classification: Internal — All Staff
| Field | Value |
|---|---|
| Document Type | Records Retention & Documentation Policy |
| Owner | Data Protection Officer (DPO) in coordination with Legal, Finance, and Compliance |
| Contact | privacy@exactflow.com |
| Applies To | All ExactFlow staff, contractors, and systems holding ExactFlow records in any format |
| Review Cycle | Annual — or following a change in applicable law or business structure |
| Legal Frameworks | GDPR Art. 5(1)(e); Polish Accounting Act (Art. 74); Polish AML Act (Art. 49); Polish VAT Act; Polish Tax Ordinance (Art. 70); Polish Labour Code; Polish Social Insurance Act; Polish Civil Code; EU AML Directives |
Records must not be kept longer than the maximum period — overly long retention violates GDPR's storage limitation principle. Records must not be deleted before the minimum period — early deletion may destroy evidence required for legal, regulatory, or audit purposes. When in doubt, consult the DPO before deleting.
Personal data must not be kept in identifiable form longer than necessary for the processing purpose. ExactFlow's retention periods balance: the minimum time required for the business purpose; legal and regulatory minimum requirements; and the maximum time permitted under GDPR storage limitation.
Where a legal hold is issued (by ExactFlow's legal team or in response to regulatory investigation, court order, or litigation threat), all records subject to the hold are exempted from routine deletion until the hold is lifted. Legal holds are issued by ExactFlow legal counsel and registered in the Legal Hold Register maintained by the DPO.
- Personal data: cryptographic erasure or secure overwriting per NIST 800-88; physical media — shredding by a certified data destruction company, with the destruction certificate retained
- Confidential business records: secure deletion from all systems and backups; physical documents shredded
- Standard records: standard deletion; paper recycling

All disposal actions are logged in the Records Disposal Log maintained by the DPO. Backups are purged of deleted records within 30 days of deletion.
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| Customer Accounts | Account registration; identity verification; contact details; Account Administrator records | Duration of Account | Account + 3 years | GDPR Art. 6(1)(f) — legitimate interests (customer service, legal claims) | Secure deletion; anonymise residual analytics |
| Order and Transaction | Order confirmations; transaction IDs; product details; quantities; prices; order status history | 7 years | 7 years | GDPR Art. 6(1)(c) — Polish Accounting Act Art. 74; VAT Act | Secure deletion after 7 years |
| Payment Records | Transaction references; last 4 digits; payment method; billing address; tokenized references | 5 years | 7 years | GDPR Art. 6(1)(c) — AML Act (5 years); VAT Act (5 years); Accounting Act (7 years) — apply longest | Secure deletion; token revocation |
| Invoices and VAT Records | Sales and purchase invoices; VAT calculations; VAT returns; Intrastat declarations | 5 years | 7 years | GDPR Art. 6(1)(c) — Polish VAT Act; Polish Accounting Act Art. 74 | Secure deletion |
| Consumer Withdrawal | Withdrawal requests; refund confirmations; return shipping; refund payment records | 3 years | 3 years | GDPR Art. 6(1)(b)/(c) — consumer rights claims period; Directive 2011/83/EU | Secure deletion |
| Product Safety and Recall | Safety incident reports; recall records; affected customer lists; notifications sent | 10 years | Indefinite where proceedings pending | GDPR Art. 6(1)(c) — Product Liability Directive; GPSR (EU) 2023/988 | Secure deletion after 10 years unless legal hold |
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| CDD / KYB Documentation | Identity documents; company registration; beneficial ownership; PEP screening; verification decisions | 5 years from end of relationship | 5 years; 6 years where SAR filed | Polish AML Act Art. 49; EU 4AMLD Art. 40 | Secure deletion with destruction certificate |
| AML Transaction Records | Transactions subject to AML monitoring; structuring alerts; manual review decisions | 5 years from transaction | 5 years from transaction | Polish AML Act Art. 49 | Secure deletion |
| Suspicious Activity Reports | SAR filings; supporting analysis; decisions not to file with reasons | 5 years from filing | Indefinite pending investigation closure | Polish AML Act Art. 49; criminal procedure law | Secure deletion after legal hold lifted |
| Sanctions Screening | Screening results; match decisions; false positive analysis; confirmed matches and actions | 5 years | 5 years | Polish AML Act; EU Sanctions Regulations | Secure deletion |
| AML Training Records | Training completion; content versions; assessment results | Employment + 5 years | Employment + 5 years | Polish AML Act Art. 52 — training obligation evidence | Secure deletion |
| AML Risk Assessment | Enterprise-wide ML/TF Risk Assessment documents | Current + 5 previous versions | Current + 5 previous versions | Polish AML Act Art. 27; FATF Recommendations | Previous versions deleted after superseded by 5 newer versions |
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| Recruitment — Unsuccessful | CVs; interview notes; assessment results — rejected candidates | 6 months from rejection | 2 years with candidate consent | GDPR Art. 6(1)(b)/(a) — pre-contractual; consent | Secure deletion; notify candidate before talent pool deletion |
| Employee Personnel Files | Employment contract; personal details; role; salary; performance; disciplinary records | Employment + 5 years | Employment + 10 years | GDPR Art. 6(1)(b)/(c) — Contract; Polish Labour Code; social insurance | Secure deletion after maximum period |
| Payroll and Social Insurance | Payroll records; ZUS contributions; PIT-11 statements | 5 years after end of year | 50 years from employment start (post-January 2019 contracts — ZUS obligation) | GDPR Art. 6(1)(c) — Labour Code; Social Insurance Act of 17 December 1998 on Pensions | Secure deletion; note ZUS 50-year obligation |
| Security Training Records | Mandatory training completion; AML training; data protection; phishing simulation results | Employment + 3 years | Employment + 5 years | GDPR Art. 6(1)(c) — AML Act training; GDPR accountability | Secure deletion |
| Background Check Results | Pre-employment background check results | Duration of employment | Employment + 1 year | GDPR Art. 6(1)(b)/(c) — employment law; security obligation | Secure deletion immediately after maximum period |
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| Contracts and Agreements | Seller Agreements; Client Subscriptions; DPAs; NDAs; Supplier Contracts; employment contracts | Duration + 10 years | Duration + 10 years | GDPR Art. 6(1)(f); Polish Civil Code limitation period (10 years B2B; 3 years consumer claims) | Secure deletion; paper originals shredded |
| Regulatory Correspondence | Letters from UODO, GIIF, KNF, UOKiK, courts; ExactFlow responses; regulatory decisions | 5 years from resolution | 10 years from resolution | GDPR Art. 6(1)(f) — legitimate interests; administrative procedure law | Secure deletion |
| Legal Proceedings | Court filings; legal opinions; settlement agreements; judgment records | Duration + 10 years | Duration + 10 years | Polish Civil Code limitation periods; GDPR Art. 6(1)(f) | Secure deletion after limitation period |
| Data Subject Rights Requests | All SARs; rectification, erasure, restriction, portability, objection requests; responses; verification records | 3 years from closure | 5 years from closure | GDPR Art. 6(1)(c) — accountability; Art. 5(2) | Secure deletion |
| Data Protection Impact Assessments | DPIAs; pre-consultation UODO correspondence; DPIA review updates | 3 years from last update | Indefinite while processing continues | GDPR Art. 35 — accountability | Archived; review upon processing change |
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| Security Audit Logs | Access logs; authentication logs; privileged access logs; API logs | 12 months online | 5 years archived | GDPR Art. 32; ISO 27001 A.12; PCI-DSS | Secure deletion / overwrite after 5 years |
| Security Incident Records | Incident reports; forensic evidence; root cause analyses; remediation records | 5 years from closure | 10 years for critical incidents | GDPR Art. 33(5); legitimate interests (legal claims) | Secure deletion after maximum period |
| Breach Register | All personal data breach records regardless of notifiability | 5 years | 5 years | GDPR Art. 33(5) — mandatory record-keeping | Secure deletion after 5 years |
| UODO Notifications | Submitted UODO breach notifications; UODO acknowledgements; correspondence | 5 years | 5 years | GDPR Art. 33(5); accountability | Secure deletion |
| Penetration Test Reports | Annual pentest reports; vulnerability scan reports; remediation tracking | 3 years | 5 years | ISO 27001; PCI-DSS; NIS2 — security programme evidence | Secure deletion; access restricted to CISO and DPO |
| Backup Records | Backup completion logs; restoration test records; encryption key management | 2 years | 5 years | ISO 27001 A.12; GDPR Art. 32 — BCP evidence | Overwrite/delete after maximum period |
| Record Category | Specific Records | Min Retention | Max Retention | Legal Basis | Disposal |
|---|---|---|---|---|---|
| Annual Financial Statements | Audited financial statements; management accounts; directors' reports | 5 years from approval | Permanent | Polish Accounting Act Art. 74(1) | Archive permanently |
| Accounting Records | General ledger; journal entries; trial balances | 5 years from year end | 5 years from year end | Polish Accounting Act Art. 74(2) | Secure deletion after 5 years |
| Board and Shareholder Minutes | Board meeting minutes; shareholder resolutions; statutory books | Permanent | Permanent | Polish Company Law (KSH) | Permanent archive |
| Corporate Registration | KRS registration; articles of association; share register; notarial deeds | Permanent | Permanent | Polish Company Law (KSH) | Permanent archive |
| Tax Returns and Correspondence | CIT; VAT; PIT returns; tax authority correspondence; tax audit records | 5 years from year end | 10 years from year end | Polish Tax Ordinance Art. 70 — 5-year tax reassessment limitation; 10-year maximum for tax fraud | Secure deletion after 10 years |
| Insurance Policies | Current and expired policies; claims records; certificates | Policy duration + 3 years | Policy duration + 10 years | Legitimate interests — insurance claims limitation | Secure deletion after maximum period |
All records must be stored in ExactFlow's authorised document management systems. Storage in personal email, personal cloud storage, or unauthorised applications is prohibited. Access is granted on a need-to-know basis under the RBAC framework in the Access Control Policy.
| Role | Responsibility |
|---|---|
| DPO | Own and maintain Retention Schedule; operate Retention Calendar and Records Disposal Log; approve all disposals; manage legal holds; annual policy review; staff training on retention obligations |
| CISO / IT Security | Technical controls for retention and deletion; backup and recovery; secure hardware disposal; access controls on records systems |
| Legal Counsel | Issue and lift legal holds; advise on limitation periods; review retention periods for legal accuracy annually |
| Finance Director | Ensure accounting, tax, and financial records comply with Polish Accounting Act and Tax Ordinance |
| AML Compliance Officer | Ensure AML and KYC records comply with Polish AML Act; manage SAR-related records and extended retention |
| HR Director | Ensure employment and payroll records comply with Polish Labour Code and Social Insurance Act — including ZUS 50-year obligation for post-2019 contracts |
| All Staff | Store records only in authorised systems; do not delete without DPO approval; report accidental deletion immediately to privacy@exactflow.com |
This Records Retention & Documentation Policy complies with: GDPR Art. 5(1)(e) Storage Limitation and Art. 5(2) Accountability; Polish Accounting Act Art. 74; Polish VAT Act; Polish Tax Ordinance Art. 70; Polish AML Act Art. 49; Polish Labour Code; Polish Social Insurance Act (ZUS 50-year obligation for post-2019 employment); Polish Civil Code limitation periods; EU AML Directives; PCI-DSS v4.0; and ISO/IEC 27001:2022 A.18. Annual legal review is mandatory given the complexity of multi-law retention requirements.
— END OF RECORDS RETENTION & DOCUMENTATION POLICY — EXACTFLOW P.S.A. —