ComplianceRAG / sample_document.txt
Faraz618's picture
Create sample_document.txt
d3ce377 verified
Raw
History Blame Contribute Delete
3.03 kB
DATA RETENTION AND PRIVACY POLICY
Acme Financial Services — Internal Compliance Document
Effective Date: January 1, 2026
SECTION 1: PURPOSE AND SCOPE
This policy governs how Acme Financial Services collects, retains, and disposes of customer data. It applies to all employees, contractors, and third-party vendors who process customer information on behalf of the company. This policy was last reviewed by the Compliance Committee on December 15, 2025.
SECTION 2: DATA RETENTION PERIODS
Customer transaction records must be retained for a minimum of seven (7) years from the date of the transaction, in accordance with financial regulatory requirements. Know Your Customer (KYC) documentation must be retained for five (5) years after the customer relationship ends. Marketing communication consent records must be retained for three (3) years after consent is withdrawn or the customer relationship ends, whichever comes first.
SECTION 3: DATA DELETION PROCEDURES
Upon expiry of the applicable retention period, data must be securely deleted within thirty (30) days. Deletion requests from customers under applicable privacy law must be processed within forty-five (45) days of verified request, except where retention is legally mandated for regulatory or audit purposes. All deletions must be logged in the Data Governance Register, including the date, the data category, and the employee who authorized the deletion.
SECTION 4: THIRD-PARTY DATA SHARING
Customer data may only be shared with third parties under a signed Data Processing Agreement (DPA) that meets the standards set out in Appendix C. Marketing data may not be shared with third parties for their own marketing purposes without explicit, separate customer consent. Any data shared with a third party located outside the approved jurisdiction list (Appendix A) requires sign-off from the Chief Compliance Officer.
SECTION 5: BREACH NOTIFICATION
In the event of a data breach affecting customer information, the Compliance team must be notified within four (4) hours of discovery. Affected customers must be notified within seventy-two (72) hours if the breach poses a risk to their rights and freedoms, in line with applicable data protection regulation. The Compliance Committee must complete a full post-incident review within fourteen (14) days of breach containment.
SECTION 6: EMPLOYEE ACCESS CONTROLS
Access to customer data is granted strictly on a need-to-know basis and must be approved by the employee's department head. Access logs are reviewed quarterly by Internal Audit. Any employee found to have accessed customer data without a legitimate business reason will be referred to HR for disciplinary review, which may include termination.
SECTION 7: POLICY REVIEW
This policy is reviewed annually by the Compliance Committee, or sooner if required by a material change in applicable law. The next scheduled review is January 2027. Questions regarding this policy should be directed to the Compliance Officer at compliance@acmefs.example.