Data Retention & Deletion Policy

1. Purpose 

This Data Retention & Deletion Policy – External Summary provides a highlevel overview of how Phonovation Limited manages the retention, protection, and deletion of information, including personal data. It is intended to support customer, partner, and regulatory duediligence activities by outlining the principles and governance applied to dataretention practices. 

This document does not disclose detailed retention schedules, systemspecific configurations, or internal operational procedures. Detailed retention rules, schedules, and evidence are maintained internally as part of Phonovation Limited’s Information Security Management System (ISMS) and dataprotection framework. 

 

2. Scope 

This policy applies to information processed, stored, or transmitted by Phonovation Limited within the scope of its ISMS, including: 

  • Customer and partner information 

  • Personal data processed on behalf of customers 

  • Operational, technical, and business records 

  • Logs, backups, and audittrail data supporting service delivery 

The policy applies across systems, services, personnel, and thirdparty arrangements involved in Phonovation Limited’s operations. 

 

3. Data Retention Principles 

Phonovation Limited applies the following principles to data retention and deletion: 

  • Lawfulness: Data is retained only where there is a valid legal, regulatory, or contractual basis. 

  • Purpose Limitation: Data is retained only for purposes that are defined and legitimate. 

  • Data Minimisation: Data retained is limited to what is necessary for the stated purpose. 

  • Storage Limitation: Data is not retained for longer than necessary. 

  • Security: Data is protected throughout its retention period using appropriate safeguards. 

These principles are aligned with GDPR requirements and ISO/IEC 27001 controls. 

 

4. Retention Periods (High‑Level) 

Phonovation Limited defines retention periods for categories of information based on: 

  • Applicable legal and regulatory obligations 

  • Contractual requirements 

  • Business and operational needs 

  • Riskmanagement and resilience considerations 

Retention periods are documented internally and reviewed periodically. Where required, retention may be extended to support legal claims, regulatory investigations, or compliance obligations. 

 

5. Safeguarding Data During Retention 

Data retained by Phonovation Limited is protected throughout its lifecycle using technical and organisational measures designed to: 

  • Prevent unauthorised access, disclosure, or alteration 

  • Protect against loss or destruction 

  • Ensure continued accessibility where required 

Safeguards are applied proportionately based on the sensitivity and criticality of the data. 

 

6. Secure Deletion and Destruction 

When data is no longer required, Phonovation Limited ensures that it is securely deleted or destroyed in a manner appropriate to the data type and storage medium. 

Deletion and destruction practices are designed to: 

  • Prevent reconstruction or recovery of data 

  • Comply with applicable legal and contractual requirements 

  • Reduce residual dataprotection and security risk 

Detailed deletion methods and schedules are maintained internally. 

 

7. Data Subject Rights 

Where Phonovation Limited processes personal data, it supports datasubject rights in accordance with the General Data Protection Regulation (GDPR), including rights relating to access, rectification, erasure, restriction, portability, and objection. 

Requests are handled through established processes designed to ensure timely and lawful responses. 

 

8. Data Minimisation and Periodic Review 

Phonovation Limited promotes data minimisation throughout the data lifecycle. Periodic reviews are conducted to: 

  • Identify redundant, obsolete, or unnecessary data 

  • Confirm continued retention is justified 

  • Support timely deletion or anonymisation where appropriate 

 

This approach helps reduce dataprotection and security risks. 

 

9. Retention for Incident Response, Audit and Resilience 

Certain categories of data, such as logs and audit trails, are retained to support: 

  • Information security monitoring and incident response 

  • Compliance and audit requirements 

  • Operational resilience and service recovery 

Retention of such data is proportionate and aligned with regulatory and resilience obligations, including those arising under DORA where applicable. 

 

10. Alignment with Business Continuity and Resilience 

Dataretention practices are aligned with Phonovation Limited’s businesscontinuity and disasterrecovery objectives to ensure that critical information remains available to support recovery and continuity activities. 

11. Governance and Oversight 

Dataretention and deletion activities are supported by defined roles and responsibilities within Phonovation Limited. Oversight mechanisms ensure that retention practices remain compliant, effective, and aligned with organisational objectives. 

Retention risks and improvement opportunities are reviewed as part of broader information security and data protection governance activities 

 

12. Policy Review 

This Data Retention & Deletion Policy – External Summary is reviewed periodically to ensure it remains appropriate and aligned with: 

  • Changes in business operations or services 

  • Evolving legal, regulatory, and contractual requirements 

  • Information security and data protection best practices 

Detailed internal retention schedules, procedures, and evidence are maintained and made available to authorised parties under appropriate confidentiality arrangements.