Data Retention & Disposal Policy
Zammit Corporate Limited
Effective Date: 5/12/2025
Version: 1.0
1. Purpose
This Data Retention & Disposal Policy establishes the rules by which Zammit Corporate Limited (“the Company”) retains, stores, archives, and disposes of personal data.
The policy ensures compliance with:
- The General Data Protection Regulation (GDPR)
- The Maltese Data Protection Act (Chapter 586)
- Local laws governing employment, taxation, accounting, and corporate record-keeping
The objective is to ensure personal data is kept no longer than necessary and is securely disposed of when no longer required.
2. Scope
This policy applies to all personal data processed by Zammit Corporate Limited, in all formats:
- Digital files
- Paper documents
- Email and communications
- Cloud storage
- Archived records
It applies to all employees, contractors, consultants, and third-party processors acting on behalf of the Company.
3. Principles
In line with Article 5 of GDPR, the Company adheres to the following:
- Storage Limitation
Personal data must not be kept longer than necessary. - Purpose Limitation
Data must only be stored for the purposes it was collected. - Security and Integrity
Archived and active data must be stored securely. - Accountability
The Company must maintain documented retention periods.
4. General Retention Rules
The Company follows these general rules unless specific laws require otherwise:
- Data is retained only for as long as necessary to fulfil contractual, legal, or legitimate business purposes.
- Where retention periods are not legally defined, the Company applies industry-standard best-practice periods.
- Once a retention period has expired, data must be securely deleted, anonymised, or archived in a non-recoverable manner.
- If litigation, audits, or investigations are pending, relevant data must not be destroyed until closure.
5. Key Retention Periods
Below are the recommended retention timelines based on Maltese legal obligations and corporate advisory sector standards.
A full retention table can be provided on request.
5.1 Client Records
|
Document Type |
Retention Period |
Legal Basis |
|
Client onboarding forms / KYC (if applicable) |
5 years after end of relationship |
AMLD requirements (if applicable to services) |
|
Contracts, proposals, advisory reports |
10 years |
Maltese commercial & tax laws |
|
Client correspondence & email |
5 years from last interaction |
Legitimate interest + limitation periods |
|
Project documentation |
10 years |
Professional service obligations |
5.2 Accounting & Finance
|
Document Type |
Retention Period |
Legal Basis |
|
Invoices, receipts, ledgers |
10 years |
VAT Act & Income Tax Management Act |
|
Payroll and salary records |
10 years |
Employment law + tax laws |
|
Bank statements and reconciliations |
10 years |
Commercial Code obligations |
5.3 Human Resources (HR)
|
Document Type |
Retention Period |
Legal Basis |
|
Employee personnel files |
5 years after termination |
Employment rules |
|
Contracts of employment |
10 years |
Contract limitation rules |
|
Attendance records |
2 years |
Employment law guidance |
|
Recruitment records (CVs, applications) |
1 year from decision |
Legitimate interest & discrimination defence |
|
Training records |
5 years |
Professional recordkeeping |
5.4 IT, Systems & Security
|
Document Type |
Retention Period |
Notes |
|
Access logs & system logs |
6–12 months |
Security monitoring |
|
Backup files |
Up to 12 months unless critical data |
Rolling backup cycles |
|
Email accounts (ex-employees) |
Max 6 months after termination |
Data minimisation |
Zammit Corporate Limited does not use CCTV or biometric systems, so there are no retention obligations for these categories.
5.5 Marketing & Communications
|
Document Type |
Retention Period |
Legal Basis |
|
Mailing lists (with consent) |
Until consent withdrawn |
GDPR Article 7 |
|
Contact form submissions |
2 years |
Legitimate interest |
5.6 Corporate Governance
|
Document Type |
Retention Period |
|
Board meeting minutes |
Permanently |
|
Shareholder resolutions |
Permanently |
|
Compliance documentation |
10 years |
6. Storage & Archiving
The Company shall ensure:
- Secure storage of all personal data using appropriate technical and organisational measures.
- Archived data is access-restricted and encrypted where feasible.
- Data stored in cloud systems is governed by Data Processing Agreements (DPAs).
- Paper documents are kept in locked cabinets or controlled-access offices.
7. Secure Disposal of Data
When retention periods expire, personal data must be securely disposed of using one of the following methods:
Digital Data
- Secure deletion using industry-standard overwriting tools
- Cryptographic erasure
- Removal from active systems and backups
Paper Documents
- Cross-cut shredding
- Certified document destruction services
The method chosen must ensure data cannot be reconstructed.
8. Suspension of Deletion (Legal Hold)
Deletion must be paused if:
- Litigation is pending or anticipated
- An audit or investigation is ongoing
- A regulatory request is received
During this period, no related data may be altered or deleted.
9. Roles & Responsibilities
Data Protection Officer
- Oversees compliance with this policy
- Maintains the retention schedule
- Ensures regular audits
- Approves disposal requests
Employees
- Must follow retention rules
- Must not delete records outside authorised procedures
- Must report possible non-compliance immediately
Third-Party Processors
- Are required by contract to follow equal or stronger retention and deletion standards.
10. Policy Review
This policy shall be reviewed at least annually or when:
- Laws or regulatory requirements change
- New systems or data categories are introduced
- Audit findings indicate the need for update