DIVA PLUS EOOD – UIC 175013870 Sofia, Bakston District, Bl. 19, Entr. A, Apt. 6, Bulgaria | https://divaplus.org/

1. Purpose, Scope and Users

This Policy defines the required retention periods for certain categories of personal data and sets the minimum standards to be applied when destroying certain information at DIVA PLUS EOOD (hereinafter the “Company”).

The Policy applies to all business units, processes and systems in all countries where the Company operates, and to all relationships with third parties. It applies to all directors, employees, agents, contractors, consultants and service providers who may collect, process or access data, including personal data and sensitive personal data. All of the above are responsible for familiarising themselves with this Policy and ensuring its adequate compliance.

2. Scope of Information

The rules of this Policy apply to all information used within the Company, including:

  • emails and paper documents;
  • electronic documents;
  • video or audio materials;
  • data generated by physical access control systems.

Reference documents: Regulation (EU) 2016/679 (GDPR), applicable national legislation, the Data Protection Policy and the Retention Rules of DIVA PLUS EOOD.

3. Retention Periods

Where a category of documents is not specifically identified in this Policy or in the Data Retention Schedule, and is not otherwise governed by applicable law, the required retention period for such a document shall be deemed to be 10 years from the date of the document’s last update.

The Data Controller determines retention periods for documents and electronic records through the General Retention Schedule. Retention periods may be extended in the case of:

  • ongoing investigations by Member State authorities;
  • the need to demonstrate compliance with legal requirements;
  • the exercise of legal rights in court proceedings or similar processes.

During the retention period, the risk of media deterioration must be considered. When using electronic media, the procedures and systems ensuring access to information and readability of formats must be maintained to prevent loss of information resulting from technological changes. Responsibility for retention lies with the Data Controller.

4. Destruction of Data

The Company and its employees must regularly review all data stored electronically or on paper to determine whether it should be destroyed once the purpose for which it was created is no longer relevant.

Once a decision to destroy has been made in accordance with the Retention Schedule, data must be erased or destroyed in a manner proportionate to its value and level of confidentiality. The method of destruction depends on the nature of the document:

  • Documents containing sensitive or confidential information, including sensitive personal data – destroyed as confidential waste and subject to secure electronic deletion.
  • Expired or superseded contracts – may be internally shredded.
  • Documents without confidential information – may be recycled without record-keeping

Destruction may be carried out by an employee or by an internal or external service provider, in compliance with all applicable legal requirements and the Data Protection Policy.

5. Controls and Security

Adequate controls must be in place to prevent permanent loss of essential information through malicious or accidental destruction. These controls are described in the Information Security Policies of DIVA PLUS EOOD.

The Data Controller is responsible for documenting and approving the destruction process, ensuring full compliance with all legal requirements. Only authorised employees have access to the records.

6. Routine Destruction

Documents that may be routinely destroyed – unless subject to ongoing legal or regulatory investigation – include:

  • daily announcements and notices;
  • requests for routine information;
  • supporting documents without added value;
  • outdated lists and duplicate documents;
  • outdated publications, trade catalogues and newsletters.

Destruction is subject to disclosure requirements in the context of litigation.

7. Document Classification

Documents are classified by level according to their degree of confidentiality:

  • Level 1 – Highest security (containing personal data): subject to secure destruction with evidence thereof.
  • Level 2 – Confidential (without personal data): destroyed by shredding and controlled disposal.
  • Level 3 – Standard (without confidential information): may be recycled without record-keeping.

8. Responsibilities and Consequences of Non-Compliance

The Data Protection Officer is responsible for ensuring all Company departments comply with this Policy and assists authorities with data protection enquiries. Any suspected breach of the Policy must be immediately reported and investigated.

Non-compliance with this Policy may result in:

  • loss of trust from clients and partners;
  • litigation and financial losses;
  • reputational damage to the Company.

Violations by employees or third parties may lead to disciplinary measures, termination of contractual relationships or legal action.

This Policy is adopted by the management of DIVA PLUS EOOD and enters into force from the date of its publication on the website https://divaplus.org/