Legal

Data Retention Policy

How we retain and protect data in line with NDPA 2023 and GDPR.

Introduction

The purpose of this policy is to establish a uniform standard for data retention at LWC. We strive to retain data strictly for the duration necessary to satisfy the objectives for which it was originally obtained. Upon the expiration of the required retention period, LWC's protocol requires the complete erasure of such data.

These guidelines are to be strictly adhered to by all organizational units to ensure regulatory compliance and operational integrity.

Scope

This policy encompasses all data collected by LWC and stored on company-owned or leased systems and media, irrespective of geographic location. It applies to all formats, including electronic records (such as photographs, video, and audio recordings) and physical hard-copy files. Retention requirements are governed by the Nigeria Data Protection Act (NDPA) 2023, the EU General Data Protection Regulation (GDPR), and defined legitimate business interests. For how we collect and use personal data, see our Privacy Policy.

Reasons for data retention

LWC maintains only the data essential for its operational efficiency, the fulfillment of its mission, and strict adherence to all applicable laws and regulations.

LWC maintains data for the following legitimate purposes:

  1. Service Delivery & Stakeholder Engagement: To facilitate ongoing services for data subjects, including the distribution of newsletters and program updates, administration of training programs, and the processing of payroll and employee benefits.
  2. Statutory & Financial Compliance: To adhere to legal requirements concerning financial reporting to shareholders and the submission of mandatory disclosures to regulatory agencies for the maintenance of business licenses and permits.
  3. Legal & Administrative Obligations: To ensure compliance with applicable labor, taxation, and immigration laws.
  4. Regulatory Adherence: To satisfy other industry-specific or governmental regulatory requirements.
  5. Security & Risk Management: To support security incident investigations or other internal and external forensic inquiries.
  6. Asset & Legal Protection: To facilitate the preservation of intellectual property and the management of active or anticipated litigation.

Data duplication

LWC prioritizes the elimination of redundant data storage to optimize system efficiency and security. While the organization endeavors to avoid duplication, multiple copies may be maintained where justified by operational necessity or specific business requirements. Regardless of the number of iterations or storage locations, this policy applies universally to all data in LWC's possession, including all backup and duplicate copies.

Retention requirements

LWC has set the following guidelines for retaining all personal data as defined in its data privacy policy:

  1. Website visitor data will be retained as long as necessary to provide the service requested/initiated through the LWC website.
  2. Personal data of Guarantors, Contractors, Subcontractors and Vendors will be kept for the duration of the contract or agreement.
  3. Employee data will be held for the duration of employment and then five years after the last day of employment.
  4. Data associated with employee wages, leave and pension shall be held for the period of employment plus five years.
  5. Recruitment data, including interview notes of unsuccessful applicants, will be held for one year after the closing of the position recruitment process.
  6. Consultant (both paid and pro bono) data will be held for the duration of the consulting contract plus two years after the end of the consultancy.
  7. Data associated with tax payments (including payroll, corporate, and VAT) will be held for five years.
  8. Operational data related to business proposals, reporting, and training programs will be held for the period required by LWC's Management, but not more than five years.

Data destruction

To ensure responsible data management, LWC mandates the active destruction of data once its retention period has lapsed. Employees who believe certain information warrants further retention for business reasons must report this to their supervisor with a formal justification. All policy exceptions are subject to approval by the Data Protection Officer and legal counsel. Furthermore, a litigation hold may be implemented by the legal department in rare instances, overriding standard destruction protocols to preserve evidence for legal matters.

If you have questions about this policy or your data, please contact us.