DATA RETENTION POLICY

Maintaining business records in a methodical and reliable way is essential to comply with our legal and regulatory requirements. It also reduces the costs and risks associated with retaining unnecessary information.

1. Why Was This Policy Developed?

This policy sets out how 2 Sisters Food Group (“2SFG” or the “Group”) retains, stores and disposes of data in compliance with legal, regulatory and business requirements. Disposing of data too early may cause loss of crucial information. Conversely, keeping it too long may increase risks and costs for the Group. This policy ensures that we:

Keep data only for as long as necessary.
Store data securely to prevent loss, unauthorised access, loss or breaches.
Dispose of data in a controlled and compliant manner when no longer required.
Protect the rights of individuals and organisations whose data we hold.
Maintain accountability for proper data handling and retention

2. What is the Scope of this Policy?

This policy applies to:

Who: all employees, officers, consultants, self-employed contractors, casual workers, agency workers, volunteers, interims and third parties handling data on behalf of the Group.
What: All types of data, including personal data and financial, operational, security and technical data.
Where: All storage locations and types including (without limitation):
- Filing Paper Records – e.g. contracts, invoices, HR documents etc.
- Electronic Records – e.g. databases, emails, system logs, financial records etc.
- Audio/Visual Recordings – e.g. CCTV footage, recordings
- Cloud Systems
- Backup and Archive Data

3. Roles and Responsibilities

All colleagues are responsible for managing the information they create and receive as part of their normal daily business activities and should familiarise themselves with the Retention and Disposal Schedule in Appendix 1. Specific records management responsibilities are also allocated to specific roles and departments. The following have additional responsibilities around retention and disposal:

Site Managers/Department Heads
Legal Team
IT

4. Data Classification and Retention Periods

We categorise data based on its purpose and apply appropriate retention periods based on legislative requirements and/or business need. The Retention and Disposal Schedule in Appendix 1 lists the specific data retention periods which apply.

Information must be kept for the length of time defined in the Retention and Disposal Schedule. The only exception to this rule is if the Legal Team has advised you in writing there is a legal requirement to destroy it sooner.

Data may be retained beyond the stated period in the Retention and Disposal Schedule if required for pending or ongoing legal proceedings, audits or regulatory investigations.

5. Storage and Access Controls

Storage type:

Data and records should, wherever possible, be stored electronically. Keeping hard copy records takes up physical space, costs more to store, manage and dispose of and poses a greater security risk.

The degree of security required for storage will reflect the sensitivity and confidential nature of any material recorded. To protect data from unauthorised access, loss or corruption, we implement the following security measures:

Access Restrictions: Data is stored securely with controlled access based on business need.
Encryption & Protection: Sensitive data is encrypted and stored securely to prevent unauthorised access.
Physical Security: Sensitive records are kept in locked cabinets or access controlled areas.
Cloud and Third-Party Storage: Data stored with external providers is protected under contractual agreements to ensure security and compliance.

6. Secure Data Disposal

When data is no longer needed, it is securely disposed of to prevent unauthorised access or misuse.

Paper Records Documents containing sensitive or confidential information must be either:
- Shredded: shredded using a cross-cut shredder or disposed of using a secure shredding service.
- Placed in a Secure Disposal Bin: Designated bins are provided for confidential waste.

Electronic Data
- Secure Deletion: Data is permanently deleted using industry approved methods.
- Physical Media Disposal: Obsolete hard drives, USB’s and other devices are securely wiped or physically destroyed before disposal.
- Cloud Data: Deletion procedures are enforced through agreements with service providers.

Special Categories of Data
- Highly sensitive data (e.g. health, financial, legal) is deleted using certified secure destruction methods.
- Legal obligations may override deletion in certain cases, such as ongoing investigations.

7. Data Breach Management

If data is improperly retained, accessed or disposed of, it may lead to a data breach.

8. Your Responsibilities

All colleagues must:

Follow this policy when handling, storing or deleting data.
Use only approved storage and disposal methods.
Report any security incidents or unauthorised data access immediately in accordance with our Data Breach Policy.

9. Rights of Individuals

Under UK GDPR, individuals have the right to:

bAccess
their personal data.
Rectify inaccurate or incomplete data.
Request erasure of their data (“right to be forgotten”) in certain circumstances.
Restrict or object to processing in certain circumstances.
Withdraw consent for data processing (in certain circumstances where applicable).
File complaints regarding data handling.

Requests should be submitted to dataprotection@2sfg.com

10. Breaches

2SFG takes compliance with this policy very seriously. Failure to comply puts both colleagues and 2SFG at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.

Colleagues with any questions or concerns about anything in this policy should not hesitate to contact the Legal Team.

11. Policy Details

This policy will be reviewed and amended periodically to ensure it reflects current best practices and legal requirements and meets 2SFG’s requirements. Any changes or updates to this policy will be communicated to all colleagues and will take effect from the date of publication.

If you have any questions on the interpretation of this policy, please contact compliance@2sfg.com

Current Version v.1 Created July 2025 Last Review September 2025 Owner Group Legal

Appendix 1

Personnel records

Data Category	Retention Period	Reason for Retention
Rejected job applicant records, including: contact details ▪ application letters or forms ▪ CVs ▪ references ▪ certificates of good conduct ▪ interview notes ▪ assessment and psychological test results	Three months after applicant is notified of rejection	Equality Act 2010, s 123
Application records of successful candidates, including: ▪ application letters or forms ▪ copies of academic and other training received ▪ references ▪ correspondence concerning employment ▪ CVs ▪ interview notes and evaluation forms ▪ assessment and psychological test papers and results	Six years after employment ceases	Limitation Act 1980, s 5
Employment contracts, including: ▪ personnel and training records ▪ written particulars of employment ▪ changes to terms and conditions	Six years after employment ceases (13 years if executed as a deed)	Limitation Act 1980, s 5, 8
Employee performance and appraisal records, including: ▪ probationary period reviews ▪ review meeting and assessment interviews appraisals and evaluations ▪ promotions and demotions	Six years after employment ceases	Limitation Act 1980, s 5
Disciplinary and grievance records	Six years after employment ceases	Limitation Act 1980, s 5
Records of holiday and holiday pay	Three years after end of leave year	Working Time Regulations 1998; Employment Rights Act 1996
Redundancy records	Six years from date of redundancy	Limitation Act 1980, s 5
Records of maternity and family-related leave	Three years after end of each tax year	Statutory Maternity Pay Regulations 1986
Sickness records	Four years after end of each tax year	Statutory Sick Pay Regulations 1982
Records of return to work meetings following sickness, maternity etc	Six years after end of each tax year	Limitation Act 1980, s 5
Personal information collected for equality and diversity monitoring purposes	Delete once anonymised statistics are produced	ICO guidance
Information on health conditions, disabilities and caring responsibilities, eg to provide additional support, reasonable adjustments or carer’s passports	Six years after employment ceases	Limitation Act 1980, s 5
Employee’s emergency contact details, previous addresses or death in service beneficiary details	Immediately after employment ceases	Business need
Records for the purposes of tax returns including wage or salary records, records of overtime, bonuses and expenses	Six years	Taxes Management Act 1970; Finance Act 1998
Pay As You Earn (PAYE) records, including: ▪ wage sheets ▪ deductions working sheets ▪ calculations of the PAYE income of employees and relevant payments to them, the deduction of tax from, or accounting for tax in respect of, such payments ▪ all documents relating to any information which an employer is required to provide to HMRC under Form P11D (benefits in kind)	Three years after end of tax year	Income Tax (PAYE) Regulations 2003
Records demonstrating compliance with national minimum wage requirements, including hours worked	Six years	National Minimum Wage Act 1998; Regulations 2015
Employee income tax and National Insurance returns and associated HMRC correspondence	Three years after end of tax year	Income Tax (PAYE) Regulations 2003
Statutory sick pay (SSP) records	Three years after end of tax year	SSP Regulations 1982
Wage or salary records (including overtime, bonuses and expenses) and payments to consultants and independent contractors	Six years after relevant tax period	Taxes Management Act 1970
Records, calculations, certificates or other evidence relating to statutory maternity and other family leave-related pay	Three years after end of tax year	Statutory Maternity Pay Regulations 1986

Health and safety records

Data Category	Retention Period	Reason for Retention
Records of reportable injuries, diseases or dangerous occurrences ▪ reportable incidents ▪ reportable diagnoses ▪ injury arising out of accident at work (including accident books)	Three years from date of the entry	The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR 2013), reg 12
Records of monitoring of exposures to hazardous substances (where exposure monitoring is required under COSHH)	Five years from the date of the last entry	COSHH 2002, reg 10(5)
Records of tests and examinations of control systems and protective equipment under COSHH	Five years from the date the record was made	COSHH 2002, reg 9

Company and finance records

Data Category	Retention Period	Reason for Retention
Accounting records	3 years from the date on which the record was made (6 years for Boparan Finance plc)	Companies Act 2006, s 386 and 388
Records of all proceedings at directors’ meetings	10 years from the date of the meeting	Companies Act 2006, s 248

Security records

Data Category	Retention Period	Reason for Retention
CCTV Footage – standard	Up to 30 days from date of recording	Business and security
CCTV Footage – where investigation is ongoing	Six years from closure of the investigation	Evidential
Building access records	Three months from date of the record	Evidential and security

Customer records

Data Category	Retention Period	Reason for Retention
Customers’ account details	6 years from the end of relationship with customer	Evidential and Business
Sales analysis records	5 years from the date of the earliest record being analysed	Business
Customer complaints	6 years from the end of relationship with customer	Evidential and Business

Legal records

Data Category	Retention Period	Reason for Retention
Simple Contracts	Life of Agreement plus 6 years	Limitation Act 1980
Deeds	Life of Agreement plus 12 years	Limitation Act 1980
Leases	Life of Agreement plus 15 years	Limitation Act 1980
Claims made by employees	6 years from termination of employment	Limitation Act 1980