Data Retention and Disposition
Table of Contents
1. Document information and approval
2. Introduction
3. Purpose and scope
4. Reference documents
5. Definitions
6. Policy statements
   6.1. Storage
   6.2. Private data
   6.3. Common retention list
      6.3.1. Aims
      6.3.2. Scope
      6.3.3. Retention Schedule
   6.4. Administrative retention period (ARP)
      6.4.1. Principles and rules
      6.4.2. Default value
   6.5. Disposal of Files
7. Awareness campaign
8. Consultation status
9. Data protection
10. Records
11. Final provisions
ESMA • CS 60747 – 103 rue de Grenelle • 75345 Paris Cedex 07 • France • Tel. +33 (0) 1 58 36 43 21 • www.esma.europa.eu
2. Introduction
One of the foundations of information security is controlling how resources are accessed, so that they are protected from unauthorised modification or disclosure. This policy defines the principles for establishing and maintaining a uniform records management policy for the control, retention, storage, retrieval and disposal of recorded information, in order to comply with all statutory, regulatory and administrative requirements.
3. Purpose and scope
The purpose of this policy is to define retention and disposition measures for all ESMA’s systems, and especially for highly sensitive systems.
This policy applies to the officials, the other servants and the persons described in Article 70(1) of the ESMA Regulation. In particular, it applies to ESMA’s employees, contractors, consultants, temporary staff and other workers at ESMA who are responsible for the management of user accounts, or appointed staff members who can access shared information or network devices. Such information can be held within a database, application or shared file space. This policy covers departmental accounts as well as those managed cen-
4. Reference documents
• ISO IEC 27001/27002 (international standard on information security management systems);
• ISO IEC 27005 (international standard on information security risk management);
• Commission decision 2001/844/EC, ECSC, Euratom amending its internal Rules of Procedure;
• Commission decision C(2006) 3602 on Security of Information Systems;
• Implementing Rules (EN) for Commission decision C(2006) 3602;
• Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
• Document Management in the European Commission - Collected Decisions and Implementing
5. Definitions
Access: The ability to use, modify or manipulate an information resource, or to gain entry to an area or location.
Access control: The process of granting or denying specific requests for obtaining and using information. The purpose of access controls is to prevent unauthorised access to IT systems.
Active file: A file with current use for the division or unit that generated it. Files remain active for varying numbers of years, depending on the purpose for which they were created.
Archival file: A file that is retained permanently for its lasting historical value and is used for research and reference by ESMA and the general public.
Availability: Protection of IT systems and data to ensure timely and reliable access to, and use of, information by authorised users.
Confidentiality: Protection of sensitive information so that it is not disclosed to unauthorised individuals, entities or processes.
Data Owner: The entity that can authorise or deny access to certain data, and is responsible for its accuracy, integrity and timeliness.
Document: Content drawn up or received by ESMA concerning a matter relating to the policies, activities and decisions falling within ESMA’s competence and in the framework of its official tasks, in whatever medium (written on paper or stored in electronic form or as a sound, visual or audio-
File: The core around which the documents are organised in line with ESMA’s activities, for reasons of proof, justification or information, and to guarantee efficiency in the work.
Historical file: A file that documents ESMA’s existence through time.
Inactive file: A file no longer needed to conduct ESMA’s current activities and consulted infrequently (less than once a year).
Principle of Least Privilege: The principle according to which the access privileges of any user should be limited to the resources absolutely essential for the completion of assigned duties or functions, and nothing more.
Disposition: The destruction, or systematic transfer to archival storage, of files no longer needed for everyday operations or frequent reference, or to satisfy the requirements of external third parties.
Administrative Retention Period: The length of time a file needs to be maintained to satisfy the purposes for which it was created, and to fulfil the legal, fiscal and administrative requirements of ESMA and interested third parties. At the conclusion of the Administrative Retention Period the file may be destroyed or transferred to storage, depending upon the action prescribed in the Re-
Security controls: Safeguards or countermeasures to avoid, counteract or minimise security risks relating to personal property or any company property. Security controls can be categorised according to their nature: physical, procedural, technical, or legal and regulatory or compliance.
User: Any person to whom this policy applies.
Vital files: Files whose loss could result in significant material damage to ESMA and that would be difficult to reconstruct if lost, stolen or destroyed. These include files that are essential to document ESMA’s legal, financial or regulatory position and to preserve ESMA’s ongoing operation, commitments and rights.
6. Policy statements
6.1. Storage
All information used in carrying out ESMA’s mission and activities is ESMA’s property and must be stored on ESMA’s departmental servers.
All documents that are of private use must be stored on the user’s personal computers. E-mail users must
store all private e-mail (including e-mail sent) in a local .pst file. The administration of this file is the sole
responsibility of the users.
6.2. Private data
Users are entitled to save, for their personal use, any private data that may reside on their personal computers. This data can be retrieved during the period in which the user has a contractual relationship with ESMA. After the user’s contractual relationship with ESMA ends, any private data that remains on the ESMA computer(s) and mobile device(s) used by that user will be erased.
6.3. Common retention list
The common retention list for ESMA files (CRL) is a regulatory instrument that sets the retention period for the different types of ESMA files. Structured as a retention schedule, it lists the files that are specific to a Division / Unit, as well as administrative and common files that cut across functional areas, and prescribes the authorised retention periods.
The CRL takes account of the organisational context, the existing legislation and ESMA’s legal obligations.
6.3.1. Aims
The aims of the common retention list are:
a) To identify the file type of each file created and held by ESMA in order to ensure that it is properly
b) To lay down the retention period for each type of file, taking into account its administrative usefulness for the Divisions/Units, the statutory and legal obligations and its potential historical val-
The retention period for each type of file is determined by:
• Its administrative retention period (ARP);
• The action to be taken at the end of the ARP;
• Where applicable, the action to be taken after transfer to the historical archives.
These three parameters are set for each type of file in the CRL retention schedule;
c) To establish the administrative procedures for the elimination of documents which ESMA must
apply to certain types of files;
d) To define the action to be taken by ESMA on the various types of files once the ARP has expired.
6.3.2. Scope
The common retention list is applied by all Divisions and Units. It applies to files irrespective of their form: paper, electronic or hybrid.
6.3.3. Retention Schedule
All active and inactive files are to be kept for the minimum administrative retention periods listed in the
Retention Schedule. ESMA’s files identified in the Retention Schedule refer to originals, both electronic
and paper, unless otherwise stated. Copies of original files maintained for convenience are not covered by
the Retention Schedule and should not be retained when no longer useful. Notwithstanding minimum
administrative retention periods, all files must be maintained until all required audits are completed and
should be retained beyond the listed retention periods when there is a probability of litigation either
involving files or requiring their use.
Vital, Historical and Archival Files should be identified in the Retention Schedule by the Data Owners and
protected in accordance with stated retention periods.
6.4. Administrative retention period (ARP)
6.4.1. Principles and rules
Divisions and Units are required to preserve their files (on paper, in electronic or in hybrid form) during
the administrative retention periods (ARPs) laid down by the CRL. During that period files may not be
eliminated. The ARP begins to run from the date of closure of the file, which is the date when the most
recent document was added to the file.
6.4.2. Default value
The default administrative retention period is five years.
6.5. Disposal of Files
ESMA’s files approved for disposal that are not of a confidential or sensitive nature [1] may be disposed of by
means of regularly established practices for handling recyclable paper, waste paper or magnetic / optical
All ESMA’s files approved for disposal that are of a sensitive nature may be disposed of by any method of
destruction making file recognition impossible. Determination of what constitutes sensitive files is the
responsibility of the Data Owners, according to the Data Classification Policy.
7. Awareness campaign
This policy will have publication status INTRANET (publication on Intranet available to all staff).
It will be communicated to staff in an all staff meeting and in security awareness sessions.
8. Consultation status
This policy has been sent for consultation to all Heads of Divisions/Units, the data protection officer and
the Operations Division’s team leaders prior to its approval.
9. Data protection
Any personal data identified in the information affected by this Policy shall be handled in compliance with
the requirements laid down in Regulation (EC) No 45/2001.
10. Records
Originals and electronic versions of this document are filed by the internal control/quality function.
11. Final provisions
This policy enters into force on 1 January 2015.
This policy will be reviewed whenever considered necessary and appropriate, and at the latest three years following its adoption. [2]
[1] A sensitive file is a file with a confidentiality level of ‘ESMA RESTRICTED USE’ or ‘ESMA CONFIDENTIAL USE’.
[2] The policy was reviewed on 10.10.2018: no update/change.