Blauersee

Data Retention Plan

Plan de Retención de Datos de Blauersee

Data Retention Plan

 
 
 

1. Introduction Blauersee is a benchmark firm in the field of legal and consulting services, committed to the highest standards of personal data protection and client privacy. Aware of the importance of ensuring the confidentiality, integrity, and availability of the information it processes, Blauersee establishes this Data Retention Plan to guarantee the proper management of personal data collected in the course of its professional activities, in accordance with applicable legislation.

This document is based on the strict observance of the General Data Protection Regulation (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), as well as other applicable sectoral regulations. In addition, Blauersee reaffirms its commitment to respecting fundamental rights and to the professional duty of secrecy inherent to the provision of legal services.

2. Scope of Application This Plan applies to all personal data processing operations carried out by Blauersee, including, but not limited to, data relating to clients, employees, suppliers, counterparties, and third parties connected to its professional activities. Such operations include the collection, storage, use, communication, retention, and deletion of personal data.

3. Guiding Principles In processing personal data, Blauersee undertakes to observe the following principles:

  • Storage Limitation: Data shall be retained solely for the period necessary to fulfil the purposes for which it was collected.
  • Integrity and Confidentiality: Appropriate technical and organisational measures shall be implemented to protect data against unauthorised access, loss, or alteration.
  • Transparency: Blauersee shall inform data subjects of the applicable retention periods and the criteria used to determine them.

4. Retention Periods

Type of Data Retention Period Legal Basis
Client files 5 years from the end of the service provided to that client Art. 1964 Spanish Civil Code
Tax and accounting documents 6 years from the end of the fiscal year Art. 30 Spanish Commercial Code
Employment and employee data 4 years after termination of the employment relationship Art. 21 Workers’ Statute
Supplier data 6 years from the termination of the contractual relationship Art. 30 Spanish Commercial Code
Electronic communications 4 years from the end of the client relationship, or a maximum of 5 years Art. 20 LSSI
Data collected under the Anti-Money Laundering and Counter-Terrorist Financing Act 10 years from the termination of the professional relationship with the client Art. 25 Law 10/2010

5. Retention of Contractual Documentation Contracts executed by Blauersee may be retained for the duration of their validity and, additionally, for five (5) years following their termination, unless a longer period is required by applicable legislation or for the defence of potential legal claims.

6. Retention of Legal Notes and Memoranda Blauersee may retain legal notes or memoranda indefinitely for purposes of knowledge preservation and internal training. However, once the legally required retention periods have expired, any personal data contained in such documents must be anonymised through automated or manual procedures.

7. Procedure for Data Deletion

  • Identification of data to be deleted: The Data Protection Officer (DPO) shall conduct annual reviews to identify data whose retention period has expired.
  • Secure deletion: Physical documents shall be destroyed using certified procedures (e.g., shredding), and digital data shall be deleted in an irrecoverable manner.
  • Deletion record: A detailed record of each deletion shall be maintained, specifying the date, type of data, and method used.

8. Responsibilities Responsibility for compliance with this Plan rests with:

  • Data Controller: Ensuring the effective implementation of the measures described herein.
  • Data Protection Officer (DPO): Supervising and ensuring compliance with regulations on data retention and deletion.

9. Data Subject Rights Data subjects may exercise their rights of access, rectification, erasure, objection, restriction of processing, and data portability, in accordance with the GDPR and the LOPDGDD. Blauersee shall respond to such requests within a maximum period of 30 days.

10. Review and Update of the Plan This document shall be reviewed periodically, at least once a year, or whenever there are significant changes in the applicable legislation or in Blauersee’s data processing activities.

11. Entry into Force This Data Retention Plan shall enter into force on the date of its approval and shall be binding on all members of Blauersee.

12. Additional Note The foregoing provisions are without prejudice to the professional duty of secrecy that Blauersee assumes in the provision of legal services, always ensuring the strictest confidentiality and protection of the information processed.

Last review: December 2024.