For the retention policy in the toolkit that is set to mandatory, can we change it to only apply to the retention period of personal information? Also the retention period for all this information is listed in the Inventory, will this be sufficient enough? Chapter 3.5 about routine disposal schedule, is it mandatory to keep this in the policy?
The retention policy in the toolkit is meant to refer only to records containing personal data and is consistent with the requirements of EU GDPR article 5.1.(e) – “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/ namely personal data cannot be kept for longer than is necessary for the purposes for which the personal data are processed.
The retention periods in the Inventory of processing activities is consistent with the requirements of EU GDPR article 30 – “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/ My suggestion is to have the i nformation about retention periods in your Data Retention Policy ( Annex - Data Retention Schedule) since this policy will most likely be available to all employees as opposed to the Inventory of processing activity which is usually handled by the DPO or data protection responsible.