The entity retains personal information consistent with the entity’s objectives related to privacy
Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise
Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.