91622, 10.05 PM This content matches your MGS Profile. Enterprise Records Management (MIP-15) MARRIOTT INTERNATIONAL POLICY (MIP) REVISED: MAY 25, 2021 Enterprise Records Management (MIP-15)- Ml Standards. REVIEWED: OCTOBER 01 2020 Region & Brand Applicability Table BRAND NAME ‘Above Property AC Hotels Aloft Hotels ‘Autograph Collection Autograph Collection - All Inclusive ‘Autograph Collection Residences Bulgari Bulgari Residences Courtyard Delta Hotels Delta Hotels - All-Inclusive Design Hotels EDITION Hotels EDITION Residences Element Hotels Fairfield Four Points htps:imgscloud mariol.comlslandards7id=1834 AP EUR MEA wn91622, 10.05 PM Gaylord Hotels v Headquarters v JW Marriott v JW Marriott - All-Inclusive v JW Marriott Residences v Le Meridien v Le Meridien Residences v Marriott Executive Apartments v Marriott Hotels v Marriott Hotels - All-inclusive v Marriott Residences v BRAND NAME. uS/ CAN Marriott Vacations Club v MOXY Hotels v Protea Hotels by Marriott v Renaissance Hotels v Residence Inn v Ritz-Carlton Reserve v Sheraton Hotels v Sheraton Residences v SpringHill Suites v St. Regis Hotels v St. Regis Residences v The Luxury Collection v The Luxury Collection - All- v Inclusive The Luxury Collection v htps:imgscloud mariol.comlstandards7id=1834 Enterprise Records Management (MIP-15) - Ml Standards v v CALA v v AP. EUR 4 886 6 MEA 4 886 ‘ ant91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, Residences The Ritz-Carlton v The Ritz-Carlton - All-Inclusive v The Ritz-Carlton Club v ‘The Ritz-Carlton Residences v The Ritz-Carlton Yacht Collection ¥ TownePlace Suites v Tribute Portfolio v Tribute Portfolio - All-inclusive v W Hotels v W Hotels - All-Inclusive v W Residences v Westin Hotels v Westin Hotels - All-Inclusive v Westin Residences v v ¥ ¥ v v v v v v v v v v v ¥ v v v v v v v v v v v v v v ¥ v v v v v v v v v v v v ¥ ¥ v v v v v v v v v APPLIES TO: Architecture & Construction, Communications, Engineering, Event Management, Finance & Accounting, Fitness & Recreation, Food & Beverage, Front Office, Furniture, Fixtures & Equipment, Golf, Housekeeping, Human Resources, Legal, Information Protection, , Purchasing, Quality Assurance & Guest Satisfaction, Residential Operations, Retail, Risk Management & Loss Prevention, Sales, Marketing & Revenue Management, Spa, Technology Requirements Applicabilty: Associates at al brands, all regions Key Responsibilities Section ” Policy Owner: (unless otherwise stipulated, is responsible for policy administration, compliance monitoring, implementation, and training) Senior Vice President, Associate General Counsel (Michael Martinez) Policy Approver: (unless otherwise htps:imgscloud mariol.comstandards7id=1834 Executive Vice President, General Counsel (Rena Reiss) ant91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, stipulated, is responsible for approval of exceptions) + Chief Audit Executive (CAE) and Global Internal Audit Function have oversight responsiblity for the facilitation of policy updates. 1. Policy Overview Marriott International, inc. (Marriott or the Company) has established an Enterprise Records Management (ERM) Policy to responsibly manage its Records, which are categorized as: + Company Records: Records that are or were valuable to or necessary for Marriott's conduct of business operations, including the Personal Data of customers, associates, and business partners as defined by MIP-91 + Transitory Records: Records generated during day-to-day business operations which have no business or legal value to Marriott beyond a short period of time (e.g., an email setting up a meeting time). + Non-Business Records: Records of a non-business or personal nature. As it relates to all Records (j,e., Company, Transitory, and Non-Business), Marriott seeks to ensure that: + Marriott appropriately manages the cost and risk associated with the storage of Records. + Records are appropriately retained pursuant to any Litigation Hold Directive. + Associates understand fully that all Records are governed by this Policy and remain subject to other relevant Marriott policies, As it relates to Company Records, Marriott seeks to ensure that: + All Company Records are retained for at least the minimum period specified by applicable laws and regulations, and no longer than needed for legitimate business purposes. For example, Company Records informing business decisions and fulfilling the Company's obligations to customers, guests, business partners, regulators, associates, investors, auditors, and vendors are maintained for their useful life and destroyed thereafter. This Policy applies to: + All Records including, without limitation, those that are stored in hard copy, on computers, shared and local area networks, film or electronic storage media (i.e. CDs, DVDs, portable and handheld devices). + All Records generated, received, or maintained in the operation of Marriott's business, irrespective of where they are stored (e.g., on Mariott premises, in offsite/remote facilities). + All Marriott associates and all individuals and entities acting on behalf of Marriott and that have access to, or use of, Records for a reason affecting or relating to Marriott's business. + All Records held by a third party if Marriott has access to and control over those Records, 2. Policy htpsimgscloud mariol.comslandards7id=1834 ant91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, Itis the policy of Marriott to retain Records of continuing usefulness which preserve corporate history and satisfy all legal, accounting, and tax requirements. Records are to be retained for at least the minimum period specified by applicable laws and regulations and no longer than needed for legitimate business purposes. 3. Requirements 3.4 Company Records Itis the policy of Marriott to securely destroy Company Records at the end of their specified retention period. This policy includes the Records Retention Schedule Instructions, the Records Retention Schedule, the Maintenance, Retrieval, and Destruction of Records, and the Customer Data Retention Schedule (Appendices A, B, C, and E respectively), The Records Retention Schedule assigns official ownership for each Company Record to a Business Discipline (i.e., Finance & Accounting, Law, Consumer Operations) and establishes, for each record type, a retention period at the end of which Records must be destroyed. 3.2 Transitory and Non-Business Records Although Marriott does not prohibit the creation or storage of Non-Business Records, associates should make efforts to keep these activities to 2 minimum. Associates should anticipate that Marriott has the right to access and review these Records periodically without notice. Non-Business Records and Transitory Records should not be retained beyond their useful life. They should be removed from Marriott systems and hardware on a routine basis. 3.3 Legal Compliance 3.3.1 Local Laws and Regulations Record retention must comply with all applicable local laws as well as Marriott standards with the stronger regulation overwriting the other. Record retention periods listed in the schedule are the minimum; retention may be longer based on local laws, or where the statute of limitations has been waived due to a current or pending local tax audit. In any event, Records should not be kept any longer than necessary without a legitimate business interest. Associates noting discrepancies wherein a jurisdiction recommends a more conservative retention than indicated on the schedule have an obligation to report this to the Law Department. 3.3.2 Litigation Hold Directives Marriott has a legal obligation to retain Records that are relevant to pending or reasonably anticipated legal proceedings Consequently, the Law Department will institute a litigation hold and issue a Litigation Hold Directive when it becomes aware of actual or reasonably anticipated litigation. When the Law Department issues a Litigation Hold Directive, affected associates must carefully follow the direction of the Law Department with regard to that Litigation Hold Directive. In such circumstances, associates must immediately suspend the destruction of any Records relating to that Litigation Hold Directive. Any associate who reasonably anticipates that litigation or a governmental investigation will occur, even if not formally commenced, and who has not received a Litigation Hold Directive should contact the Law Department immediately. Pending such discussions, the associate should preserve all relevant materials, htpsimgscloud mariol.comslandards7id=1834 sit91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, 3.4 Email Auto-Purge The Email Auto-Purge requirement establishes the default retention period for email retained on online mail servers. This policy applies to all: + All Marriott email users + All Marriott email systems + All email sent or received using Marriott email and systems 3.4.1 Default Retention Period: Marriott systems will be configured to automatically purge all messages located in Outlook inbox, drafts, sent items, deleted, notes, and junk older than one year. Marriott's policy will exclude contacts, tasks and calendar items from being deleted. At the discretion of the Law Dept., retention time periods may be extended as necessary or appropriate. 3.4.2 Destruction Frequency: Email will be purged on a daily basis from all online mail servers (i.e., any email older than the current date 1 year will be destroyed nightly). 3.4.3 Email as a Company Record When the contents of an email classify it as a Company Record, the email should be retained by the official owner of the record in accordance with the associated retention period as dictated by the Records Retention Schedule (see Appendices A, B, and C) and saved in a manner to preserve the record. The burden of determining whether a specific. message is a Company Record should fall to each individual. Convenience copy recipients should not retain messages longer than required for their respective jobs. When that need no longer exists, the information should be destroyed. Questions about the proper classification of a specific message should be directed to the associate's department head or the business discipline. 3.4.4, Litigation Hold Directive A litigation hold directive from the Law Department supersedes this email auto-purge requirement. Email and accounts for associates who have been placed on litigation hold are managed by Global Information Resources until the hold is released, 3.5 Maintenance, Retrieval, and Destruction of Records 3.5.1 Maintenance of Records Records (i.e., Company Records, Non-Business Records, and Transitory Records) shall be maintained in a safe, secure environment that is appropriate for each Record's use and classification in compliance with appropriate MIPs. Associates should use electronic information systems that maintain appropriate controls when creating or obtaining Records and that will support them in the context of business purpose or the activity performed. Records should be maintained in an accessible environment such that they can be retrieved, without undue burden, for the length of time required by the Records Retention Schedule regardless of operating systems, software, or media changes over time, 3.5.2 Retrieval of Records All Records retrieved from an offsite Marriott storage facility should be retained in the business area for no longer than htpsimgscloud mariol.comslandards7id=1834 ett91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, thirty (30) days (and subsequently retuned to the storage facility) unless senior management receives written authorization from the Law Department to retain the Records for a longer period of time. Limiting the duration of retention for retrieved Records to thirty (30) days will prevent Records from being damaged, destroyed, lost or misfiled. 3.5.3 Destruction of Records When the retention period ends and if no Litigation Hold Directive is in effect, Records should be disposed of or eliminated from all storage media, including personal computers, databases, sharedinetwork drives, fle cabinets, off-site storage, magnetic media, and backup tapes, Records should be disposed of by a method (e.g., shredding, recycling, purging) appropriate to the content and level of confidentiality of the records in accordance with Marriott's Global Information Security Policy (MIP-29), Storing Records beyond the retention periods set forth in this Policy costs Marriott storage fees, prevents the efficient retrieval and accessibility of necessary Records, creates risk, and hinders the consistent application of this Policy. Therefore, exceptions to this Policy will be granted only in specific circumstances based on ongoing business needs or legal requirements and must be explicitly approved by the Law Department. 4, Roles & Responsibilities 4.1 Law Department The Law Department shall: + Dosign the ERM Policy and designate a Law Department associate to oversee its implementation, + Oversee the creation of, and subsequent modifications to, the Records Retention Schedule Instructions and Records Retention Schedule. + Address any policy-related questions related to the Email Auto-Purge Policy. 4.2 Global Information Technology Department The Global IT Department shall work in coordination with the Law Department to support the design, implementation, and function of this Policy. Specifically, Global IT will oversee the technical implementation of the email auto-purge. 4.3 Business Disciplines Marriott's business disciplines shall be responsible for implementing the policy, identifying any necessary modifications of the program specific to their operations, and coordinating with the Law Department to update the Policy or Records Retention Schedule with any changes. The Business Disciplines will review the retention schedule every two years to confirm the accuracy therein 4.4 Associates All Marriott associates will be responsible for complying with this Policy. A subset of associates may be responsible for periodically certifying their departments have made their best efforts to comply with the Policy. 5. Definitions htpsimgscloud mariol.comslandards7id=1834 mt91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, Active Records: Records that are currently used to conduct day-to-day business operations (e.g., a three-year strategy against which a business discipline is executing, a project plan for a project that will be completed in six months). Company Record: fecords that are or were necessary to satisfy the needs of everyday business operations, legal and regulatory requirements, fiscal responsibilities, and historical needs; records that are or were valuable to, or necessary for, Marriott operations and are the property of Marriott International including the Personal Data of customers, Associates and business partners as defined by MIP-91 Final Records: Final versions of Company Records, ui n Hold cctive: The Litigation Hold Directive issued by the Law Department when it becomes aware of actual or reasonably anticipated litigation. Non-Business Records: Records of a non-business or personal nature created or maintained by an associate for his or her own purposes relating to activities or issues not relevant to the course of doing business (e.g., e-mail to a friend to meet for coffee). Records: All documented information generated or received by associates or third parties who handle Marriott information, or any individual or entity acting on behalf of Marriott Records include, but are not limited to: reports, letters, memoranda, e-mail, facsimiles, graphics, data, audits, expense reports, meeting minutes, handwritten notes, calendars, agendas, outlines, timelines, summaries, presentations, research materials, plot diagrams, charts, photographs, bound record books, publications, manuscripts, drawings, statistical analyses, research materials, cards, maps, computer printouts, audio and video media, micrographics and electronic media such as disks, diskettes, tapes, optical disks, CD-ROM, grading reports and voice recordings. Records do not include library books, periodicals, copies of reports, blank forms, or stationery. Records are further categorized into Company Records, Non-Business Records, and Transitory Records, | Scope of Recor Retention Schedule | Key htpsimgscloud mariol.comslandards7id=1834 att91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, Transitory Records: Records generated during day-to-day business operations which have no business or legal value to Marriott beyond a short period of time (e.g., an e-mail setting a meeting time). Works-In-Progress and Draft Records: Records including drafts, project materials, research results, or reference information used in the development of a Company Record. Drafts are defined as preliminary, preparatory or tentative versions of all or part of a record, whether or not such draft was superseded by a later draft and whether or not the terms of the draft are the same as or different from the terms of the final record 6. Policy Compliance This Policy must be complied with in accordance with all Marriott International Policies, including but not limited to: + Marriott's Ethical Conduct Policy (MIP-1) + Global Information Security Policy (MIP-29) + Business Continuity (MIP-30) + Mobile Devices (MIP-46) + Global Privacy Policy (MIP-91) Managers and supervisors must ensure that the Policy is enforced through appropriate disciplinary measures, Any associate in violation of a provision of this Policy shall be subject to discipline, up to and including termination. 7. Compliance Monitoring Compliance with this poliey is monitored using existing processes as described above and through the MIP-01 Annual Ethical Conduct Survey. 8. Documents Associated with this Policy Records Retention Schedule Instructions (Appendix A) (DOC) Records Retention Schedule (Appendix B) (XLS) Records Retention Schedule for All US locations including HQ and properties (Schedule 1 - Appendix B) (XLS) Maintenance, Retrieval, and Destruction of Records (Appendix C) (DOC) Microsoft Skype Conversation History and Microsoft Teams Chats - Retention Period Extension (Appendix D) (DOC) Customer Data Retention Schedule (Appendix E) (XLS) Ethical Conduct (MIP-01) Electroni¢ Communications (MIP-28) Global Information Security Policy (MIP-29) Business Continuity (MIP-30) EFFECTIVE: JANUARY 13, 2012 | PUBLISHED: MAY 04, 2011 htpsimgscloud mariol.comslandards7id=1834 ort91622, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, Irthis documents older than December 15, 2022, vist Meritt Global Source to ensure you have the mosl up-to-date version of this standard, MARRIOTT CONFIDENTIAL AND PROPRIETARY INFORMATION ‘The contents of his matetial ara confidential and propretary to Marriot! Intemational, Inc. and may not be reproduced, disclosed, distributed or used without te express permission ofan authorized representative of Marriot. Any olher use is expressly prohibit. htpsimgscloud mariol.comslandards7id=1834 ont9118722, 10.05 PM Enterprise Records Management (MIP-15) - Ml Standards, hitpsimgscloud mariolt.comstandards7i at