GDPR Data Retention Policy
1. Policy Statement
1.1. Everyone has rights with regards to the way in which their personal data is handled. During the course of our business activities we will collect, store and process personal data about our business contacts, contractors, contractor’s employees, suppliers, customers, employees and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
1.2. It is essential that personal data is used, stored and disposed of in a manner that complies with our legal and regulatory requirements.
1.3. All staff are obliged to comply with this policy in relation to data retention and disposal. Any breach of this policy may result in disciplinary action.
2. About this policy
2.1. This policy sets out the basis on which we will retain and dispose of personal data.
2.2. The Data Protection Compliance Manager is responsible for ensuring compliance with the Regulations and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager via [email protected].
3.1. We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or obsolete data.
3.2. We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems all data which is no longer required.
3.3. We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
3.4. We will retain the data held by us in accordance with the retention policy which you can refer to at Appendix 1. All staff should ensure that they periodically:
3.4.1. Delete emails and other documents containing personal data where the personal data is no longer required and / or where it has been uploaded to Avetta’s IT systems;
3.4.2. Delete emails and other documents containing personal data where the personal data is no longer required and / or where it has been uploaded to Avetta’s IT systems;
3.4.3. When delete or disposing any personal data, staff must:
188.8.131.52. Paper documents containing personal data should be shredded as confidential waste; and
184.108.40.206. Digital storage devices should be physically destroyed when they are no longer required.
4. Data Breaches
4.1. Breach. A personal data breach includes both confirmed and suspected incidents. An incident includes a breach of security leading to the accidental, or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4.2. Examples of a breach. A personal data breach includes for example, accidentally releasing an email to an unintended recipient which contains personal data relating to another individual.
4.3. Internal reporting a breach. Any individual who accesses, uses or manages Avetta’s information is responsible for reporting a data breach and information security incidents immediately to their line manager and the Data Protection Compliance Manager as soon as is practicable following the data breach.
4.4. External reporting of a breach. The Data Protection Compliance Manager shall undertake external reporting where appropriate. He or she shall consider whether:
4.4.1. any notifications are required under any contracts or in accordance with any laws. This includes notifying the Data controller of the personal data concerned where we are acting as the Data processor;
4.4.2. whether the data subject(s) concerned should be alerted of the data breach;
4.4.3. where the Data Protection Compliance Manager considers that the data subject(s) should be informed of the breach, he or she shall notify the data subject without undue delay;
4.4.4. whether the Information Commissioner’s Office (or other supervisory authority) should be notified of the breach and where it should, ensure that it is notified without undue delay and where feasible, within 72 hours of us becoming aware of the breach;
4.4.5. whether any other third parties should be notified of the data breach.
4.5. Data Protection Compliance Manager Duties. Where a data breach occurs, the Data Protection Compliance Manager shall carry out the following additional tasks:
4.5.1. Ensure that he or she has carried out containment and recovery tasks. This includes determining what steps should be taken to minimise the effect of the breach
4.5.2. Ensure that he or she investigates the breach concerned and carry out a risk assessment. This will include determining the potential adverse consequences for the individual(s) concerned and the circumstances surrounding the data breach; and
4.5.3. Ensure that he or she takes steps are taken to evaluate the process post-breach and provide Avetta with any recommendations as necessary.
5. Data subject's rights
5.1. We will process all personal data in line with data subjects' rights, in particular their right to:
5.1.1. Request information on what personal data we hold about them and provide access to it.
5.1.2. Prevent the processing of their data for direct-marketing purposes.
5.1.3. Ask to have inaccurate data amended, erase data we hold about them or restrict the types of process we carry out in respect of that data.
5.1.4. Request we provide the personal data we hold about them in order they can use it for their own purposes across other services.
If the data subjects exercise any of their above rights, before doing anything, please contact the Data Protection Compliance Manager whose details are set out in clause 2.2 immediately in order they can assist you with how to proceed.
When receiving enquiries, we must not disclose personal data we hold on our systems unless we have checked the enquirer’s identity to make sure that information is only given to a person who is entitled to it.
Employees should not be coerced into taking action in relation to a data subjects’ personal information under any circumstances without being sure it is appropriate to do so as this in itself could result in a breach of the applicable legislation.
6. Right to complain
6.1. We will make data subjects aware of their right to make a complaint if they wish to do so. The organisation with oversight of our processing is the Information Commissioner’s Office, which can be contacted in writing at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone (0303 123 1113) or by e-mail ( [email protected])
7. Changes to this policy
7.1. We reserve the right to change this policy at any time.
Data Retention Periods
|Nature of Personal Data||Retention Period|
|Data relating to unsuccessful job applicants|| months following the application process|
|Personnel and training records|| years after the employee exits|
|Particulars and contracts of employment and changes to terms and conditions|| years after the employee exits|
|Consents for processing personal and sensitive data||Up to 6 years after the last processing of that data|
|Annual leave records|| years|
|Payroll and wage records|| years from the financial year-end in which payments were made|
|PAYE records|| years after exit|
|Maternity records|| years after the end of the tax year in which the maternity pay period ends|
|Bank details of employees||Delete after last wage payment in accordance with exit.|
|DBS checks||To be deleted once no longer required|
|Immigration checks|| years after exit|
|Disciplinary, grievances and appraisal records|| years after exit|
|Business contact information|| years after last contact|
|Personal data on our product suite such as prequalification information, health, safety, and environmental information, company information, public and private records, including safety logs, citations, and other regulatory data, certificates of insurance, insurance coverage information, and safety manuals.||To be deleted once no longer required|