Data Retention Policy

1.  Introduction

This Policy sets out the obligations of Summerill & Bishop Ltd. regarding the retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.

Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).

In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:

a) Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
b) When the data subject withdraws their consent;
c) When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
d) When the personal data is processed unlawfully (i.e. in breach of the GDPR);
e) When the personal data has to be erased to comply with a legal obligation; or
f) Where the personal data is processed for the provision of information society services to a child.

This Policy and the Retention Schedule set out the type(s) of personal data held by the Company, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

2.  Aims and Objectives

2.1 The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.

2.2 In addition to safeguarding the rights of data subjects under the GDPR, this Policy aims, by ensuring that excessive amounts of data are not retained by the Company, to improve the speed and efficiency with which data is managed.

3.  Scope

3.1 This Policy applies to all personal data held by the Company and by third-party data processors processing personal data on the Company’s behalf.

3.2 Personal data, as held by the Company, is stored in the following ways and in the following locations:

a) The Company’s servers, hosted on Microsoft Azure located within the EEA.

b) Third-party servers, operated by Lightspeed, Shopify Inc. & Mailchimp, located in the EEA and the United States. For processors located in the United States, the Company ensures that a similar degree of protection is afforded to the data; for further details see the ‘Safeguards’ section of our Privacy Policy.

c) Computers permanently located in the Company’s premises at Head Office or at 100 Portland Road or 58 Elizabeth Street, London;

d) Laptop computers provided by the Company to its employees;

e) Physical records stored in Head Office, 100 Portland Road or 58 Elizabeth Street, London.

4.  Data Disposal

Upon the expiry of the data retention periods set out below in the Retention Schedule, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:

4.1 Personal data stored electronically, including any and all backups thereof, shall be deleted securely;

4.2 Personal data stored in hardcopy form shall be securely shredded.

5.  Data Retention

5.1 As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.

5.2 Different types of personal data, used for different purposes, will necessarily be retained for different periods (and their retention periodically reviewed), as set out below.

5.3 When establishing and/or reviewing retention periods, the following shall be taken into account:

a) The objectives and requirements of the Company;

b) The type of personal data in question;

c) The purpose(s) for which the data in question is collected, held, and processed;

d) The Company’s legal basis for collecting, holding, and processing that data;

e) The category or categories of data subject to whom the data relates.

5.4 If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.

5.5 Notwithstanding the retention periods defined below, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).

5.6 In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.

Retention Schedule

Each entry below records the Type of Data, the Purpose of Data, the Retention Period or Criteria, and the Medium and Disposal Method.

CLIENT DATA

Client/Supplier Contact details
Purpose: Customer Service, Business Operations, Marketing.
Retention: Retained whilst the data subject remains a customer/supplier, or until the data subject requests full deletion.
Medium: Lightspeed Epos, Shopify CRM, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

Mailing campaigns
Purpose: Marketing.
Retention: Until deletion is requested.
Medium: Electronic (Mailchimp).
Disposal Method: Permanent deletion.

Emails
Purpose: Client servicing and legal due diligence.
Retention: 2 years after last action.
Medium: Electronic.
Disposal Method: Permanent deletion.

Purchase history
Purpose: Financial recording.
Retention: 7 years from Financial Year End.
Medium: Lightspeed Epos, Shopify CRM, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

CCTV images
Purpose: Security.
Retention: 30 days.
Medium: Electronic (hard disk and cloud).
Disposal Method: Automatically overwritten.

Enquiry Forms
Purpose: Customer Service.
Retention: 2 years after last action.
Medium: Electronic, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

FINANCE

Purchase orders
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

Invoice - Capital expenditure
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

Invoices
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

Company credit card transaction receipts
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Paper.
Disposal Method: Shredded.

Customer accounts/credit card receipts
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic, Email, Paper.
Disposal Method: Emails permanently deleted; paper shredded; other electronic records deleted.

Audit reports of external auditors
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Financial reports
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Bank statements
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Employee payroll records
Purpose: Financial recording/regulations/HR.
Retention: 7 years from Financial Year End.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

VAT returns
Purpose: Financial recording/regulations.
Retention: 7 years from Financial Year End.
Medium: Electronic.
Disposal Method: Deletion.

HR

Employee bank details
Purpose: Processing payroll.
Retention: Until employment ends.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Employee Contracts
Purpose: Legal due diligence.
Retention: 6 years from end of employment.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Pension scheme records
Purpose: HR best practice.
Retention: 12 years from the end of any benefit payable under the policy.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Senior Management records
Purpose: Historical records.
Retention: Indefinitely.
Medium and Disposal Method: N/A.

Personnel records/file
Purpose: HR management and compliance.
Retention: 6 years from end of employment.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Safety records
Purpose: Health & Safety, legal compliance.
Retention: 6 years from year end.
Medium: Paper.
Disposal Method: Shredded.

Employment Applications
Purpose: Compliance with discrimination legislation (successful applicants’ documents are transferred to their personnel file; see Personnel records/file above).
Retention: 2 years from year end.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Sick Pay Records
Retention: 3 years from end of tax year, or 6 years from end of employment in the case of a dispute.
Medium: Electronic.
Disposal Method: Permanent deletion; any paper copies shredded.

Accident reports/book
Purpose: Health & Safety, legal compliance.
Retention: 3 years from date of last incident.
Medium: Paper.
Disposal Method: Shredded.

Parental Leave
Purpose: HR Compliance.
Retention: 5 years from birth/adoption of child.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Training manuals
Purpose: HR Compliance.
Retention: 2 years after last update.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

COMPANY

Supplier Contracts
Purpose: Legal and Financial recording.
Retention: 7 years after contract terminated.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Policies/procedures/processes
Purpose: Legal compliance.
Retention: 2 years after last update.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Third-party contracts/agreements
Purpose: Legal and Financial recording.
Retention: 7 years after contract terminated.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Legal correspondence
Purpose: Legal compliance.
Retention: 10 years from last action.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Copyright information
Purpose: Protection of company intellectual property.
Retention: 50 years from expiry.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

Insurance policies
Purpose: In case of future claims.
Retention: 2 years from policy expiry.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

ANALYTICAL DATA

Google Analytics
Purpose: Customer service improvements, business development.
Retention: 2 years from end of campaign.
Medium: Electronic and Paper.
Disposal Method: Permanent deletion; paper shredded.

6.  Roles and Responsibilities

6.1 The Company’s Data Privacy Manager is Louisa Alan, email [email protected]

6.2 The Data Privacy Manager shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.

6.3 The following roles are responsible for retention of these records because they are in control of the relevant data. Each person is responsible for ensuring that all personal data is collected, retained and destroyed in line with the requirements of the GDPR.

a) The Finance Director (FD) is responsible for retention of financial (accounting, tax) and related records.

b) The Head of HR is responsible for retention of all HR records.

c) The Health and Safety Officer is responsible for retention of all Health and Safety records.

d) The Data Privacy Manager is responsible for storage of data in line with this procedure.

e) The Manager/Executive (generic/line) is responsible for ensuring that retained records are included in business continuity and disaster recovery plans.

6.4 Any questions regarding this Policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Privacy Manager.

7.  Implementation of Policy

This Policy shall be deemed effective as of 18th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name: Louisa Alan

Position: Operations Director

Date: 18th May 2018

Due for Review by: 17th May 2019