Introduction
This data retention policy sets out the obligations of Denny Ellison Enterprises Limited (“we”, “our”, “us”) and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control. This policy applies to our entire company and all of its officers, employees, agents, consultants and sub-contractors and sets out what the retention periods are and when any such data may be deleted.
We are registered under the Information Commissioner’s Office under registration number: Z2358970
Objectives
It is necessary to retain and process certain information to enable our business to operate. We may store data in the following places:
- our own servers
- any third-party servers
- potential email accounts
- desktops
- employee-owned devices
- potential backup storage
- our paper files
This policy applies equally to paper, electronic media and any other methods used to store personal data. The period of retention only commences when the record is closed. We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible.
Retention Policy
Data retention is defined as the retention of data for a specific period of time and for back up purposes. We shall not keep any personal data longer than necessary but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. Our specific data retention periods are set out in the table below.
Type of data subject |
Type of data |
Type of processing |
Purpose of processing |
Retention period |
|---|---|---|---|---|
| Employees, consultants, contractors | First name, last name, email address, telephone number, address, company information, bank details, date of birth, recruitment information, employment record | Stored on management devices, email services, company server, paper files | Contractual agreement | 6 years after contract termination |
| Clients | First name, last name, email address, telephone number, company address, company information, bank details | Stored on management devices, email services, company server, paper files | Contractual agreement with company/employer | 6 years after contract termination |
| Prospective clients | First name, last name, email address, telephone number, company address, company information | Stored on management or consultant devices, email services, company server, paper files | Marketing | Inactive for 10 years* |
| Suppliers | First name, last name, email address, telephone number, company address, company information, bank details | Stored on management devices, email services, company server, paper files | Contractual agreement or ongoing working relationship | 6 years after contract termination or inactive for 6 years* |
| Company contacts for research reports | First name, last name, email address, telephone number, company address, company information | Stored on management or consultant devices, email services, company server, paper files | Creation of research reports | Inactive for 10 years* |
| Industry contacts | First name, last name, email address, telephone number, company address, company information | Stored on management or consultant devices, email services, company server, paper files | Business development | Inactive for 10 years* |
* Inactive means that there has been no interaction (by email, telephone, in person, by mail, etc.). In some circumstances, it may be necessary to retain or access historic personal data, such as if we have become involved in unforeseen events like litigation or business disaster.
Destruction and Disposal
Upon expiry of our retention periods, we shall delete confidential or sensitive records, and we shall either delete or anonymise other personal data.
Our Data Privacy Manager is responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction if needed.