About This Policy
This Data Retention & Erasure Policy (External) relates specifically to Delegates, Client Contacts and Supplier Representatives (Data Subjects).
The policy is intended to ensure that BTRM Ltd and its subsidiaries, here after known as BTRM, processes its business records in accordance with the personal data protection principles, in particular that:
- Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by this policy.
- Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
- Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
- Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
The Data Protection Manager (DPM) is responsible for overseeing this policy. Any questions about the operation of this policy should be submitted to the DPM.
Location of Business Records
Our business records are mainly stored within our CRM/database, NAME. We may also store relevant information:
– On our internal network in shared folders;
– In cloud-based storage services such as OneDrive and Dropbox.
Keeping Information Up to Date
BTRM needs to ensure that our business records are kept up to date and accurate. Our employees are trained to update Data Subjects’ records whenever appropriate to ensure that (i) the data is up to date and (ii) all relevant employees are able to access and use such data for legitimate business purposes.
General Principles on Retention & Erasure
WBS Training’s approach to retaining business records is to ensure that it complies with the data protection principles referred to in this policy and, in particular, to ensure that:
- Business records are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary to be used for the purpose for which they were recorded.
- Business records are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- When records are destroyed, whether held as paper records or in electronic format, WBS Training will ensure that they are safely and permanently erased.
Standard Retention & Erasure of Business Records
- The BTRM’s standard data retention period is two years from the last date on which BTRM was in actual contact with the relevant Data Subject. If more than two years have elapsed since the WBS Training was last in contact with the Data Subject (Expiry Date), BTRM’s process is to delete the personal data relating to such Data Subject, subject to paragraph a below.
- That the usual contract limitation period is six years and BTRM could be required to defend itself against a breach of contract claim at any time during the limitation period. Certain personal data may be subject to an extended limitation period of up to twelve years in total where the relevant agreement has been executed as a Deed.
- Where the Expiry Date has passed but WBS Training is required to keep relevant data for the Legal Retention Period:
- Any personal data which is not needed for audit or legal defence purposes should be removed from the Data Subject’s record. This includes personal data which is (i) irrelevant and/or (ii) particularly confidential in nature.
- In some instances, a Data Subject’s record will not pass the Expiry Date because BTRM stays in regular contact with such Data Subject. Although the record itself shall not expire under these circumstances, BTRM shall take active steps to ensure that the personal data within the Business Record remains relevant and necessary for the purpose for which it was obtained. BTRM shall delete any documents, notes and other types of personal data which are no longer required.
Erasure/Right To Be Forgotten Requests
A Data Subject may submit a request for erasure of their details from time to time (Erasure Request) i.e. the right to be forgotten.
Upon receipt of an Erasure Request, BTRM shall first verify the identity of the Data Subject and then establish whether the Data Subject wishes (1) to be entirely deleted from BTRM’s business records or (2) to remain within the BTRM’s business records but marked as Non-Active or Do Not Contact.
(1) Erasure. If the Data Subject wishes to have their personal data erased:
- BTRM shall process such request in accordance with the Data Subject’s instructions but BTRM shall advise the Business Record that they may have no record of the Erasure Request and may therefore contact the Data Subject again upon subsequent receipt of the Data Subject’s details from a third party source e.g. a job board, CV search or LinkedIn.
- BTRM shall ensure that any (i) joint Data Controlleror (ii) third party which is processing relevant Data Subject’s data on behalf of BTRM is informed that Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
- BTRM shall within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request. Where BTRM has a legal right or duty to retain certain data for the Legal Retention Period set out above, BTRM shall confirm to the Data Subject in writing the steps which it has taken in respect of the Erasure Request and the extent to which any data has been retained.
- If the request is manifestly unfounded or excessive, for example, because of its repetitive character, BTRM may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
- If BTRM is not going to respond to the request, BTRM shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
(2) Do Not Contact. If the Data Subject wishes to have their record marked as Do Not Contact:
- BTRM shall establish whether the Do Not Contact request is for a limited or indefinite period. BTRM shall record the Data Subject’s decision in the relevant business record.
- Once marked as Do Not Contact, the Data Subject’s record shall then be subject to BTRM’s standard data retention procedures and may be deleted after two years or more of inactivity, subject to any legal right or duty upon BTRM to retain the data for the Legal Retention Period.