
DATA RETENTION POLICY

Definitions

Business relationship means the period during which DR is engaged in the performance or administration of services for a person.
Client means any person who has signed up to DR’s services, regardless of whether DR submits a claim to Her Majesty’s Revenue and Customs (HMRC) on their behalf.
Data in this Policy refers to personal data, which means any information relating to a person.
Delete means the removal of all or part of a client file (including data) from DR’s databases and records and those of its relevant third-party processors.
Person is what the UK GDPR calls a “data subject”. The UK GDPR defines a data subject as “an identifiable natural person” or someone who can be identified, directly or indirectly.
People means more than one Person.
DR means Direct Redress Limited, a company registered in England whose registered office is Booths Park 5, Chelford Road, Knutsford, Cheshire, WA16 8GS.

Introduction

This Policy sets out DR’s data retention obligations and policies. This Policy applies to all data (except for employee, applicant, or service provider data) dealt with by DR (and by third parties processing data on DR’s behalf).

DR must keep data in a form which permits the identification of people for no longer than is necessary for the purposes for which DR processes the data. In certain cases, controllers of personal data may store data for longer periods (although those cases do not apply to DR).

People also have the ‘right to erasure’, also known as ‘the right to be forgotten’. People have the right to have their data erased (and to prevent the processing of that data) in the following circumstances:

  1. Where the data is no longer required for the purpose for which it was originally collected or processed.
  2. When the person withdraws their consent (if the data is held based on that person’s consent).
  3. When the person objects to the processing of their data and DR has no overriding legitimate interest or legal obligation.
  4. When the data has been processed unlawfully.
  5. When DR must erase the data to comply with a legal obligation.
  6. Where the data has been processed for the provision of information society services to a child (which is not applicable to what DR does).

This Policy sets out the types of data held by DR for delivery of DR’s services, the periods for which that data is retained by DR, the criteria for establishing and reviewing such periods, and when and how data are to be deleted or otherwise disposed of.

Aims, objectives, and scope

The primary aim of this Policy is to set out clearly DR’s data retention limits so that DR is accountable and transparent. DR stores data in the following ways:

  • On servers belonging to DR (or its third-party data processors).
  • On computers (including phones) belonging to DR (or its third-party data processors).

Erasure and restriction of processing rights

DR holds all data in accordance with the requirements and rights set out by the Data Protection Act 2018, as detailed in DR’s Privacy Policy. DR keeps people fully informed of their rights, the data DR holds about them, how DR uses that data, and how long DR will hold that data. People have the right:

  1. to request that DR delete their data (notwithstanding the retention periods otherwise set out in this Policy); and
  2. to restrict DR’s use of their data.

DR will comply with erasure requests where it does not have an overriding reason, listed in this Policy, to retain the person’s data. Please note that:

  • DR has a legal obligation to retain client records for five years after the end of the business relationship with a person under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
  • DR will retain data for six years from the end of the business relationship for the establishment, exercise, or defence of legal claims related to DR’s performance of its contractual obligations. The six-year period is based on Sections 2 and 5 of the Limitation Act 1980. DR will erase the data as soon as reasonably practicable after the expiration of the six-year period.

Please consult the relevant section of the ICO’s website (linked here) if you wish to verify our position.

Data disposal

At the end of the data retention periods set out in this Policy, DR will fully anonymise a person’s data unless that person has requested erasure or restriction of processing. If a person requests erasure or exercises their right to restrict DR’s processing of their data, DR will delete, destroy, or otherwise dispose of the data (subject to any legal obligations).

  • DR will securely delete electronic data (including any backups) from DR’s servers, mobile phones, and computers.
  • DR will securely shred any data stored in a physical format.

Where a person provides to DR an original document (such as a passport or driver’s licence), DR will store a digital copy of this document on its servers in accordance with this Policy. In this case, DR may return the original document to the person who provided it.

DR does not retain physical copies of documents from HMRC. DR scans documents from HMRC and stores the documents electronically. DR cannot provide original copies of documents from HMRC because DR shreds any physical documents received from HMRC within one month of receipt.

DR’s Data Protection Manager is responsible for processing all ‘right to erasure’ requests in accordance with this Policy and the data retention periods set out below.

Data retention

DR shall not retain any data for longer than is necessary considering the purposes for which it collected, held, and processed that data.

DR considers the following factors when establishing and/or reviewing retention periods:

  • DR’s objectives and requirements.
  • The type of data in question.
  • The purposes for which it collected, held, and processed the data.
  • The lawful basis for which it collected, held, and processed that data.
  • The category or categories of person to whom the data relates.

DR considers carefully the criteria by which it determines data retention periods. DR periodically assesses the suitability of these criteria. DR uses distinct data for different purposes and therefore retention periods vary accordingly.

Notwithstanding the following defined retention periods, DR may erase or destroy certain data before expiry of the defined retention period where it is legally permitted to do so.

Each entry below gives the Type of Data, the Purpose of Data, the Review Period, and the Retention Period or Criteria.

Type of Data: Technical data
  • Login details
Purpose of Data:
  • Security and Identification measures
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or for the duration required to perform the contract to which the data relates.

Type of Data: Analytics data
  • Cookies
  • User identifiers
  • Advertising identifiers
Purpose of Data:
  • To track website usage
  • To track advertising campaigns
Review Period: Annually
Retention Period or Criteria: 26 months

Type of Data: Contact data
  • Postal address
  • Email address
  • Telephone number
Purpose of Data:
  • To enter and fulfil a contract
  • Business analytics and development
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Employment data
  • Employment history
  • Sector
  • Job title
Purpose of Data:
  • To fulfil a contract
  • Business analytics and development
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Financial data
  • Bank details
  • Transaction data
Purpose of Data:
  • To fulfil a contract
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Identity data
  • First name
  • Former names
  • Last name
  • Marital status
  • Title
  • Date of birth
  • National Insurance number
  • Unique Tax Reference number
  • Customer reference number
  • IP address
Purpose of Data:
  • To enter and fulfil a contract
  • Business analytics and development
  • Security measures
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Identity verification data
  • Nationality
  • Place of birth
  • Sex
  • Passport number
  • Driver’s licence number
  • Photo
  • Next of kin
  • Relatives
  • Spouse
  • Civil partner
  • Place of birth
  • Place of death
  • Nature of death
  • Time of death
  • Officiating persons
  • Witnesses
  • Contact details of mentioned persons
Purpose of Data:
  • To perform identity verification checks
  • To verify any name changes
  • To verify the relevant person to receive funds in the event of a customer’s death.
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Preferences data
  • Marketing preferences
  • Communication preferences
Purpose of Data:
  • To correctly manage your communication and marketing preferences
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Type of Data: Tax data
  • Income (taxable or untaxable)
  • Tax paid
  • Taxable expenses (received and claimed)
  • Tax account balance (overpaid or underpaid)
  • Source of income (if pension fund)
  • Pension contributions
Purpose of Data:
  • To fulfil a contract
  • Business analytics and development
Review Period: Annually
Retention Period or Criteria: The earlier of the time of deletion or 6 years from the end of the contract to which the data relates.

Contact details

DR has a privacy manager called the Data Protection Manager. For further information on DR and other aspects of our data protection and compliance policies, please contact the Data Protection Manager at: info@directredress.com

Implementation

This Policy is effective as of 12 January 2021 and applies to all data collected before, on or after this date.