Greengage Data Retention Policy
(for the Protection of Personal Information)
Purpose of this Data Retention Policy
Greengage must comply with its obligations under data protection laws (including GDPR and The Data Protection Act 2018) whenever it processes Personal Data relating to customers, suppliers, staff and any other individuals the Firm interacts with.
Requirements
Greengage is required under data protection laws to ensure that Information Assets containing Personal Data are not retained in a form which enables the identification of individuals for any longer than is necessary for the purposes for which the Personal Data has been collected. Greengage must be able to justify any retention of Personal Data to the authority responsible for enforcing data protection laws in the UK. .
In practice what this means is that the Greengage must not retain the Personal Data contained within Information Assets for any longer than is necessary:
-
For the operational purpose that the Personal Data was collected for, and which the relevant Data Subject has been informed of (i.e. in relevant privacy notices);
-
In order to comply with any applicable statutory or regulatory retention requirements; or
-
To enable the Company to exercise its legal rights and/or defend against legal claims.
Where a statutory or regulatory retention requirement applies, or where data is relevant to an actual or potential legal claim, only the specific Personal Data which is required to be retained in order to meet the statutory/regulatory retention requirement or for a legal claim, should be retained for those purposes.
Personal Data may also be retained for a longer period if it is solely for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures which are required by data protection laws, in order to safeguard the rights and freedoms of the Data Subject.
Greengage is required to take a proportionate approach to data retention, balancing the Firm’s needs with the impact of retention on Data Subjects’ privacy. Greengage also needs to comply with all other aspects of data protection laws in relation to the Personal Data that it retains, including ensuring that its retention is fair and lawful and that it is secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Guideline data retention periods for different types of Personal Data are followed by all Staff and detailed within Greengage’s Data Retention Matrix. Earlier deletion may be appropriate in some circumstances.
Greengage will ensure that any request received from a Data Subject asking it to delete or destroy their Personal Data under the ‘right to be forgotten’ is dealt with in accordance with data protection laws. Any such request should be dealt with in accordance with our Privacy Policy, which can be viewed at: - https://greengage.co/privacy-policy