Data Retention Policy
Introduction
This Policy sets out the obligations of Clinipol Holdings Ltd (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
This Policy sets out the type(s) of personal data held by the Company for Contract, Legal Obligation and Vital Interests purposes for which that personal data is to be retained and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.
Aims and Objectives
The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.
Scope
This Policy applies to all personal data held by the Company and by third-party data processors processing personal data on the Company’s behalf.
Personal data, as held by the Company is stored in the following ways and in the following locations:
• The Company’s servers located on the premises at Clinical Polymer Technologies Ltd;
• Computers permanently located in the Company’s;
• Laptop computers and other mobile devices provided by the Company to its employees;
• Physical records stored on the company premises;
• All system information contained on the Cloud.
Data Disposal
Upon the expiry of the data retention periods set out below of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
• Personal data stored electronically shall be electronically deleted;
• Personal data stored in hardcopy form shall be shredded.
Data Retention
As required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
Different types of personal data, used for different purposes, will necessarily be retained for different periods as set out below.
When establishing and/or reviewing retention periods, the following shall be taken into account:
• The objectives and requirements of the Company;
• The type of personal data in question;
• The purpose(s) for which the data in question is collected, held, and processed;
• The Company’s legal basis for collecting, holding, and processing that data;
• The category or categories of data subject to whom the data relates.
Employees Data
| Type of Data | Legal Basis | Retention Period | Disposal |
| CV | Contract | Up to appointment decision | Hard & Electronic Copy |
| References | Contract | Up to appointment decision | Hard & Electronic Copy |
| Passport/Driving Licence/Work Permit | Legal Obligation | Period of employment | Hard & Electronic Copy |
| Contract | Contract | Period of employment | Hard & Electronic Copy |
| Bank Details | Legal Obligation | Period of employment | Hard & Electronic Copy |
| Pension Details and Policies | Legal Obligation | 12 years post exit from company | Hard & Electronic Copy |
| Wage/Salary/overtime/bonuses/expenses | Legal Obligation | 6 years post exit from company | Hard & Electronic Copy |
| Working Time | Contract | 2 years post exit from company | Hard & Electronic Copy |
| Inland Revenue/HMRC Approvals | Legal Obligation | Permanently | Hard & Electronic Copy |
| Redundancy Details | Legal Obligation | 6 years post exit from company | Hard & Electronic Copy |
| Statutory Sick Pay Records | Contract | 6 years post exit from company | Hard Copy Only |
| Holiday Request Form | Contract | Period of employment | Hard & Electronic Copy |
| Accident Report Form | Contract | 3 years post exit from company | Hard Copy Only |
| Medical Events Log | Vital Interests | 40 years post exit from company | Hard Copy Only |
| Emails | Contract | Lifetime of CPT | Hard & Electronic Copy |
| IP Address | Contract | Period of employment | Electronic Copy Only |
| Focused in House Training | Contract | 10 years | Hard & Electronic Copy |
| Internal Audit Form | Contract | 10 years | Electronic Copy Only |
| Microbiological Testing Record | Contract | 10 years | Electronic Copy Only |
| Pre-Production Validation Form | Contract | 10 years | Hard Copy Only |
| Works Process Specification Form | Contract | 10 years | Hard Copy Only |
| Rework Details Form | Contract | 10 years | Hard Copy Only |
| Training Records | Contract | 3 years post exit from company | Hard & Electronic Copy |
| WPS Change Note | Contract | 10 years | Hard Copy Only |
| Images | Consent | Period of employment | Electronic Copy Only |
| Emergency Contact Details | Contract | Period of employment | Hard Copy Only |
Clients Data
|
Type of Data |
Legal Basis |
Retention Period |
Disposal |
|
Contract |
Contract |
Period of contract |
Shredded, Electronic Deleted |
|
Bank Details |
Contract |
Period of contract |
Shredded, Electronic Deleted |
|
Invoices |
Contract |
10 years |
Shredded, Electronic Deleted |
|
PO’s |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Credit Notes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Delivery Notes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Bibby Records |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Emails |
Contract |
Lifetime of CPT |
Shredded, Electronic Deleted |
|
Customer Complaint Report |
Contract |
10 years |
Electronic Deleted |
|
Drawings |
Contract |
Lifetime of CPT |
Shredded, Electronic Deleted |
|
Invoice Register |
Contract |
10 years |
Shredded |
|
Order Acknowledgement |
Contract |
10 years |
Shredded, Electronic Deleted |
|
WPS Change Note |
Contract |
10 years |
Shredded |
Suppliers Data
|
Type of Data |
Legal Basis |
Retention Period |
Disposal |
|
Supplier Questionnaires |
Contract |
Period of contract |
Shredded |
|
Accreditation Certificates |
Contract |
Period of contract |
Shredded |
|
Bank Details |
Contract |
Period of contract |
Shredded, Electronic Deleted |
|
Quotes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Invoices |
Contract |
10 years |
Shredded, Electronic Deleted |
|
PO’s |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Credit Notes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Collection Notes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Delivery Notes |
Contract |
10 years |
Shredded, Electronic Deleted |
|
CoC |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Emails |
Contract |
Lifetime of CPT |
Shredded, Electronic Deleted |
|
External Audit Form |
Contract |
Period of contract |
Shredded, Electronic Deleted |
|
Purchase Order Request Form |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Order Acknowledgement |
Contract |
10 years |
Shredded, Electronic Deleted |
|
Permit to Work |
Contract |
Period of contract |
Shredded, Electronic Deleted |
Roles and Responsibilities
The Company’s Data Organiser is Colin Wadsworth (Quality Manager).
The Data Organiser is responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.
Any questions regarding this Policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Organiser.
Implementation of Policy
This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Colin Wadsworth
Position: Data Organiser
Date: 25.05.2018
Signature: