+44 (0) 1530 830930 info@clinipol.co.uk

Data Retention Policy

Introduction

This Policy sets out the obligations of Clinipol Holdings Ltd (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
This Policy sets out the type(s) of personal data held by the Company for Contract, Legal Obligation and Vital Interests purposes for which that personal data is to be retained and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.

Aims and Objectives

The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.

Scope

This Policy applies to all personal data held by the Company and by third-party data processors processing personal data on the Company’s behalf.

Personal data, as held by the Company is stored in the following ways and in the following locations:
• The Company’s servers located on the premises at Clinical Polymer Technologies Ltd;
• Computers permanently located in the Company’s;
• Laptop computers and other mobile devices provided by the Company to its employees;
• Physical records stored on the company premises;
• All system information contained on the Cloud.

Data Disposal

Upon the expiry of the data retention periods set out below of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
• Personal data stored electronically shall be electronically deleted;
• Personal data stored in hardcopy form shall be shredded.

Data Retention

As required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
Different types of personal data, used for different purposes, will necessarily be retained for different periods as set out below.
When establishing and/or reviewing retention periods, the following shall be taken into account:

• The objectives and requirements of the Company;
• The type of personal data in question;
• The purpose(s) for which the data in question is collected, held, and processed;
• The Company’s legal basis for collecting, holding, and processing that data;
• The category or categories of data subject to whom the data relates.

Employees Data

Type of Data Legal Basis Retention Period Disposal
CV Contract Up to appointment decision Hard & Electronic Copy
References Contract Up to appointment decision Hard & Electronic Copy
Passport/Driving Licence/Work Permit Legal Obligation Period of employment Hard & Electronic Copy
Contract Contract Period of employment Hard & Electronic Copy
Bank Details Legal Obligation Period of employment Hard & Electronic Copy
Pension Details and Policies Legal Obligation 12 years post exit from company Hard & Electronic Copy
Wage/Salary/overtime/bonuses/expenses Legal Obligation 6 years post exit from company Hard & Electronic Copy
Working Time Contract 2 years post exit from company Hard & Electronic Copy
Inland Revenue/HMRC Approvals Legal Obligation Permanently Hard & Electronic Copy
Redundancy Details Legal Obligation 6 years post exit from company Hard & Electronic Copy
Statutory Sick Pay Records Contract 6 years post exit from company Hard Copy Only
Holiday Request Form Contract Period of employment Hard & Electronic Copy
Accident Report Form Contract 3 years post exit from company Hard Copy Only
Medical Events Log Vital Interests 40 years post exit from company Hard Copy Only
Emails Contract Lifetime of CPT Hard & Electronic Copy
IP Address Contract Period of employment Electronic Copy Only
Focused in House Training Contract 10 years Hard & Electronic Copy
Internal Audit Form Contract 10 years Electronic Copy Only
Microbiological Testing Record Contract 10 years Electronic Copy Only
Pre-Production Validation Form Contract 10 years Hard Copy Only
Works Process Specification Form Contract 10 years Hard Copy Only
Rework Details Form Contract 10 years Hard Copy Only
Training Records Contract 3 years post exit from company Hard & Electronic Copy
WPS Change Note Contract 10 years Hard Copy Only
Images Consent Period of employment Electronic Copy Only
Emergency Contact Details Contract Period of employment Hard Copy Only

Clients Data

Type of Data

Legal Basis

Retention Period

Disposal

Contract

Contract

Period of contract

Shredded,

Electronic Deleted

Bank Details

Contract

Period of contract

Shredded,

Electronic Deleted

Invoices

Contract

10 years

Shredded,

Electronic Deleted

PO’s

Contract

10 years

Shredded,

Electronic Deleted

Credit Notes

Contract

10 years

Shredded,

Electronic Deleted

Delivery Notes

Contract

10 years

Shredded,

Electronic Deleted

Bibby Records

Contract

10 years

Shredded,

Electronic Deleted

Emails

Contract

Lifetime of CPT

Shredded,

Electronic Deleted

Customer Complaint Report

Contract

10 years

Electronic Deleted

Drawings

Contract

Lifetime of CPT

Shredded,

Electronic Deleted

Invoice Register

Contract

10 years

Shredded

Order Acknowledgement

Contract

10 years

Shredded,

Electronic Deleted

WPS Change Note

Contract

10 years

Shredded

Suppliers Data

Type of Data

Legal Basis

Retention Period

Disposal

Supplier Questionnaires

Contract

Period of contract

Shredded

Accreditation Certificates

Contract

Period of contract

Shredded

Bank Details

Contract

Period of contract

Shredded,

Electronic Deleted

Quotes

Contract

10 years

Shredded,

Electronic Deleted

Invoices

Contract

10 years

Shredded,

Electronic Deleted

PO’s

Contract

10 years

Shredded,

Electronic Deleted

Credit Notes

Contract

10 years

Shredded,

Electronic Deleted

Collection Notes

Contract

10 years

Shredded,

Electronic Deleted

Delivery Notes

Contract

10 years

Shredded,

Electronic Deleted

CoC

Contract

10 years

Shredded,

Electronic Deleted

Emails

Contract

Lifetime of CPT

Shredded,

Electronic Deleted

External Audit Form

Contract

Period of contract

Shredded,

Electronic Deleted

Purchase Order Request Form

Contract

10 years

Shredded,

Electronic Deleted

Order Acknowledgement

Contract

10 years

Shredded,

Electronic Deleted

Permit to Work

Contract

Period of contract

Shredded,

Electronic Deleted

Roles and Responsibilities

The Company’s Data Organiser is Colin Wadsworth (Quality Manager).
The Data Organiser is responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.
Any questions regarding this Policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Organiser.

Implementation of Policy

This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Colin Wadsworth
Position: Data Organiser
Date: 25.05.2018
Signature: 

Colin Wadsworth