Personal Data Retention Policy

Introduction

At Zuboid Courier, we take our responsibilities under the UK's Data Protection Act (“DPA”) and the General Data Protection Regulation (“GDPR”) very seriously. This policy sets out the retention and destruction requirements for all information assets containing Personal Data held by Zuboid Courier, regardless of form and format, whether digital or print.

This policy is for internal use only and cannot be shared with third parties without prior authorisation from our Data Protection Manager.

Rationale

Data protection legislation contains several principles that must be followed by those who process personal or sensitive personal data. These include the requirement that data controllers should not continue to process personal data for longer than is necessary, and should recognise the need for such data to be destroyed after a certain amount of time.

Data Protection Manager

Zuboid Courier’s Data Protection Manager (“DPM”) can be reached at info@zuboidcourier.com.

Responsibility

Compliance with this policy is overseen by our DPM. Managers must ensure that staff members who process personal data retain and destroy it in accordance with this policy. Staff members must ensure that they can identify when a retention period is due to expire, so that they can carry out a review and determine whether the Personal Data should be deleted or destroyed. Compliance with this policy is mandatory. Any breach of this policy may result in disciplinary action.

Policy

Zuboid Courier is required under data protection laws to ensure that information assets containing Personal Data are not retained in a form which enables the identification of individuals for any longer than is necessary for the purposes for which the Personal Data have been collected. Consequently, Zuboid Courier must be able to justify the retention of Personal Data.

When is retaining Personal Data no longer necessary, so that it must be deleted?

  • When the purpose for which the Personal Data was collected, and of which the relevant Data Subject has been informed, has been served;
  • When the applicable statutory or regulatory retention period has expired;
  • Where Personal Data is no longer relevant to an actual or potential legal claim.

Retention and Storage

Where Personal Data is retained only for statutory or regulatory purposes or for a legal claim, the following applies:

Staff member

The Staff member must ensure that:

  • such data is moved out of the live environment and moved into the designated
  • The DPM must be informed of the

DPM

The DPM must ensure that:

  • Personal Data is accessible when lawfully requested;
  • the designated archive is appropriately secured;
  • access is sufficiently restricted;
  • Personal Data is securely and permanently deleted or destroyed once the applicable statutory or regulatory retention period has expired, and the Personal Data is no longer relevant to an actual or potential legal claim.

Are there any exceptions?

If you believe that Personal Data should be retained for a longer period, please contact our DPM.

Secure Deletion and Archiving of Personal Data

Personal Data must be deleted and stored using one of the following secure methods:

  • Documents in electronic format must be deleted with a secure deletion utility, and standard deletion utilities should not be used;
  • Personal Data on hard drives, removable drives, storage devices, or any similar item must be securely erased before any disposal or reassignment of the equipment;
  • Personal Data that is archived on hard drives, removable drives, storage devices, or any similar item must be kept in an orderly manner and encrypted using at least AES-256;
  • Paper copies must be destroyed using cross-cut shredders.

Data Retention Periods Overview

Payroll and salary records

  • The withholding agent (generally the employer) must keep an administration of wages, including tax-exempt reimbursements. In addition, the employer needs to inform the employee on an annual basis of the total amount of wages earned, wage withholding tax, and social security withheld.
    Retention period: 6y
  • Payroll records (wages, tax and social security records, payslips, overtime compensation, bonuses, expenses, benefits in kind)
    Retention period: 6y
  • Severance pay records (e.g. notification to and consent of the competent authorities regarding dismissal, decisions of the court regarding dismissal, correspondence with the competent authorities regarding dismissal, outplacement records, calculations of termination payments)
    Retention period: As long as required for the relevant purpose.

HR/employment/pension records

  • Employment contract
    Retention period: 6y
  • Business data and documents concerning pension schemes and related subjects
    Retention period: 6y
  • Administration regarding pension scheme (by pension administrator and pension association)
    Retention period: 6y
  • Data of rejected job applicants (e.g. application letters, CVs, references, certificates of good conduct, job interview notes, assessment and psychological test results)
    Retention period: As long as required for the relevant purpose.
  • Data concerning a temporary worker
    Retention period: 6y
  • Reports on employee performance review meetings and assessment interviews (e.g. evaluations, employment application forms of successful applicants, copies of academic and other training received, employment contracts and their amendments, correspondence concerning appointments, appraisals, promotions, and demotions, agreements concerning activities in relation to the works council, references, and sick leave records)
    Retention period: 6y
  • Employee stock purchase and options records
    Retention period: 6y
  • Copies of the identification document
    Retention period: As long as required for the relevant purpose.
  • Expat records and other records relating to foreign employees (e.g. visa, work permit)
    Retention period: 6y
  • Data concerning pension and early retirement
    Retention period: 6y

Review

Zuboid Courier will continue to review the effectiveness of this Data Retention Policy on at least an annual basis, and more frequently if required, to ensure it is achieving its stated objectives, taking into account changes in the law and organisational or security changes.