Data Retention Policy - Zuboid Courier
Introduction
At Zuboid Courier, we take our responsibilities under the UK’s Data Protection Act (“DPA”) and the General Data Protection Regulation (“GDPR”) very seriously. This policy sets out the retention and destruction requirements of all information assets containing Personal Data held by Zuboid Courier, regardless of the form and format, whether digital or print.
This policy is for internal use only and cannot be shared with third parties without prior authorization from our Data Protection Manager.
Rationale
Data protection legislation contains several principles that must be followed by those who process personal or sensitive personal data. This includes the requirement that data controllers should not continue to process personal data for longer than necessary and recognize the need for such data to be destroyed after a certain period.
Data Protection Manager
Zuboid Courier’s Data Protection Manager (“DPM”) can be reached at info@zuboidcourier.com.
Responsibility
Compliance with this policy is overseen by our DPM. Managers must ensure that staff members who process personal data retain and destroy it in accordance with this policy. Staff members must ensure that they can identify when a retention period is due to expire, so they can review and determine whether the Personal Data should be deleted or destroyed. Compliance with this policy is mandatory. Any breach of this policy may result in disciplinary action.
Policy
Zuboid Courier is required under data protection laws to ensure that information assets containing Personal Data are not retained in a form that enables the identification of individuals for any longer than necessary for the purposes for which the Personal Data was collected.
When is retaining Personal Data no longer necessary?
- When the purpose for which the Personal Data was collected has been served.
- When the applicable statutory or regulatory retention period has expired.
- Where Personal Data is no longer relevant to an actual or potential legal claim.
Retention and Storage
Staff Member Responsibilities
- Ensure such data is moved out of the live environment and into the designated archive.
- Inform the DPM of the transfer.
DPM Responsibilities
- Ensure Personal Data is accessible when lawfully requested.
- Ensure the designated archive is appropriately secured.
- Restrict access sufficiently.
- Ensure Personal Data is securely and permanently deleted or destroyed once the applicable statutory or regulatory retention period has expired.
Are there any exceptions?
If you believe that Personal Data should be retained for a longer period, please contact our DPM.
Secure Deletion and Archiving of Personal Data
- Documents in electronic format must be deleted with a secure deletion utility.
- Personal Data on hard drives, removable drives, and storage devices must be securely erased before disposal.
- Archived Personal Data must be organized securely and encrypted using at least AES-256.
- Paper copies must be destroyed using cross-cut shredders.
For any inquiries, contact: info@zuboidcourier.com
Data Retention Periods Overview
Payroll and salary records
| The withholding agent (generally the employer) must keep an administration of wages, including tax-exempt reimbursements. In addition, the employer needs to inform the employee on an annual basis of the total amount of wages earned, wage withholding tax, and social security withheld. | 6y |
| Payroll records (wages, tax and social security records, payslips, overtime compensation, bonuses, expenses, benefits in kind) | 6y |
| Severance pay records (e.g. notification to and consent of the competent authorities regarding dismissal, decisions of the court regarding dismissal, correspondence with the competent authorities regarding dismissal, outplacement records, calculations of termination payments) | As long as required for the relevant purpose. |
| Employment contract | 6y |
| Business data and documents concerning pension schemes and related subjects | 6y |
| Administration regarding pension scheme (by pension administrator and pension association) | 6y |
| Data of rejected job applicants (e.g. application letters, CVs, references, certificates of good conduct, job interview notes, assessment and psychological test results) | As long as required for the relevant purpose |
| Data concerning a temporary worker | 6y |
| Reports on employee performance review meetings and assessment interviews (e.g. evaluations, employment application forms of successful applicants, copies of academic and other training received, employment contracts and their amendments, correspondence concerning appointments, appraisals, promotions, and demotions, agreements concerning activities in relation to the works council, references, and sick leave records) | 6y |
| Employee stock purchase and options records | 6y |
| Copies of the identification document | As long as required for the relevant purpose |
| Expats records and other records relating to foreign employees (e.g. visa, work permit) | 6y |
| Data concerning pension and early retirement | 6y |
Review
Zuboid Courier will continue to review the effectiveness of this Data Retention Policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required, taking into account changes in the law and organisational or security changes.
