Data Retention Policy
The General Data Protection Regulation (GDPR) and the Data Protection Act legislate where and when we have an obligation to delete data, and when we have an obligation to keep it. This policy is designed to ensure that Sheppex Limited remains compliant with all current legislation regarding data retention. This means:
- We know how to recognise a request for erasure and we understand when the right applies.
- We have a policy for how to record requests we receive verbally.
- We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
- We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.
- We are aware of the circumstances when we can extend the time limit to respond to a request.
- We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.
- We have procedures in place to inform any recipients if we erase any data we have shared with them.
- We have appropriate methods in place to erase information.
Compliance with this policy is mandatory for all staff working for or on behalf of Sheppex Ltd. They are responsible for being aware of, and complying with, the confidential waste disposal procedures in use.
Key Points
- The GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- You have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- The personal data is no longer necessary for the purpose for which you originally collected or processed it;
- You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- You are processing the personal data for direct marketing purposes and the individual objects to that processing;
- You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- You have to do it to comply with a legal obligation.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation;
- For the performance of a task carried out in the public interest or in the exercise of official authority;
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- For the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- If the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- If the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
Outside the circumstances where the right to erasure does not apply, and upon request or legal obligation, Sheppex will make every effort to ensure that any personally identifiable information is permanently deleted so that it cannot be restored, or destroyed so that it is not and cannot be made legible. This applies to every location and medium on which the data is stored. Deletion and/or destruction will take place within one month of receipt of any legitimate request, in line with the time limit stated above. Any deletion or ‘right to erasure’ request will be documented for the purpose of recording compliance. We understand that we cannot charge for, or refuse, these requests except in the exceptional circumstances stated in this policy.
Sheppex will ensure that any contractor disposing of records also complies with this policy and with the law. Sheppex also has an obligation to delete any personally identifiable information that it has neither consent to retain nor a legal obligation to retain.