External Data Retention and Erasure Policy
About This Policy
This Data Retention & Erasure Policy (External) relates specifically to Candidates, Referees, Client Contacts and Supplier Representatives (Data Subjects).
For information about data retention relating to Applicants and Employees, you should refer to our Internal Data Retention Policy.
The policy is intended to ensure that 3R Holdings and associated companies processes its business records in accordance with the personal data protection principles, in particular that:
- Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by this policy.
- Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
- Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
The DPM (Christopher Powell) is responsible for overseeing this policy. Any questions about the operation of this policy should be submitted to the DPM dpo@3r.co.uk
Location of Business Records
Our business records are mainly stored within our CRM/database. We may also store relevant information:
- On our internal network in shared folders;
- In cloud-based storage services such as OneDrive and Dropbox
Keeping Information Up To Date
Company needs to ensure that our business records are kept up to date and accurate. Our employees are trained to update Data Subjects’ records whenever appropriate to ensure that (i) the data is up to date and (ii) all relevant employees are able to access and use such data for legitimate business purposes.
General Principles on Retention & Erasure
Company’s approach to retaining business records is to ensure that it complies with the data protection principles referred to in this policy and, in particular, to ensure that:
- Business records are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary to be used for the purpose for which they were recorded.
- Business records are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- When records are destroyed, whether held as paper records or in electronic format, Company will ensure that they are safely and permanently erased.
Our Lawful Basis for Processing Data
- Company’s standard data retention period is two years from the last date on which Company was in actual contact with the relevant Data Subject. If more than two years have elapsed since the Company was last in contact with the Data Subject (Expiry Date), Company’s process is to delete the personal data relating to such Data Subject, subject to paragraph 2 below.
- If the Data Subject is a Candidate who Company has placed in a permanent or temporary role with a Client, Company will usually retain the Candidate’s personal data for a period of two years from the date on which the Candidate was placed with the Client (Legal Retention Period). The reasons for the Legal Retention Period are:
- That the usual contract limitation period is six years and Company could be required to defend itself against a breach of contract claim at any time during the limitation period. Certain personal data may be subject to an extended limitation period of up to twelve years in total where the relevant agreement has been executed as a deed.
- It is a common provision in Client agreements that Company must for a period of not less than six years retain complete records of the recruitment activities which were carried out in the course of performing the contract; and
- Where Company has placed the Candidate in a temporary role, Company is required by HMRC to retain a full audit trail of payments and receipts in respect of such temporary supply for the remainder of the relevant financial year plus a further six years i.e. up to seven years in total.
- Where the Expiry Date has passed but Company is required to keep relevant data for the Legal Retention Period:
- Any personal data which is not needed for audit or legal defence purposes should be removed from the Data Subject’s record. This includes personal data which is (i) irrelevant and/or (ii) particularly confidential in nature.
- The Data Subject’s data shall not be used in the course of usual recruitment activities but shall instead be marked as Archived/Pending Deletion for the remainder of the Legal Retention Period.
- Contact between the Data Subject and Company may be re-established. In such event, the Data Subject’s record may be marked as Active once again but any irrelevant and/or expired data should still be removed from the business record to ensure that it remains up to date and relevant.
- In some instances, a Data Subject’s record will not pass the Expiry Date because Company stays in regular contact with such Data Subject. Although the record itself shall not expire under these circumstances, Company shall take active steps to ensure that the personal data within the Business Record remains relevant and necessary for the purpose for which it was obtained. Company shall delete any documents, notes and other types of personal data which are no longer required.
Erasure/Right To Be Forgotten Requests
A Data Subject may submit a request for erasure of their details from time to time (Erasure Request) i.e. the right to be forgotten.
Upon receipt of an Erasure Request, Company shall first verify the identity of the Data Subject and then establish whether the Data Subject wishes (1) to be entirely deleted from Company’s business records or (2) to remain within the Company’s business records but marked as Non-Active.
- Erasure. If the Data Subject wishes to have their personal data erased:
- Company shall process such request in accordance with the Data Subject’s instructions but Company shall advise the Business Record that they may have no record of the Erasure Request and may therefore contact the Data Subject again upon subsequent receipt of the Data Subject’s details from a third party source e.g. a job board, CV search or LinkedIn.
- Company shall ensure that any (i) joint Data Controller or (ii) third party which is processing relevant Data Subject’s data on behalf of Company is informed that Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
- Company shall within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request. Where Company has a legal right or duty to retain certain data for the Legal Retention Period set out above, Company shall confirm to the Data Subject in writing the steps which it has taken in respect of the Erasure Request and the extent to which any data has been retained.
- f the request is manifestly unfounded or excessive, for example, because of its repetitive character, Company may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
- If Company is not going to respond to the request, Company shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
- Do Not Contact. If the Data Subject wishes to have their record marked as Do Not Contact:
- Company shall establish whether the Do Not Contact request is for a limited or indefinite period. Company shall record the Data Subject’s decision in the relevant business record.
- Once marked as Do Not Contact, the Data Subject’s record shall then be subject to Company’s standard data retention procedures and may be deleted after two years or more of inactivity, subject to any legal right or duty upon Company to retain the data for the Legal Retention Period.