Data Retention Policy

Down­load and print the con­tent on this page


1. Purpose, Scope, and Users

This pol­i­cy sets the required reten­tion peri­ods for spec­i­fied cat­e­gories of per­son­al data and sets out the min­i­mum stan­dards to be applied when destroy­ing cer­tain infor­ma­tion with­in iCon­nect (fur­ther: the “Com­pa­ny”).

This Pol­i­cy applies to all busi­ness units, process­es, and sys­tems in all coun­tries in which the Com­pa­ny con­ducts busi­ness and has deal­ings or oth­er busi­ness rela­tion­ships with third parties.

This Pol­i­cy applies to all Com­pa­ny offi­cers, direc­tors, employ­ees, agents, affil­i­ates, con­trac­tors, con­sul­tants, advi­sors or ser­vice providers that may col­lect, process, or have access to data (includ­ing per­son­al data and/or sen­si­tive per­son­al data).  It is the respon­si­bil­i­ty of all of the above to famil­iarise them­selves with this Pol­i­cy and ensure ade­quate com­pli­ance with it.

This pol­i­cy applies to all infor­ma­tion used at the Com­pa­ny. Exam­ples of doc­u­ments include:

  • Emails
  • Hard copy documents
  • Soft copy documents
  • Video and audio
  • Data gen­er­at­ed by phys­i­cal access con­trol systems


2. Reference Documents

  • EU GDPR 2016/679 (Reg­u­la­tion (EU) 2016/679 of the Euro­pean Par­lia­ment and of the Coun­cil of 27 April 2016 on the pro­tec­tion of nat­ur­al per­sons with regard to the pro­cess­ing of per­son­al data and on the free move­ment of such data, and repeal­ing Direc­tive 95/46/EC)
  • Per­son­al Data Pro­tec­tion Policy


3. Retention Rules

3.1.Retention General Principle

In the event, for any cat­e­go­ry of doc­u­ments not specif­i­cal­ly defined else­where in this Pol­i­cy (and in par­tic­u­lar with­in the Data Reten­tion Sched­ule) and unless oth­er­wise man­dat­ed dif­fer­ent­ly by applic­a­ble law, the required reten­tion peri­od for such doc­u­ment will be deemed to be 3 years from the date of cre­ation of the document.

3.2.Retention General Schedule

The Data Pro­tec­tion Offi­cer defines the time peri­od for which the doc­u­ments and elec­tron­ic records should to be retained through the Data Reten­tion Schedule.

As an exemp­tion, reten­tion peri­ods with­in Data Reten­tion Sched­ule can be pro­longed in cas­es such as:

  • Ongo­ing inves­ti­ga­tions from Mem­ber States author­i­ties, if there is a chance records of per­son­al data are need­ed by the Com­pa­ny to prove com­pli­ance with any legal require­ments; or
  • When exer­cis­ing legal rights in cas­es of law­suits or sim­i­lar court pro­ceed­ing rec­og­nized under local law.

3.3.Safeguarding of Data during Retention Period

The pos­si­bil­i­ty that data media used for archiv­ing will wear out shall be con­sid­ered. If elec­tron­ic stor­age media are cho­sen, any pro­ce­dures and sys­tems ensur­ing that the infor­ma­tion can be accessed dur­ing the reten­tion peri­od (both with respect to the infor­ma­tion car­ri­er and the read­abil­i­ty of for­mats) shall also be stored in order to safe­guard the infor­ma­tion against loss as a result of future tech­no­log­i­cal changes. The respon­si­bil­i­ty for the stor­age falls to the Data Pro­tec­tion Officer.

3.4.Destruction of Data

The Com­pa­ny and its employ­ees should there­fore, on a reg­u­lar basis, review all data, whether held elec­tron­i­cal­ly on their device or on paper, to decide whether to destroy or delete any data once the pur­pose for which those doc­u­ments were cre­at­ed is no longer rel­e­vant. See Appen­dix for the reten­tion sched­ule. Over­all respon­si­bil­i­ty for the destruc­tion of data falls to the Data Pro­tec­tion Officer.

Once the deci­sion is made to dis­pose accord­ing to the Reten­tion Sched­ule, the data should be delet­ed, shred­ded or oth­er­wise destroyed to a degree equiv­a­lent to their val­ue to oth­ers and their lev­el of con­fi­den­tial­i­ty.  The method of dis­pos­al varies and is depen­dent upon the nature of the doc­u­ment.  For exam­ple, any doc­u­ments that con­tain sen­si­tive or con­fi­den­tial infor­ma­tion (and par­tic­u­lar­ly sen­si­tive per­son­al data) must be dis­posed of as con­fi­den­tial waste and be sub­ject to secure elec­tron­ic dele­tion; some expired or super­seded con­tracts may only war­rant in-house shred­ding.  The Doc­u­ment Dis­pos­al Sched­ule sec­tion below defines the mode of disposal.

In this con­text, the employ­ee shall per­form the tasks and assume the respon­si­bil­i­ties rel­e­vant for the infor­ma­tion destruc­tion in an appro­pri­ate way. The spe­cif­ic dele­tion or destruc­tion process may be car­ried out either by an employ­ee or by an inter­nal or exter­nal ser­vice provider that the Data Pro­tec­tion Offi­cer sub­con­tracts for this pur­pose.  Any applic­a­ble gen­er­al pro­vi­sions under rel­e­vant data pro­tec­tion laws and the Company’s Per­son­al Data Pro­tec­tion Pol­i­cy shall be com­plied with.

Appro­pri­ate con­trols shall be in place that pre­vents the per­ma­nent loss of essen­tial infor­ma­tion of the com­pa­ny as a result of mali­cious or unin­ten­tion­al destruc­tion of infor­ma­tion – these con­trols are described in the company’s IT Secu­ri­ty Policy.

The Data Pro­tec­tion Offi­cer shall ful­ly doc­u­ment and approve the destruc­tion process.  The applic­a­ble statu­to­ry require­ments for the destruc­tion of infor­ma­tion, par­tic­u­lar­ly require­ments under applic­a­ble data pro­tec­tion laws, shall be ful­ly observed.

3.5.Breach, Enforcement and Compliance

The per­son appoint­ed with respon­si­bil­i­ty for Data Pro­tec­tion, the Data Pro­tec­tion Offi­cer has the respon­si­bil­i­ty to ensure that each of the Company’s offices com­plies with this Pol­i­cy.  It is also the respon­si­bil­i­ty of the Data Pro­tec­tion Offi­cer to assist any local office with enquiries from any local data pro­tec­tion or gov­ern­men­tal authority.

Any sus­pi­cion of a breach of this Pol­i­cy must be report­ed imme­di­ate­ly to Data Pro­tec­tion Offi­cer. All instances of sus­pect­ed breach­es of the Pol­i­cy shall be inves­ti­gat­ed and action tak­en as appropriate.

Fail­ure to com­ply with this Pol­i­cy may result in adverse con­se­quences, includ­ing, but not lim­it­ed to, loss of cus­tomer con­fi­dence, lit­i­ga­tion and loss of com­pet­i­tive advan­tage, finan­cial loss and dam­age to the Company’s rep­u­ta­tion, per­son­al injury, harm or loss. Non-com­pli­ance with this Pol­i­cy by per­ma­nent, tem­po­rary or con­tract employ­ees, or any third par­ties, who have been grant­ed access to Com­pa­ny premis­es or infor­ma­tion, may there­fore result in dis­ci­pli­nary pro­ceed­ings or ter­mi­na­tion of their employ­ment or con­tract. Such non-com­pli­ance may also lead to legal action against the par­ties involved in such activities.


4.     Document Disposal

4.1.Routine Disposal Schedule

Records which may be rou­tine­ly destroyed unless sub­ject to an on-going legal or reg­u­la­to­ry inquiry are as follows:

  • Announce­ments and notices of day-to-day meet­ings and oth­er events includ­ing accep­tances and apologies;
  • Requests for ordi­nary infor­ma­tion such as trav­el directions;
  • Reser­va­tions for inter­nal meet­ings with­out charges / exter­nal costs;
  • Trans­mis­sion doc­u­ments such as let­ters, fax cov­er sheets, e‑mail mes­sages, rout­ing slips, com­pli­ments slips and sim­i­lar items that accom­pa­ny doc­u­ments but do not add any value;
  • Mes­sage slips;
  • Super­seded address list, dis­tri­b­u­tion lists etc.;
  • Dupli­cate doc­u­ments such as CC and FYI copies, unal­tered drafts, snap­shot print­outs or extracts from data­bas­es and day files;
  • Stock in-house pub­li­ca­tions which are obso­lete or super­seded; and
  • Trade mag­a­zines, ven­dor cat­a­logues, fly­ers and newslet­ters from ven­dors or oth­er exter­nal organizations.

In all cas­es, dis­pos­al is sub­ject to any dis­clo­sure require­ments which may exist in the con­text of litigation.

4.2.Destruction Method

Lev­el I doc­u­ments are those that con­tain infor­ma­tion that is of the high­est secu­ri­ty and con­fi­den­tial­i­ty and those that include any per­son­al data. These doc­u­ments shall be dis­posed of as con­fi­den­tial waste (cross-cut shred­ded and incin­er­at­ed) and shall be sub­ject to secure elec­tron­ic dele­tion. Dis­pos­al of the doc­u­ments should include proof of destruction.

Lev­el II doc­u­ments are pro­pri­etary doc­u­ments that con­tain con­fi­den­tial infor­ma­tion such as par­ties’ names, sig­na­tures and address­es, or which could be used by third par­ties to com­mit fraud, but which do not con­tain any per­son­al data. The doc­u­ments should be cross-cut shred­ded and then placed into locked rub­bish bins for col­lec­tion by an approved dis­pos­al firm, and elec­tron­ic doc­u­ments will be sub­ject to secure elec­tron­ic deletion.

Lev­el III doc­u­ments are those that do not con­tain any con­fi­den­tial infor­ma­tion or per­son­al data and are pub­lished Com­pa­ny doc­u­ments. These should be strip-shred­ded or dis­posed of through a recy­cling com­pa­ny and include, among oth­er things, adver­tise­ments, cat­a­logues, fly­ers, and newslet­ters. These may be dis­posed of with­out an audit trail.


5.     Managing Records Kept on the Basis of this Document

Record nameStor­age locationPer­son respon­si­ble for storageCon­trols for record protectionReten­tion time
Data Reten­tion ScheduleData Pro­tec­tion Officer’s Google DriveData Pro­tec­tion OfficerOnly autho­rized per­sons may access this documentPer­ma­nent­ly


6.     Validity and document management

This doc­u­ment is valid as of March 2018

The own­er of this doc­u­ment is the Data Pro­tec­tion Offi­cer who must check and, if nec­es­sary, update the doc­u­ment at least once a year.


7.     Appendices

Appen­dix – Data Reten­tion Schedule

Finan­cial Records

Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Pay­roll recordsSev­en years after auditFinance
Sup­pli­er contractsSev­en years after con­tract is terminatedFinance
Chart of AccountsPer­ma­nentFinance
Fis­cal Poli­cies and ProceduresPer­ma­nentFinance
Per­ma­nent AuditsPer­ma­nentFinance
Finan­cial statementsPer­ma­nentFinance
Gen­er­al LedgerPer­ma­nentFinance
Invest­ment records (deposits, earn­ings, withdrawals)7 yearsFinance
Invoic­es7 yearsFinance
Can­celled checks7 yearsFinance
Bank deposit slips7 yearsFinance
Busi­ness expens­es documents7 yearsFinance
Check registers/books7 yearsFinance
Property/asset inven­to­ries7 yearsFinance
Cred­it card receipts3 yearsFinance
Pet­ty cash receipts/documents3 yearsFinance


Busi­ness Records

Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Arti­cle of Incor­po­ra­tion to apply for cor­po­rate statusPer­ma­nentFinance
Board poli­ciesPer­ma­nentFinance
Board meet­ing minutesPer­ma­nentFinance
Tax or employ­ee iden­ti­fi­ca­tion num­ber designationPer­ma­nentFinance
Office and team meet­ing minutesFinance
Annu­al cor­po­rate filingsPer­ma­nentFinance


HR: Employ­ee Records

Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Dis­ci­pli­nary, griev­ance pro­ceed­ings records, oral/verbal, writ­ten, final warn­ings, appealsAs per legal requirementHR
Appli­ca­tions for jobs, inter­view notes – Recruitment/promotion pan­el Inter­nal Where the can­di­date is unsuc­cess­ful Where the can­di­date is successfulDelet­ed immediately
Dura­tion of employment
Pay­roll input forms, wages/salary records, overtime/bonus pay­ments Pay­roll sheets, copies7 yearsHR
Bank details – currentDura­tion of employmentHR
Payrolls/wagesDura­tion of employmentHR
Job his­to­ry includ­ing staff per­son­al records: contract(s), Ts & Cs; pre­vi­ous ser­vice dates; pay and pen­sion his­to­ry, pen­sion esti­mates, resignation/termination lettersAs per legal requirementHR
Employ­ee address detailsDura­tion of employmentHR
Expense claimsAs per legal requirementHR
Annu­al leave recordsDura­tion of employmentHR
Acci­dent books

Acci­dent reports and correspondence

As per legal requirementHR
Cer­tifi­cates and self-cer­tifi­cates unre­lat­ed to work­place injury; statu­to­ry sick pay formsAs per legal requirementHR
Pregnancy/childbirth cer­ti­fi­ca­tionAs per legal requirementHR
Parental leaveDura­tion of employmentHR
Mater­ni­ty pay records and calculationsAs per legal requirementHR
Redun­dan­cy details, pay­ment cal­cu­la­tions, refunds, notificationsAs per legal requirementHR
Train­ing and devel­op­ment recordsDura­tion of employmentHR



Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Con­tract amendmentsPer­ma­nentFinance
Suc­cess­ful ten­der documentsPer­ma­nentFinance
Unsuc­cess­ful ten­ders’ documentsPer­ma­nentFinance
Ten­der – user require­ments, spec­i­fi­ca­tion, eval­u­a­tion cri­te­ria, invitationPer­ma­nentFinance
Con­trac­tors’ reportsPer­ma­nentFinance
Oper­a­tion and mon­i­tor­ing, eg complaintsPer­ma­nentFinance


Cus­tomer Data 

Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Plat­form data – inclu­sive of Video data, com­ments, attach­ments, pro­file pic­ture, email address, first and sec­ond nameRetained whilst organ­i­sa­tion remains a cus­tomer or delet­ed by user. Once an organ­i­sa­tion requests all records to be delet­ed, data will be removed from the back-ups with­in 9 monthsCus­tomer
Live chat historyRecords delet­ed after 1 yearSup­port
Screen record­ings from sup­port sessionAuto­mat­i­cal­ly delet­ed after 90 daysSup­port
CRM data – inclu­sive of Name, Email address, mobile num­ber, address, emails and phone call sum­maries, DPO informationRetained whilst organ­i­sa­tion remains a cus­tomer or delet­ed by user. Once an organ­i­sa­tion requests all records to be delet­ed, data will be removed from the back-ups with­in X monthsSup­port
Met­rics dataRetained whilst organ­i­sa­tion remains a cus­tomer or delet­ed by user. Once an organ­i­sa­tion requests all records to be delet­ed, data will be anonymisedDevel­op­ment Team


Non — Cus­tomer Data 

Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Name, email addressKept until per­son unsub­scribes / requests to be removed from systemMar­ket­ing & Sales
Call record­ingsAuto­mat­i­cal­ly delet­ed after 6 monthsSales



Per­son­al data record categoryMan­dat­ed reten­tion periodRecord own­er
Recy­cle BinsCleared month­lyIndi­vid­ual employee
Down­loadsCleared month­lyIndi­vid­ual employee
InboxAll emails con­tain­ing PII attach­ments delet­ed after 3 years.Indi­vid­ual employee
Delet­ed EmailsCleared month­lyIndi­vid­ual employee
Per­son­al Net­work DriveReviewed quar­ter­ly, any doc­u­ments con­tain­ing PII delet­ed after 3 yearsIndi­vid­ual employee
Local Dri­ves & filesMoved to net­work dri­ve month­ly, then delet­ed from local driveIndi­vid­ual employee
Google Dri­ves, drop boxReviewed quar­ter­ly, any doc­u­ments con­tain­ing PII delet­ed after 3 yearsIndi­vid­ual employee

Edit­ed & cus­tomised by:

iCon­nect LTD

Unit 11, Hove Busi­ness Cen­tre, Fonthill Rd, Hove BN3 6HA