
Data Retention Policy

Introduction:

This Policy outlines the responsibilities of Technical Professionals Limited, operating under the trade name “LearnTech,” a registered company in England and Wales (registration number 06161067) with its registered office at 14-16 Dowgate Hill, London, EC4R 2SU (referred to as “the Company”). The Policy addresses the retention of personal data collected, held, and processed by the Company in accordance with the EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

According to the GDPR, “personal data” refers to any information relating to an identified or identifiable natural person (referred to as a “data subject”). An identifiable natural person is someone who can be directly or indirectly identified, such as by name, identification number, location data, online identifier, or specific factors related to their identity, including physical, physiological, genetic, mental, economic, cultural, or social aspects.

The GDPR also recognizes “special category” personal data, often referred to as “sensitive” personal data. This category includes data concerning a data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for identification purposes), health, sex life, or sexual orientation.

Under the GDPR, personal data should only be retained in a form that allows identification of data subjects for as long as necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods when it is processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes. However, appropriate technical and organizational measures required by the GDPR must be implemented to protect such data.

Additionally, the GDPR includes the right to erasure, commonly known as “the right to be forgotten.” Data subjects have the right to have their personal data erased (and prevent its processing) in the following circumstances:

When the personal data is no longer necessary for its original purpose of collection or processing (as mentioned above).

When the data subject withdraws their consent.

When the data subject objects to the processing of their personal data, and the Company has no overriding legitimate interest.

When the personal data is processed unlawfully (i.e., in violation of the GDPR).

When the personal data must be erased to comply with a legal obligation.

When the personal data is processed for providing information society services to a child.

This Policy outlines the types of personal data held by the Company for a) providing services to clients, b) providing services to job seekers, and c) fulfilling the Company’s legal obligations as an employer. It specifies the retention periods for such personal data, the criteria for establishing and reviewing those periods, and the procedures for deletion or disposal.

For additional information on other aspects of data protection and GDPR compliance, please refer to the Company’s Data Protection Policy.

Aims and Objectives:

  • The primary objective of this Policy is to define the limits for retaining personal data and ensure compliance with those limits and data subjects’ rights to erasure. Furthermore, it aims to ensure the Company’s full compliance with its obligations and data subjects’ rights under the GDPR.

  • By preventing the excessive retention of data, this Policy also aims to enhance the speed and efficiency of data management while safeguarding the rights of data subjects under the GDPR.

Scope:

This Policy applies to all personal data held by the Company and to third-party data processors who process personal data on behalf of the Company.

The Company stores personal data in the following ways and locations:

Third-party servers operated by the Company’s IT service provider, located at the provider’s server hosting premises.

Computers located at the Company’s trading office premises.

Laptop computers and other mobile devices provided by the Company to its employees.

Physical records stored in secured filing cabinets at the Company’s trading office.

Data Subject Rights and Data Integrity:

All personal data held by the Company is managed in compliance with the GDPR and the rights of data subjects as outlined in the Company’s Data Protection Policy.

Data subjects are fully informed of their rights, the personal data held by the Company, its usage as specified in Parts 12 and 13 of the Company’s Data Protection Policy, and the retention period for that personal data.

Data subjects have control over their personal data held by the Company, including the right to rectify incorrect data, request the deletion or disposal of their personal data (subject to retention periods defined in this Data Retention Policy), restrict the Company’s use of their personal data, exercise data portability rights, and avail themselves of further rights relating to automated decision-making and profiling, as described in Parts 14 to 20 of the Company’s Data Protection Policy.

Technical and Organizational Data Security Measures:

The Company has implemented the following technical measures to safeguard the security of personal data. For more details, please refer to Parts 22 to 26 of the Company’s Data Protection Policy:

Personal data may only be transmitted over secure networks.

Physical transfer of personal data should be done in suitable containers labeled as “confidential.”

Personal data must not be shared informally or outside the normal course of business.

Hardcopies and electronic copies of personal data stored on physical media must be securely stored.

Personal data may not be transferred to employees, agents, contractors, or other parties without proper authorization, regardless of whether they work on behalf of the Company or not.

Personal data must be handled with care, never left unattended or visible.

Computers used to access personal data must always be locked when unattended.

Personal data should not be stored on any mobile devices without written approval from a line manager or Company director. If approved, it must be done in accordance with instructions and limitations provided, and only for the necessary duration.

Personal data should not be transferred to personal devices of employees. It may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company if they agree to comply with the Company’s Data Protection Policy and the GDPR.

Electronic storage of personal data should be backed up daily, with encrypted offsite backups.

Electronic copies of personal data must be securely stored using passwords and encryption.

Passwords used to protect personal data must be changed regularly and meet security requirements.

Passwords must not be written down or shared. If forgotten, they must be reset using the appropriate method. IT staff do not have access to passwords.

All software should be kept up-to-date, installing security-related updates promptly.

Installation of software on Company-owned computers or devices requires approval.

When personal data held by the Company is used for marketing purposes, individuals using the data are responsible for obtaining appropriate consent and ensuring compliance with opt-outs, including those facilitated by third-party services like the TPS.

Organizational Data Security Measures:

The following organizational measures are implemented within the Company to safeguard the security of personal data. For more details, please refer to Part 27 of the Company’s Data Protection Policy:

All employees and individuals working on behalf of the Company will receive comprehensive awareness training on their individual responsibilities and the Company’s obligations under the GDPR and the Data Protection Policy.

Access to personal data held by the Company will be granted only to employees and authorized individuals who require access to perform their work responsibilities.

Adequate training will be provided to employees and individuals working on behalf of the Company who handle personal data.

Supervision will be provided to ensure appropriate handling of personal data by employees and individuals working on behalf of the Company.

Utmost care and caution should be exercised by employees and individuals when discussing any work related to personal data.

Regular evaluation and review of methods for collecting, storing, and processing personal data will be conducted.

Performance evaluations and reviews will be carried out regularly for employees and individuals handling personal data on behalf of the Company.

All employees and individuals working on behalf of the Company who handle personal data will be contractually bound to comply with the GDPR and the Data Protection Policy.

Agents, contractors, or other parties working on behalf of the Company must ensure that their relevant employees adhere to the same conditions set forth by the GDPR and the Data Protection Policy.

If any agent, contractor, or other party working on behalf of the Company fails to fulfill their obligations under the GDPR and/or the Data Protection Policy, they will be held responsible for indemnifying and protecting the Company against any costs, liabilities, damages, losses, claims, or legal proceedings arising from such failure.

Data Disposal:

Upon the expiration of the data retention periods specified in Part 7 of this Policy or when a data subject exercises their right to erasure of their personal data, the Company will undertake the following data disposal actions:

Electronically stored personal data (including backups) will be securely deleted using the method employed by the Company’s IT service provider.

Electronically stored special category personal data (including backups) will be securely deleted using the method employed by the Company’s IT service provider.

Personal data in hardcopy form will be shredded and recycled.

Special category personal data in hardcopy form will be shredded and recycled.

Data Retention:

As mentioned earlier and in compliance with legal requirements, the Company will not retain personal data for a duration longer than necessary, considering the purpose(s) for which the data is collected, held, and processed. Different types of personal data used for different purposes will be retained for varying periods, subject to periodic review, as outlined below. When determining and reviewing retention periods, the following factors will be taken into consideration:

The Company’s objectives and requirements.

The nature of the specific personal data.

The purpose(s) for collecting, holding, and processing the data.

The legal basis for collecting, holding, and processing the data.

The category or categories of data subjects to whom the data pertains.

If an exact retention period cannot be specified for a particular type of data, criteria will be established to evaluate the retention of the data, ensuring regular reviews against those criteria.

Notwithstanding the defined retention periods provided below, certain personal data may be deleted or disposed of before the expiration of its retention period if a decision is made by the Company to do so, whether due to a data subject’s request or other reasons.

In exceptional circumstances, it may be necessary to retain personal data for extended periods for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes. Such retention will be accompanied by the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of data subjects, as mandated by the GDPR.

Note: The specific retention periods for different types of personal data are detailed in Part 7 of this Policy.