General Data Protection Regulation (GDPR)
About This Policy
This Data Retention & Erasure Policy (External) relates specifically to Delegates, Client Contacts and Supplier Representatives (Data Subjects).
The policy is intended to ensure that World Business Strategies Ltd and its subsidiaries (The Quants Hub), here after known as WBS Training, processes its business records in accordance with the personal data protection principles, in particular that:
- Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by this policy.
- Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
- Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
- Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
The Data Protection Manager (DPM) is responsible for overseeing this policy. Any questions about the operation of this policy should be submitted to the DPM.
Location of Business Records
Our business records are mainly stored within our CRM/database, NAME. We may also store relevant information:
– On our internal network in shared folders;
– In cloud-based storage services such as OneDrive and Dropbox.
Keeping Information Up to Date
WBS Training needs to ensure that our business records are kept up to date and accurate. Our employees are trained to update Data Subjects’ records whenever appropriate to ensure that (i) the data is up to date and (ii) all relevant employees are able to access and use such data for legitimate business purposes.
General Principles on Retention & Erasure
WBS Training’s approach to retaining business records is to ensure that it complies with the data protection principles referred to in this policy and, in particular, to ensure that:
- Business records are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary to be used for the purpose for which they were recorded.
- Business records are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- When records are destroyed, whether held as paper records or in electronic format, WBS Training will ensure that they are safely and permanently erased.
Standard Retention & Erasure of Business Records
- WBS Training’s standard data retention period is two years from the last date on which WBS Training was in actual contact with the relevant Data Subject. If more than two years have elapsed since the WBS Training was last in contact with the Data Subject (Expiry Date), WBS Training’s process is to delete the personal data relating to such Data Subject, subject to paragraph a below.
- That the usual contract limitation period is six years and WBS Training could be required to defend itself against a breach of contract claim at any time during the limitation period. Certain personal data may be subject to an extended limitation period of up to twelve years in total where the relevant agreement has been executed as a Deed.
- Where the Expiry Date has passed but WBS Training is required to keep relevant data for the Legal Retention Period:
- Any personal data which is not needed for audit or legal defence purposes should be removed from the Data Subject’s record. This includes personal data which is (i) irrelevant and/or (ii) particularly confidential in nature.
- In some instances, a Data Subject’s record will not pass the Expiry Date because WBS Training stays in regular contact with such Data Subject. Although the record itself shall not expire under these circumstances, WBS Training shall take active steps to ensure that the personal data within the Business Record remains relevant and necessary for the purpose for which it was obtained. WBS Training shall delete any documents, notes and other types of personal data which are no longer required.
Erasure/Right To Be Forgotten Requests
A Data Subject may submit a request for erasure of their details from time to time (Erasure Request) i.e. the right to be forgotten.
Upon receipt of an Erasure Request, WBS Training shall first verify the identity of the Data Subject and then establish whether the Data Subject wishes (1) to be entirely deleted from WBS Training’s business records or (2) to remain within the WBS Training’s business records but marked as Non-Active or Do Not Contact.
(1) Erasure. If the Data Subject wishes to have their personal data erased:
- WBS Training shall process such request in accordance with the Data Subject’s instructions but WBS Training shall advise the Business Record that they may have no record of the Erasure Request and may therefore contact the Data Subject again upon subsequent receipt of the Data Subject’s details from a third party source e.g. a job board, CV search or LinkedIn.
- WBS Training shall ensure that any (i) joint Data Controlleror (ii) third party which is processing relevant Data Subject’s data on behalf of WBS Training is informed that Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
- WBS Training shall within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request. Where WBS Training has a legal right or duty to retain certain data for the Legal Retention Period set out above, WBS Training shall confirm to the Data Subject in writing the steps which it has taken in respect of the Erasure Request and the extent to which any data has been retained.
- If the request is manifestly unfounded or excessive, for example, because of its repetitive character, WBS Training may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
- If WBS Training is not going to respond to the request, WBS Training shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
(2) Do Not Contact. If the Data Subject wishes to have their record marked as Do Not Contact:
- WBS Training shall establish whether the Do Not Contact request is for a limited or indefinite period. WBS Training shall record the Data Subject’s decision in the relevant business record.
- Once marked as Do Not Contact, the Data Subject’s record shall then be subject to WBS Training’s standard data retention procedures and may be deleted after two years or more of inactivity, subject to any legal right or duty upon WBS Training to retain the data for the Legal Retention Period.
Sharing Data with Third Parties
- We may engage or employ other companies and individuals to perform functions on our behalf. Examples include the hosting and/or maintaining of website content, or the provision of certain features contained on the Website, and the provision of marketing services from our sponsors. Such recipients will be subject to contractual confidentiality obligations.
- If we determine in our sole discretion that we are under a legal obligation to do so, to government or law enforcement authorities.