GDPR Retention and Erasure Policy
1. Introduction
This policy explains how Stellar Phronesis Technology P.C., handles the retention and erasure of personal data. It follows GDPR and UK Data Protection Act 2018 rules. We keep data only as long as needed and delete it securely when it's no longer required.
The policy targets to:
- Limit data to its original purpose.
- Set clear timeframes for keeping data.
- Meet legal requirements.
- Minimize data by reviewing and deleting unnecessary information.
- Document everything in our Record of Processing Activities (ROPA).
2. Scope
This covers all personal data Stellar Phronesis Technology process, including for employees, customers, suppliers, and visitors. It applies to all departments.
3. Responsibilities
- Data Protection Officer (DPO): Checks compliance and reviews the policy.
- Department Heads: Manage data retention in their areas.
- IT Team: Handles secure storage and deletion.
- All Staff: Follow the policy and report issues.
4. Key Principles
- Purpose Limitation: Keep data only for the reason it was collected.
- Defined Timeframes: Use a schedule for different data types with deletion dates.
- Legal Requirements: Follow laws, like keeping tax records for 6-7 years.
- Data Minimisation: Review data yearly and delete or anonymize what's not needed.
- Documentation: Record retention reasons in our ROPA.
5. Retention Schedule
Here are common retention periods for our data:
| Category of Data | Retention Period | Rationale |
|---|---|---|
| Employee contact details | 7 years after employment ends | For contracts and legal claims |
| Payroll and financial details | 7 years after employment ends | Tax laws |
| Health data (sick leave) | 7 years after employment ends | Employment laws |
| Job applicant data | 1 year or until consent withdrawn | Based on consent |
| Customer contact details | Until relationship ends + 5 years | Business needs |
| Marketing data (newsletters) | Until unsubscribe | Based on consent |
| Supplier details | Contract duration + 7 years | Financial records |
| Access logs | 2 years | Security needs |
| Visitor logs | 1 year after visit | Safety reasons |
6. Erasure Process
When data is no longer needed:
- Flag it for deletion.
- Erase electronic data securely (overwrite or delete).
- Shred physical documents.
- Check backups and delete from there.
- Verify data is gone.
Handle erasure requests from people within 1 month.
7. Review
We review this policy every year. We tell people about retention in our privacy policy.
8. Contact
Contact the DPO at info@stellarphronesis.com for questions.
9. Approval
Approved by: Management Team, Date: February 04, 2026 Version: 1.1 Next Review: February 04, 2027