Data Retention Policy

1. Introduction

This Data Retention Policy sets out the obligations of Vicinity Trading Limited, a company registered in England and Wales, under number 10764984, whose registered office is at Commer House, Station Road, Tadcaster, LS24 9JF (“we”, “us”, “our”, “Company”) regarding the retention of personal data collected, held, and processed by us in accordance with the UK GDPR. (The UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 (the “DPA 2018”).)

For further information on other aspects of our data protection and compliance with the UK GDPR, please refer to the Company’s Data Protection Policy (for staff) and Privacy Notice.

2. Aims and Objectives

2.1 The primary aim of this Data Retention Policy is to set out limits for the retention of personal data by us and to ensure that those limits, as well as data subject rights to erasure, are complied with. By extension, this Data Retention Policy aims to ensure that we comply fully with our obligations and the rights of data subjects under the UK GDPR.

2.2 In addition to safeguarding the rights of data subjects under the UK GDPR, by ensuring that excessive amounts of data are not retained by us, this Data Retention Policy also aims to improve the speed and efficiency of managing data.

3. Scope

3.1 This Policy applies to all personal data held by us and by third-party data processors processing personal data on our behalf.

3.2 Personal data, as held by us is stored in the following ways and in the following locations: a) our servers, located within the EEA; b) third-party servers, operated by Microsoft, WeTransfer, Google and Amazon Web Services (AWS), and located within the EEA; c) third-party servers, operated by Xero and located outside of the EEA but fully compliant with GDPR; d) third-party servers, operated by Intercom – Intercom’s privacy policy can be found at https://www.intercom.com/legal/privacy. Intercom is used to provide live chat functionality to our websites and web applications; e) third-party servers, operated by MailChimp – MailChimp’s privacy policy can be found at https://mailchimp.com/legal/privacy/ ; f) computers permanently located in our premises at Commer House, Station Road, Tadcaster, LS24 9JF; g) laptop computers and other mobile devices provided by us to our employees; h) computers and mobile devices owned by employees, agents, and sub-contractors; and i) physical records stored in Commer House, Station Road, Tadcaster, LS24 9JF.

4. Data Disposal

Upon the expiry of the data retention periods set out below in section 5 of this Data Retention Policy, or when a data subject exercises their right to have their personal data erased and we have no legal obligation to retain that personal data, personal data shall be deleted, destroyed, or otherwise disposed of as follows:

4.1 Personal data stored electronically shall be deleted securely and permanently using the most appropriate method for the type of data; and

4.2 Personal data stored in hardcopy form shall be shredded or sent for destruction by a confidential waste provider.

5. Data Retention

5.1 As stated above, and as required by law, we shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held and processed.

5.2 Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.

5.3 When establishing and/or reviewing retention periods, the following shall be taken into account: a) our objectives and requirements; b) the type of personal data in question; c) the purpose(s) for which the data in question is collected, held, and processed; d) our legal basis for collecting, holding, and processing that data; and e) the category or categories of data subject to whom the data relates.

5.4 If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.

5.5 Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made by us to do so (whether in response to a request by a data subject or otherwise):

5.5.1 data used for managing customer accounts (Customer Records) will be reviewed annually and held for a period of three years following the closure of the customer’s account. This is our company policy.

5.5.2 data used for legal documentation and contracts related to the provision of products and services (Contractual Arrangements) will be reviewed annually and held for a period of three years following contract termination. This is our company policy.

5.5.3 data used for managing and recording our financial transactions (Financial Records) will be held for a period of five years. This is HMRC policy.

5.5.4 data used for managing human resources including payroll records (Personnel Records) will be reviewed annually and held for a period of six years following the current year. This is a CIPD recommendation.

5.5.5 data used for monitoring usage or our products and services and providing customer and technical support (Support) will be reviewed annually and held for a period of two years following the closure of a subject’s account. This is our company policy.

5.5.6 data used for marketing our products and services (Marketing) will be reviewed annually and held for a period of one month following the withdrawal of a subject’s consent. This is our company policy.

6. Roles and Responsibilities

6.1 Our Data Protection Manager can be contacted using data-protection@getvicinity.com.

6.2 The Data Protection Manager shall be responsible for overseeing the implementation of this Data Retention Policy and for monitoring compliance with this Data Retention Policy, our other data protection related policies and notices (including, but not limited to our Privacy Notice), and with the UK GDPR and other applicable data protection legislation.

6.3 The Data Protection Manager shall be directly responsible for ensuring compliance with the above data retention periods throughout our organisation.

6.4 Any questions regarding this Data Retention Policy, the retention of personal data, or any other aspect of UK GDPR compliance should be referred to the Data Protection Manager.

7. Implementation of Policy

This Policy was last updated on 3 November 2021.