Data Retention and Erasure
Intelligent Business Transfer Ltd will not store data any longer than is necessary, for the purposes it is being processed. Personal data will be securely disposed of or “put beyond use” when no longer required.
|Categories of Individuals||Data Storage Location||Method of Deletion|
|Employees||Finance payroll system||Hard delete|
|Employees||Finance pension system||Hard delete|
|Employees||HR personel system||Hard delete|
|Successful candidates, Unsuccessful Candidates||HR Recrtuiment system||Hard delete|
|Business Buyers, Business Sellers||T:\Business for Sale\, CRM System, Filed Hard Copy||T Drive: Hard Delete, CRM: Retreivable for 30 days then anonymised, Hard Copy: Shredded|
|Business Buyers, Business Sellers, Prospective Buyers, Prospective Sellers||CRM System, Pipedrive, Third Party Marketing Platforms||CRM: Retreivable for 30 days then anonymised. Third Party Platforms: Data will be deleted from the platform(s) (subject to the third parties’ data erasure procedure)|
Data sharing and erasure procedures
- If an individual requests their data, it will be provided securely, in full and as quickly as is realistically possible.
- If an individual requests for their data to be deleted, this will be completed in accordance with the table shown above, as quickly as is realistically possible.
If an individual makes a request to see their data, this will be passed on to the data processor so it can be logged and the data can be securely provided to the individual.
If an individual makes a request for their data to be deleted, this will be passed on to the data controller who will oversee the erasure of this data. Data which is contained within the CRM system will initially be “soft deleted” to put the data beyond use and as a failsafe for human error should the data need to be recovered. Hard copies of personally identifiable data will be shredded.
After a period of one month, all personally identifiable data that has been “soft deleted” will automatically be anonymised so it can no longer be recovered, while protecting the integrity of our systems.
Deletion of Historical Data
Data will be deleted as described above based on the following timescales:
|Customers||3 Years After Contract Ends|
|Prospective Customers||3 Years After First Contact|
|Interested Parties||3 Years After First Contact (if no response to re-opt in email)|
|Employees||3 Years After End of Employment (Pension Details held for 75 years post-employment)|
Personal Data Breaches
In the event of a personal data breach, the data controller will be alerted immediately. Details of the breach will be recorded in full and if required, reported to the relevant supervisory authority within 72 hours of becoming aware of the breach where feasible.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission;
- loss of availability of personal data.