Greengage Data Retention Policy
(for the Protection of Personal Information)
Purpose of this Data Retention Policy
Greengage must comply with its obligations under data protection laws (including GDPR, the Gibraltar Data Protection Act 2004 and the Gibraltar Proceeds of Crime Act 2015 as well as equivalent UK legislation) whenever it processes Personal Data relating to customers, suppliers, staff and any other individuals the Firm interacts with.
Greengage is required under data protection laws to ensure that Information Assets containing Personal Data are not retained in a form which enables the identification of individuals for any longer than is necessary for the purposes for which the Personal Data has been collected. Greengage must be able to justify any retention of Personal Data to the authority responsible for enforcing data protection laws in the UK, the ICO, and in Gibraltar, which is the GRA.
In practice what this means is that the Greengage must not retain the Personal Data contained within Information Assets for any longer than is necessary:
For the operational purpose that the Personal Data was collected for, and which the relevant Data Subject has been informed of (i.e. in relevant privacy notices);
In order to comply with any applicable statutory or regulatory retention requirements; or
To enable the Company to exercise its legal rights and/or defend against legal claims.
Where a statutory or regulatory retention requirement applies, or where data is relevant to an actual or potential legal claim, only the specific Personal Data which is required to be retained in order to meet the statutory/regulatory retention requirement or for a legal claim, should be retained for those purposes.
Personal Data may also be retained for a longer period if it is solely for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures which are required by data protection laws, in order to safeguard the rights and freedoms of the Data Subject.
Greengage is required to take a proportionate approach to data retention, balancing the Firm’s needs with the impact of retention on Data Subjects’ privacy. Greengage also needs to comply with all other aspects of data protection laws in relation to the Personal Data that it retains, including ensuring that its retention is fair and lawful and that it is secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Guideline data retention periods for different types of Personal Data are followed by all Staff and detailed within Greengage’s Data Retention Matrix. Earlier deletion may be appropriate in some circumstances.