Personal data retention policy

Mercieca Ltd

Personal data retention and destruction policy

This policy forms part of our Data Protection and Information Security Policies. Any defined terms used in this policy that are not defined in this document may be defined in our General Data Protection Policy, and data users should read the General Data Protection Policy before reading this Policy.

We typically retain personal data for the periods set out below, subject to any exceptional circumstances (such as where information is required for actual or anticipated litigation) or requirements to comply with laws or regulations that require a specific retention period. 

In determining these retention periods, we have had regard to our legal obligations, good industry practice, the guidance of relevant UK authorities and bodies such as HM Revenue & Customs (HMRC) and the Chartered Institute of Personnel and Development (CIPD), and also tax, accounting, health and safety, and employment rules.

Our Data Protection Manager is responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction. The destruction of paper-based records must be conducted by shredding if possible. 

The destruction of electronic records must be permanent and irretrievable to the greatest extent practicable. Electronic document destruction must be coordinated with our Data Protection Manager. 

The destruction of records must stop immediately upon notification from our Data Protection Manager that a litigation hold is to begin because we may be involved in a lawsuit or an official investigation. Destruction may begin again once the Data Protection Manager releases the relevant litigation hold.

Information about customers since our last dealing with them: 

  • personal details including name and contact information: 7 years;
  • contractual details including the goods and services provided: 7 years;
  • family and lifestyle details: 1 year;
  • device details: 3 months;
  • user activity details and user preferences: 3 months;
  • browser history details: 3 months;
  • location details: 3 months;
  • electronic identification data including IP address and information collected through cookies: 3 months.

Information about prospective customers since our last dealing with them:

  • personal details including name and contact information: 4 years.

Information about other contacts since our last dealing with them:

  • personal details including name and contact information: 4 years.

Information about individuals who have contacted us about our clients, since our last dealing with them:

  • personal details including name and contact information: 7 years;
  • other personal details regarding their contact: 7 years.

Information about employees since our last dealing with them: 

  • personal details including name and contact information: 7 years;
  • date of birth: 7 years; 
  • gender: 7 years; 
  • marital status: 7 years; 
  • beneficiary and emergency contact information: 1 year; 
  • government identification numbers: 7 years; 
  • education and training details: 1 year; 
  • bank account details and payroll information: 1 year; 
  • wage and benefit information: 7 years; 
  • pension information: 7 years;
  • performance information: 2 years; 
  • employment details: 2 years; 
  • any other information on curriculum vitae: 1 year;
  • special categories of personal data, including information that relates to an employee's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetics or health, and sex life or sexual orientation: 2 years.

Information about job applicants since our last dealing with them if not employed: 

  • personal details including name and contact information: 1 year;
  • date of birth: 1 year; 
  • gender: 1 year; 
  • marital status: 1 year; 
  • education and training details: 1 year; 
  • wage and benefit information: 1 year; 
  • employment history: 1 year; 
  • any other information on curriculum vitae: 1 year;
  • special categories of personal data, including information that relates to an employee's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetics or health, and sex life or sexual orientation: 1 year.

Information about suppliers since our last dealing with them:

  • name and contact information: 7 years; 
  • contractual details including the goods and services provided: 7 years;
  • financial and payment details: 7 years.

Any questions regarding this policy or its operation should be directed to the Data Protection Manager.