The term "personal data" is defined in Art. 4(1) of the EU General Data Protection Regulation (GDPR) and is the entryway to the application of the Regulation: personal data are any information which are related to an identified or identifiable natural person. Does the GDPR also govern the personal data of non-EU citizens living in the EU? Yes, the Regulation applies to data subjects who are physically in the EU.

As per the GDPR, you can process (store, collect, use etc.) personal data once you have one of the six lawful bases/reasons for doing so. The six lawful bases are: 1. … The GDPR requires that when retaining and processing personal data there must be lawful reasoning for doing so. When the data subject has given consent to the processing of his or her personal data, you must be able to prove that you have his/her consent. Consent must be given freely to a specific use, purpose, or processing of personal data. The rules on consent are getting tougher, and individuals can withdraw consent at any time. Employers must record the grounds on which they will be processi… You need a legitimate interest to process candidate data. GDPR obliges you to collect data only for "specified, explicit and legitimate purposes." This means, for example, that you can source candidate data as long as you collect job-related information only and you …

Under data protection legislation employee data should be kept for no longer than is necessary, for the purpose that it was retained. Despite the apparent strictness of the GDPR's data retention periods, there are no rules on how long personal data should be kept for. In short, not much has changed: GDPR largely mirrors the DPA in regards to record keeping, and the new GDPR regulations don't override any of your existing legal requirements. Data must be stored for the shortest time possible. Your company/organisation should establish time limits to erase or review the data stored. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.). Set your own deadlines based on your purposes for processing, and the organisation must document and justify why it has set the timeframe it has. Set a strict minimum on how long personal data can be stored, and also set time limits for deleting records, or at least reviewing whether you still need them. You must also be able to justify why you need to keep personal data in a form that permits identification of individuals. In each case, you'll need to consider intended use, legal requirements, industry practices, the risks of keeping the data and how easy it is to keep it up to date. This further means there is a time limit on how long customers' data can be …

As a result, you should keep personal data, performance appraisals and employment contracts for six years after an employee leaves. They can do this within six years of the alleged breach. A potential breach-of-contract claim would require retaining the relevant records for seven years from the date of breach. An action for me and my practice in all my GDPR reading is to double check if that limit is 5, 6 or 7 years.

Personal data an employer can keep about an employee, and employee rights to see this information under data protection rules. … which allows you to act on your right to obtain access to your personal data held by a company. Don't forget, a former employee—or anyone you hold data on—might issue you with a Subject Access Request (SAR) to see what data you have on them. This is a common tactic employees can use to find out information that their managers or HR Dir… If you: 1. Send emails which discuss the employee with other colleagues; 2. … How you use data will be more transparent.

Take special care with "special categories" such as data on race, opinions, beliefs, health, sexual orientation and so on. Sensitive personal data are also covered in GDPR as special categories of personal data. The special categories specifically include: …

Your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment and who, in exchange for your intermediary services, pay you a fee. You keep the data for 20 years and take no measures for updating the CVs. The storage period doesn't seem proportionate to the purpose of finding employment for a person in the short to medium term. Moreover, the fact you don't request updates to CVs at regular intervals renders some of the searches useless for the person seeking employment after a certain amount of time (for instance because that person has gained new qualifications).

By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.). They're probably not relevant to most situations that businesses will face. Researchers – Steps to Take. If you are holding and using personal data to support research, the Information Commissioner's Office says you can keep personal data for research indefinitely. You must provide participants with some specific protections.

You should also consider whether you can minimise a record after a certain time. If you can anonymise your records that is the same as deletion, as GDPR does not apply to anonymous data, but the information must be truly anonymous, so that there is no way the data subject can be re-identified from it. You could anonymise any data so you could keep it for longer – if you need to, that is. Securely dispose of data once you no longer need it, before it goes out of date. Decide who will do what in terms of collecting, storing, securing, updating and disposing of data, and make sure everyone knows their responsibilities. We also give you a certificate of destruction so you have a full audit trail.

Transparency and accountability are important where children's data is concerned and this is especially relevant when they are accessing online services. Schools handle a large amount of personal data. This includes information on pupils, such as grades, medical information, images and much more. Schools will also hold data on staff, governors, volunteers and job applicants. Schools will also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership. What is persona…

Transfer of data. Transfers may …

But, the first wave of GDPR features became available in a new version of SuperOffice CRM in February 2018, long before the May 25th deadline, and GDPR-compliant features will continue to be rolled out throughout the year.

Data Retention Time is a Piece of String (not cake unfortunately). With Google releasing news this week of new data retention controls for Google Analytics in response to GDPR requirements, which mean you can now decide how long you hold your users' data for, we thought it might be useful to try and figure out just how long you should be holding data for.