DATA RETENTION POLICY

Contents
Definitions
Introduction
Contact details
Aims, objectives, and scope
Erasure and restriction of processing rights
Data disposal
Data retention
Implementation

Definitions

Client means any person who has signed up to TR’s services, regardless of whether TR makes a claim with Her Majesty’s Revenue and Customs (HMRC).
Data in this Policy means personal data, which is any information relating to a person.
Delete means the removal of all or part of a client file (including data) from TR’s databases and records and those of its relevant third-party processors.
GDPR means the EU Data Protection Regulation (EU) 2016/679 which is directly effective in the UK until 31 December 2020. After that, it means the UK GDPR (which is effectively the rules in the Data Protection Act 2018).
Person means what the GDPR calls a “data subject”. People means more than one person. The GDPR defines a data subject as “an identifiable natural person, someone who can be identified, directly or indirectly”.
TR means us i.e. Tax Returned Limited, an English company, number 08828062, whose registered office is 207 Regent Street, 3rd Floor, London, England, W1B 3HH.

Introduction

This Policy sets out TR’s data retention obligations and policies. This Policy applies to all data (except for employee, applicant, or service provider data) dealt with by TR (and by third-party data processors processing data on TR’s behalf).

Under the GDPR, TR must keep data in a form which permits the identification of people for no longer than is necessary for the purposes for which TR processes the data. In certain cases, controllers may store data for longer periods (although those cases do not apply to TR).

The GDPR also includes the ‘right to erasure’, also known as ‘the right to be forgotten’. In other words, people have the right to have their data erased (and to prevent the processing of that data) in the following circumstances:

1. Where the data are no longer required for the purpose for which they were originally collected or processed.
2. When the person withdraws their consent (if the data is held based on that person’s consent).
3. When the person objects to the processing of their data and TR has no overriding legitimate interest or legal obligation.
4. When the data are processed unlawfully (i.e. in breach of the GDPR).
5. When TR must erase the data to comply with a legal obligation.
6. Where the data are processed for the provision of information society services to a child (which is not applicable to what TR does).

This Policy sets out the types of data held by TR for delivery of TR’s services, the periods for which that data are retained by TR, the criteria for establishing and reviewing such periods, and when and how data are to be deleted or otherwise disposed of.

Contact details

TR has a privacy manager called the Data Protection Manager. For further information on TR and other aspects of data protection and compliance with the GDPR, please contact the Data Protection Manager at: dataprotection@getyourtaxreturned.co.uk

Aims, objectives, and scope

The primary aim of this Policy is to set out clearly for all to see limits for TR’s retention of data so that TR is accountable and transparent. TR stores data in the following ways:

• On servers belonging to TR (or its third-party data processors).
• On computers belonging to TR (or its third-party data processors).
• On mobile phones belonging to TR (or its third-party data processors).

Erasure and restriction of processing rights

All data held by TR is held in accordance with the requirements of the GDPR and people’s rights under it, as set out in TR’s Privacy Policy (link here). TR keeps people fully informed of their rights, what data TR holds about them, how TR uses that data, and how long TR will hold that data. People have the right:

1. To request that TR delete their data (notwithstanding the retention periods otherwise set out in this Policy); and
2. To restrict TR’s use of their data.

TR will comply with erasure requests where it does not have an overriding reason, listed in this Policy, to retain the person’s data.  Please note that:

1. TR has a legal obligation to retain client records for five years after the end of the business relationship with a person under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
2. TR will retain data for just over six years from the end of the contract with a person where it has filed tax documents with HMRC, so it is available for the establishment, exercise, or defence of legal claims related to TR’s performance of contracts with clients. The six-year period is based on sections 2 and 5 of the Limitation Act 1980 and we need some time after that to perform the deletion.

Please consult the ICO’s website (linked here) if you wish to verify TR’s position.

Data disposal

When the data retention periods set out in this Policy come to an end, TR will anonymise a person’s data unless that person has requested erasure or restriction of processing, in which case TR will delete that person’s data. When a person exercises their right to restrict TR’s processing of their data or to have their data erased, where not in contravention of TR’s legal obligations, TR will delete, destroy, or otherwise dispose of the data as follows:

• TR will securely delete data stored electronically (including all backups of it) from TR’s servers, mobile phones, and computers.
• TR will securely shred data stored in a physical format.

Where a person provides to TR an original document (such as a passport or driver’s licence), TR will not retain the original document. TR will instead make a digital copy and store that copy on TR’s servers in accordance with this Policy. TR will return the original document to the person who provided it.

TR does not retain physical copies of documents from HMRC. TR scans documents from HMRC and stores the documents electronically. TR shreds any physical documents received from HMRC within one month of receipt. People cannot request access to original physical copies of correspondence from HMRC.

The Data Protection Manager is responsible for processing all ‘right to be forgotten’ requests and will process requests in accordance with this Policy and the data retention periods set out below.

Data retention

As stated above and as required by law, TR shall not retain any data for any longer than is necessary considering the purposes for which that data is collected, held, and processed.

TR considers these factors when establishing and/or reviewing retention periods:

• TR’s objectives and requirements.
• The type of data in question.
• The purposes for which the data in question was collected, held, and processed.
• TR’s lawful basis for collecting, holding, and processing that data.
• The category or categories of person to whom the data relates.

If a precise retention period cannot be fixed for a data category, TR will establish criteria by which the retention of the data will be determined. This ensures that the data in question, and the retention of that data, can be regularly reviewed against those criteria. Different types of data, used for different purposes, will necessarily be retained for different periods (and their retention periodically reviewed), as set out in the table below.

Notwithstanding the following defined retention periods, certain data may be deleted or otherwise disposed of before expiry of the defined retention period where a decision is made within TR to do so (whether in response to a request by a person or otherwise).

Implementation

This Policy is effective as of 17/7/2020. This Policy applies to all data collected before or after this date.