Data Retention Policy

Last updated: 2024-Jan-18

1.1 Purpose

This Policy sets out the type(s) of personal data held by the Company, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

1.2 Scope

This policy applies to all persons within the Company (meaning permanent, fixed-term and temporary staff, and sub-contractors engaged by the Company). Adherence to this policy is mandatory, and non-compliance may lead to disciplinary or contractual action.

1.3 Policy

This policy sets out the obligations of Brain Payroll UK Limited (hereinafter referred to as the "Company") regarding the retention of personal data collected, held and processed by the Company in accordance with the General Data Protection Regulation ("GDPR").

The GDPR defines "personal data" as any information relating to an identified or identifiable natural person (a "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The Company only retains records and information for legitimate business or legal reasons and complies fully with EU data protection law, guidance and best practice.

1.4 Objectives

The GDPR imposes obligations on the Company, as a Data Processor, to process personal data fairly, in line with the purposes notified to data subjects, and to retain that data for no longer than is necessary to achieve those purposes.

The Company's objectives and principles in relation to data retention are summarised as follows:

  • Personal data is processed on client servers via Remote Desktop and Virtual Desktop Infrastructure (VDI).
  • All work is performed on client servers. Any exception must be recorded in the data processing agreement, and controls are in place so that Company staff cannot download data to Company premises unless this has been agreed and is required for processing.
  • Any server managed by the Company has adequate Data Leak Prevention (DLP) controls in place and, where possible, these are enforced by automation.
  • If the Company receives data from a client, or downloads it from client servers, it is stored in an encrypted (AES-128/256) storage location.
  • Set out limits for the retention of personal data and ensure they are complied with.
  • Ensure the safe and secure disposal of confidential data and information assets.
  • Ensure that records and documents are retained for the legal, contractual and regulatory periods required by each relevant body's rules or terms.
  • Mitigate the risk of breaches involving confidential information.
  • DLP controls are in place, comprising technical measures (such as VDI tooling) and physical measures (no internet access or camera phones are permitted within the data processing room).

1.5 Responsibilities

Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments' activities. They must ensure that the records created, received and controlled within their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way that meets the aims of this policy.

Where a DPO has been designated, they must be involved in all data retention processes, and records of all archiving and destruction must be retained. Individual employees must ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the Company's protocols.

1.6 Retention Period

  • The IT Department works closely with the Operations team to determine how long data must be stored and when it must be deleted (in line with the work order/agreement).
  • Any records or evidence of an incident are retained for at least 3 years and reviewed quarterly. Disposal is decided by the ISMS Team.
  • Where the client hosts the personal data, the records are not stored on BrainPayroll servers or office premises.

Client Data

Data Type: PII (Excel, Word, PDF files)
  Retention Period: One month
  Why is it collected: Payroll processing
  Who can access: Data Processing Team
  Security: Stored in an encrypted, password-protected location
  Final Disposition: Secure deletion

Data Type: Database
  Retention Period: Not applicable (access only; no copy is retained)
  Why is it collected: Debugging
  Who can access: Development Team
  Security: Access through SQL Server Management Studio
  Final Disposition: Access is removed immediately once the purpose is complete

Data Type: Masked database for production issues
  Retention Period: For the duration of the debugging work
  Why is it collected: Debugging
  Who can access: Development Team
  Security: Data is masked and downloaded only after the client's approval. The IT team downloads it only to a secure location; the development team is granted access on a password-protected system
  Final Disposition: Secure deletion

Payroll Application logs Information

Data Type: Payroll application audit logs
  Retention Period: 3 years
  Why is it collected: Investigation of incidents involving third-party external applications
  Who can access: Production support team
  Security: Stored in a database on a UK server
  Final Disposition: Secure deletion

Incident & Evidence

Data Type: Incident records and evidence
  Retention Period: 3 years
  Why is it collected: To minimise the impact on business operations
  Who can access: Compliance officer and management
  Security: Stored in a lockable filing cabinet (CS owns access to the files). If stored as an e-copy, access is password protected
  Final Disposition: Confidential shredding or safe/secure deletion
