Data Retention Policy.
Purpose
This Data Retention Policy outlines how Astreo HR retains, reviews, and securely disposes of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The purpose of this policy is to ensure that personal data is not kept longer than necessary and is handled in a secure and compliant manner throughout its lifecycle.
Scope
This policy applies to all personal data processed by Astreo HR, including data relating to:
- Clients and prospective clients
- Employees, contractors, and associates
- Candidates and HR-related data processed on behalf of clients
- Website users and enquiries
Principles of Data Retention
We follow these key principles:
- Personal data is retained only for as long as necessary for its purpose
- Retention periods are based on legal, regulatory, and business requirements
- Data is securely deleted or anonymised when no longer required
- Regular reviews are conducted to ensure compliance
Retention Periods
Enquiries / Consultation Requestions
Purpose: Responding to initial enquiries
Retention Period: Up to 12 months from last contact
Client Contact Details
Purpose: Managing client relationships
Retention Period: Duration of contract +6 years
Client HR Data (processed on behalf of clients)
Purpose: Delivery of HR services
Retention Period: As agreed in client contract (typically duration of contract +6 years)
Contracts and Agreements
Purpose: Legal and financial record-keeping
Retention Period: 6 years after contract ends
Financial Records (invoices, payments)
Purpose: Tax and accounting obligations
Retention Period: 6 years (as required by law)
Marketing Data
Purpose: Sending communications (with consent)
Retention Period: Until consent is withdrawn or after 24 months of inactivity
Recruitment Data (unsuccessful candidates)
Purpose: Recruitment processes
Retention Period: Up to 12 months after recruitment ends
Employee Records
Purpose: Employment administration
Retention Period: Duration of employment +6 years
Sub-contractor / interim consultant data
Purpose: Administration of subcontractors and interims
Retention Period: Duration of contract +6 years
Website analytics
Purpose: Improving website performance
Retention Period: Up to 26 months
Special Category Data
Where we process sensitive personal data (e.g. health, disciplinary, or diversity data), we will:
- Apply stricter retention controls
- Retain only for as long as strictly necessary
- Ensure enhanced security measures are in place
Data Review
We conduct periodic reviews of stored data to:
- Identify data that is no longer required
- Ensure retention periods are being followed
- Maintain data accuracy and relevance
Data Disposal
When data reaches the end of its retention period, it will be:
- Securely deleted from electronic systems
- Permanently erased from backups where feasible
- Shredded if in physical format
We ensure that disposal methods prevent unauthorised access or recovery.
Legal and Regulatory Requirements
In some cases, we may retain data longer than stated if required to:
- Comply with legal obligations
- Resolve disputes
- Enforce agreements
Responsibilities
Astreo HR is responsible for implementing and maintaining this policy.
All staff and contractors must:
- Follow retention guidelines
- Ensure data is not kept unnecessarily
- Report any concerns regarding data handling
Third-Party Data Processing
Where third parties process data on our behalf, we ensure:
- Retention periods are defined in contracts
- Data is returned or deleted upon termination of services
Policy Review
This policy will be reviewed regularly and updated to reflect legal, regulatory, or operational changes.
Contact
For questions about thie policy or data retention practices, please contact:
Marcelle Stewart, Managing Director
Astreo HR Limited, Unit 1, The Cam Centre, Wilbury Way, Hitchin, SG4 0TW
