CSnotepad Data Retention Policy
1. Introduction
CSnotepad is committed to complying with all applicable laws and regulations in the handling of information, including Data Protection laws. We will apply appropriate technical and organisational measures to protect customer and employee personal data at all times.
This policy sets out how CSnotepad manages the retention, storage, and destruction of data, including but not limited to personal data. It should be read alongside our Data Protection Policy. Its purpose is to ensure that data is only kept for as long as necessary, is disposed of securely, and is handled consistently across the business.
2. Scope
This policy applies to all business data, whether held in hard copy or electronically. Its purpose is to ensure that data is retained only for as long as necessary to meet our legal, regulatory, and contractual obligations, while protecting the rights of individuals under Data Protection law.
In practice, this means:
Data must not be kept longer than necessary;
Data must not be deleted prematurely;
Data must always be disposed of securely.
3. Definitions
For the purposes of this policy, the following terms apply:
Personal Data: Any information relating to an identified or identifiable individual.
Data Subject: The individual whose personal data is being processed.
Data Controller: The person or organisation that determines how and why personal data is processed.
Data Processor: The person or organisation that processes personal data on behalf of a Data Controller.
Processing: Any operation performed on personal data, whether automated or not (e.g. collection, storage, use, disclosure, deletion).
Personal Data Breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning a person’s health, sex life, or sexual orientation.
A full glossary of terms is available in our Data Protection Policy.
4. Roles and Responsibilities
All employees, contractors, and third parties who process data on behalf of CSnotepad are responsible for complying with this policy.
The Data Protection Officer (DPO) can be contacted at info@csnotepad.co.uk or by post to:
Data Protection Officer
CSnotepad
The Offices
57 Newtown Road
Brighton
BN3 7BA
The DPO is responsible for maintaining this policy and ensuring compliance.
Department Heads must ensure that documented procedures are in place to comply with this policy within their areas of responsibility.
All employees must familiarise themselves with and follow the most up-to-date version of this policy.
All third-party processors engaged by CSnotepad must operate under a written Data Processing Agreement (DPA) to ensure compliance with Data Protection law.
5. Policy
Information and records (hard copy and electronic) must be retained for the minimum periods set out in our Data Retention Guidelines (see Appendix 1).
Before destruction, records must be reviewed to check whether there are legal, regulatory, or business reasons to retain them longer (e.g. potential litigation, ongoing complaints, or regulatory investigations).
Records must be securely deleted at the end of the retention period or earlier if required under Data Protection law.
5.1 Suspension of Destruction
If a claim, audit, investigation, subpoena, or litigation is reasonably foreseeable, the DPO (or a nominated senior manager) will suspend destruction of any relevant records until the matter is resolved.
5.2 Retention Periods
Data must only be kept for as long as necessary to fulfil our contractual, legal, and regulatory obligations. For customer data, this includes retaining email data for up to six years in line with our Terms and Conditions. Full retention periods are listed in Appendix 1.
5.3 Methods of Destruction
All data must be destroyed in a secure manner that preserves confidentiality.
Hard copy records must be disposed of in confidential waste bins provided throughout the business.
Electronic records must be securely wiped in line with recognised industry standards (e.g. NCSC guidelines) so they cannot be restored.
Any electronic equipment must be securely wiped and, where appropriate, physically destroyed before disposal.
5.4 Duplicate Information
Duplicate records must not be retained unnecessarily. Where information has been shared across departments, all copies must be identified and deleted in line with the Data Retention Guidelines.
6. Training
All new employees will receive training on their responsibilities under this policy as part of their induction.
Refresher training will be provided at least annually, and whenever there are significant changes to data retention or Data Protection law.
Additional role-specific training will be given where employees handle higher-risk personal data (e.g. HR, Accounts).
Training records will be maintained to demonstrate compliance.
7. Monitoring Compliance
Compliance with this policy will be monitored through an annual Data Protection Compliance Audit, led by the DPO.
The audit will check, at minimum:
Adherence to retention periods set out in Appendix 1;
Correct and secure storage of personal data;
Secure and timely deletion of personal data;
Secure disposal of hard copy and electronic records.
Department Heads are responsible for addressing any deficiencies identified in their areas and must agree a remediation plan with the DPO within a reasonable timeframe.
The DPO will report any significant deficiencies to senior management and monitor progress until resolved.
Additional spot checks may be conducted where specific risks are identified.
8. Review
This policy is owned by the Data Protection Officer (DPO) and will be reviewed at least annually, or sooner if:
Relevant legislation or regulatory guidance changes;
Operational practices change in a way that affects data retention;
Issues are identified through audits or incidents.
All reviews and updates will be approved by senior management.
Schedule 1 – Data Retention Guidelines
Client Personal Data:
Where CSnotepad acts as a Data Controller, all personal data will be protected, retained, and deleted in accordance with our contractual agreements and Data Protection legislation. Where CSnotepad acts as a Data Processor, personal data will be protected and treated in line with the contractual terms agreed with the Data Controller and applicable Data Protection legislation.
Personal and sensitive data will only be retained for as long as it is required to deliver our services, or until we are instructed to delete it. In line with our Terms and Conditions, customer email data may be retained for up to six years to meet our legal and contractual obligations.
Where data is processed for marketing purposes, it will be retained until you opt out of receiving such communications or until it is deleted in line with our Marketing Policy.
As part of providing our services, we may also process data under our legitimate business interests in ways that would reasonably be expected and which do not materially impact your rights, freedoms, or interests.
Central Business Records:
Accounting and financial records will be retained for a minimum of six years, unless a longer period is required under contractual agreements or statutory obligations.
Complaints records will be retained for three years following resolution, to ensure evidence is available should any matter be escalated to a regulator or legal authority.
Records relating to legal cases or claims will be retained on a case-by-case basis, as determined by the Data Protection Officer in consultation with senior management, in accordance with Data Protection legislation.
HR Records:
CSnotepad will retain employee records in line with Chartered Institute of Personnel and Development (CIPD) guidance and statutory requirements.
Records relating to income tax, national insurance, HMRC correspondence, statutory sick pay, statutory maternity pay, and parental leave will be retained for three years from the end of the tax year to which they relate.
Records relating to salary details, retirement benefit scheme changes, redundancy, and pensions will be retained for six years from the end of the tax year to which they relate.
Application forms and interview notes for unsuccessful applicants will be retained for three months after the conclusion of the recruitment process, after which they will be securely deleted.
Website Cookies:
CSnotepad uses cookies to support the functionality of our website, analyse usage, and assist with marketing activities. We do not collect personal information such as names or addresses through cookies.
Full details of the cookies in use, their purpose, and their retention periods are set out in our Cookie Policy, which can be accessed via the website footer or at www.csnotepad.co.uk/cookie-policy.