Retention policy

Record of Processing Activities Under Article 30 (GDPR)

Activities for data controllers

This Retention Policy describes how Methods Business and Digital Technology Limited and its subsidiaries and affiliates, to include Core Azure Limited (“collectively “Methods”), processes personal data. Methods recognises that Article 30 of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (upon enactment) imposes documentation requirements on controllers and processors of data. This Policy is company confidential information, but Methods will provide it to the appropriate supervisory authority on request as required by Article 30.

Data Controller Details:

Name: Methods Business and Digital Technology Limited

Address: Saffron House, 6-10 Kirby Street, London, EC1N 8TS

Telephone Number: +44(0)20 7240 1121

Website: https://methods.co.uk/ and http://www.coreazure.com/

Data Privacy Manager: Mark Hewitt

Categories of data subjects

Methods collects personal data from the following categories of data subjects:

  • Methods’ customers
  • Methods’ vendors or suppliers
  • Methods’ employees and job applicants.

Categories of personal data

Methods collects the following categories of personal data about customers:

  • Personal details including name and contact information
  • Device details
  • Browser history details
  • Location details
  • Electronic identification data including IP address and information collected through cookies
  • Financial details
  • High Level Design, Low Level Designs, Configuration documentation
  • Contractual details including the services provided.

 

Methods collects the following categories of personal data about employees and job applicants:

  • Personal details including name and contact information
  • Date of birth
  • Gender
  • Marital status
  • Beneficiary and emergency contact information
  • Government identification numbers
  • Education and training details
  • Bank account details and payroll information
  • Wage and benefit information
  • Performance information
  • Employment details
  • Special categories of personal data, including data relating to an employee’s
    • racial or ethnic origin
    • religious or philosophical beliefs
    • health.

 

Methods collects the following categories of personal data about vendors or suppliers:

  • Name and contact information
  • Financial and payment details
  • Device details
  • User activity details and user preferences
  • Browser history details
  • Location details
  • Electronic identification data including IP address and information collected through cookies.

Purposes of data processing  

Methods collects and processes personal data about customers for the following purposes:

  • Maintaining and enhancing Methods’ services
  • Providing services and customer management
  • Account management
  • Direct marketing
  • Supporting network and system security
  • Auditing
  • Detecting and preventing fraud
  • Complying with legal obligations
  • Conducting web analytics.

 

Methods collects and processes personal data about employees and job applicants for the following purposes:

  • Recruitment and selection of employees
  • Personnel management
  • Workplace monitoring
  • Human resources administration including payroll and benefits
  • Complying with legal obligations and reporting requirements
  • Education, training, and development activities.

 

Methods collects and processes personal data about vendors or suppliers for the following purposes:

  • To obtain products and services
  • Vendor administration, order management, and accounts payable
  • Evaluating potential suppliers
  • Deliver Services.

Categories of personal data recipients  

Methods discloses personal data to the following categories of recipients, some of which may be located in third countries or may be international organisations as defined in Article 4(26) of the GDPR:

  • Methods’ parent company, subsidiaries, and affiliated entities
  • Business partners
  • Auditors and professional advisors, such as lawyers and consultants
  • Law enforcement officials to include the police and Information Commissioner’s Office
  • Third-party service providers, such as providers of:
    • IT system management
    • information security
    • human resources management
    • payroll administration; or
    • Pension provision and administration
    • Health care provision.

Methods makes limited personal data transfers subject to the second subparagraph of Article 49(1) which are necessary for Methods’ compelling legitimate interests. Methods provides appropriate safeguards for these limited personal data transfers through contractual clauses.

Personal data retention periods

Except as otherwise permitted or required by applicable law or regulation, Methods only retains personal data for as long as necessary to fulfil the purposes Methods collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, Methods considers the amount, nature, and sensitivity of personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for processing the personal data, whether the employer can fulfil the purposes of processing by other means, and any applicable legal requirements.

Methods typically retains personal data for the periods set out below, subject to any exceptional circumstances or to comply with laws or regulations that require a specific retention period:

Information about customers:

  • Personal details including name and contact information: 7 years
  • Family and lifestyle details: 7 years
  • Electronic identification data including IP address and information collected through cookies: 7 years
  • Contractual details including services provided: 7 years.

 

Information about employees and job applicants:

  • Personal details including name and contact information: 7 years
  • Recruitment – 24 months
  • Conditions of employment – 7 years after date of termination.

Payroll Administration:

  • Salary data: 7 years from the end of the financial year to which they relate
  • Payroll data: 7 years from the end of the financial year to which they relate
  • Individual employees personal payroll history: 7 years
  • Pensions Administration: 7 years

Disciplinary

  • Records of formal disciplinary actions in employee file. Retain both paper and electronic for review 3 years after last action
  • Grievances Records of formal grievances on employee file. Retain both paper and electronic for review 3 years after last action
  • Termination of employment Electronic: Records relating to individual employee files: Retain 3 years

 

Employee Files from date of leaving Methods:

  • Date of birth: 3 years
  • Gender: 3 years
  • Beneficiary and emergency contact information: 3 years
  • Government identification numbers (passport, birth and marriage certificate etc.): 3 years
  • Education and training details: 3 years
  • Bank account details and payroll information: 7 years
  • Wage and benefit information: 7 years
  • Performance information: 3 years
  • Employment details: 3 years
  • Special categories of personal data, including information that relates to an employee’s racial or ethnic origin, political opinions and health: 3 years.

 

Information about vendors or suppliers:

  • Name and contact information: 10 years
  • Financial and payment details: 10 years.

Technical and organisational security measures

Methods has implemented the following technical and organisational security measures to protect personal data:

  • Encryption of personal data
  • Segregation of personal data from other networks
  • Access control and user authentication
  • Employee training on information security
  • Written information security policies and procedures.

Changes to this Retention Policy

Methods reserves the right to amend this Retention Policy from time to time consistent with the GDPR and other applicable data protection requirements.

Effective Date:

5 April 2018

Last modified:

22 October 2020

Retention policy

(For data processors)

This Retention Policy describes how Methods processes personal data. Methods recognises that Article 30 of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (upon enactment) imposes documentation requirements on controllers and processors of data.

Data Processor Details:

Name: Methods

Address: Saffron House, 6-10 Kirby Street, London, EC1N 8TS

Telephone Number: +44(0)20 7240 1121

Website:  www.methods.co.uk and www.coreazure.com

Data Privacy Manager:  Mark Hewitt

Categories of processing

Data Processor processes personal data on behalf of its Customers and Suppliers for the following purpose(s):

  • Research and analytics
  • Product development
  • Direct marketing
  • Professional and advisory services
  • IT system management
  • Information security
  • Human resources management
  • Payroll administration
  • Pension plan administration
  • Managed Services.

Technical and organisational security measures

Data Processor has implemented the following technical and organisational security measures to protect personal data:

  • Encryption of personal data
  • Segregation of personal data from other networks
  • Access control and user authentication
  • Employee training on information security
  • Written information security policies and procedures (ISO 27001 and Cyber Essentials).

Changes to this Retention Policy

Methods reserves the right to amend this Retention Policy from time to time consistent with the GDPR and other applicable data protection requirements.

Effective Date:

5 April 2018

Last modified:

22 October 2020

Any questions?

Please contact us on business.assuranceteam@methods.co.uk or call us on 020 3795 5680