Data Retention Policy

Last updated on June 1, 2020

Purpose

PayCore.io Limited (also referred to as “PayCore.io,” “we,” “us,” or “our”), a company incorporated in England and Wales with registered number 11654625 whose registered office is at St. Martin’s House, 16 St. Martin’s Le Grand, London, Greater London, EC1A 4EN, must comply with obligations under Data Protection Laws whenever we process Personal Data relating to our customers, vendors or any other legal individuals we interact with.

This includes the obligation not to process any Personal Data which permits the identification of Data Subjects for any longer than is necessary and the purpose of this policy is to assist us to comply with that obligation. This policy should be read alongside the Data Retention Schedule which is appended at Appendix 1 to this policy and which provides guideline data retention periods for different types of Personal Data we hold.

This policy applies to all PayCore.io customers (“you” or “your”). This policy shall be interpreted as an integral part of the Customer Agreement between PayCore.io and you, even when it is not mentioned directly.

Compliance with this policy will also assist us to comply with our ‘data minimisation’ and accuracy obligations under data protection laws, which require us to ensure that we do not retain Personal Data which is irrelevant, excessive, inaccurate or out of date.

We are also required under data protection laws to inform Data Subjects about how long we will retain their Personal Data in our privacy notices.

All capitalized terms shall have the meaning set forth in clause 18 of this Policy.

Scope

This policy and the Data Retention Schedule specify the retention and destruction requirements that apply to all Personal Data, regardless of the tangible or intangible form they take. This includes, but is not limited to: first, middle and last name; title; position; employer’s details; contact information (company, email, phone, physical business address); localisation data; IP address; device fingerprint; address, ZIP or post code; date of birth; gender; any other Personal Data submitted by, sent to, or received by PayCore.io from you or your end users.

Responsibility

Compliance with this policy is overseen by the data protection officer, Mr Denys Melnykov (“Data Protection Officer”). PayCore.io is registered (registration number ZA476916) with the Information Commissioner’s Office (ICO) and is currently listed in the data protection register.

The data protection officer may be reached via mail at this address: PayCore.io Limited, 16 St. Martin’s Le Grand, London EC1A 4EN, United Kingdom; or email address [email protected].

Your compliance with this policy is mandatory. Any breach of this policy may result in disciplinary action.

Policy

PayCore.io is required under Data Protection Laws to ensure that any object containing Personal Data is not retained in a form which enables the identification of individuals for any longer than is necessary for the purposes for which the Personal Data have been collected. We must be able to justify our retention of Personal Data to the authority responsible for enforcing data protection laws in the UK, the ICO.

This means that PayCore.io must not retain the Personal Data for any longer than is necessary:

For the operational purpose that the Personal Data was collected for, and which the relevant Data Subject has been informed of. Where the Personal Data is received or collected by you from a third Data Subject as your end user, it is your sole responsibility to inform this third Data Subject about the purpose of collection and about the Personal Data processor (i.e. PayCore.io);

In order to comply with any applicable statutory or regulatory retention requirements; or

To enable PayCore.io to exercise its legal rights and/or defend against legal claims.

Where a statutory or regulatory retention requirement applies, or where data is relevant to an actual or potential legal claim, only the specific Personal Data which is required to be retained in order to meet the statutory/regulatory retention requirement or for a legal claim, should be retained for those purposes.

Personal Data may also be retained for a longer period if it is solely for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures which are required by data protection laws, in order to safeguard the rights and freedoms of the Data Subject.

We must take a proportionate approach to data retention, balancing our needs with the impact of retention on Data Subjects’ privacy. We also need to comply with all other aspects of data protection laws in relation to the Personal Data we retain, including ensuring that its retention is fair and lawful and that it is secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Guideline data retention periods for different types of Personal Data, which should be followed by all employees, are provided in the Data Retention Schedule, which is appended at Appendix 1 (the Data Retention Schedule). However, earlier deletion may be appropriate in some circumstances, for example if PayCore.io is not actually using a record and does not need to retain it to comply with a statutory or regulatory retention requirement or to enable PayCore.io to exercise its legal rights and/or defend against legal claims. If you believe your Personal Data qualifies for earlier deletion, please contact the Data Protection Officer to reconsider whether PayCore.io needs to retain such records.

We must ensure that any request received from a Data Subject asking us to delete or destroy their Personal Data under the ‘right to be forgotten’ is dealt with in accordance with Data Protection Laws.

Prior to the expiry of the retention period for the Personal Data provided in the Data Retention Schedule, the Personal Data should be reviewed by PayCore.io at regular intervals to determine whether PayCore.io should continue to retain it (or any part of it), for operational reasons, in order to comply with a statutory retention period or a regulatory obligation or for the purposes of a legal claim.

Any queries about the applicable retention period for Personal Data should be directed to the Data Protection Officer.

Deletion, destruction or anonymising data

Where there is no need to retain Personal Data any longer, it is your responsibility to ensure that the Personal Data is securely and permanently deleted or destroyed in accordance with this policy or that it is anonymised. Personal Data is anonymised where no Data Subject can be identified from the data, either from that data alone or together with other data that PayCore.io holds, has access to or may obtain access to.

Personal Data must be deleted or destroyed using one of the following secure methods:

Documents retained electronically should be deleted with a secure deletion utility that ensures that the information cannot be retrieved. Standard deletion utilities that only remove the file pointer should not be used.

Personal Data on hard drives, removable media and any similar items must be securely erased before any disposal or reassignment of the equipment. Accepted methods include utilities that meet the DoD 5220.22-M standard, or encrypting the entire contents of the medium to at least AES-256 and irretrievably deleting the encryption key.

Where Personal Data cannot be erased from equipment, it must be physically destroyed by an authorised, specialist destruction company, and certificates of destruction must be obtained.

Paper copies must be destroyed using cross-cut shredders.

You approve the destruction or deletion of the Personal Data in advance and must record it, including the date (and time if relevant), the content of the Personal Data and the method of destruction or deletion. You are also responsible for receiving destruction or deletion approval from your end users.

Changes to this policy

We may update this Policy at any time by posting a revised version on the Website. It is your responsibility to check the Website regularly for modifications to this Policy. We last modified this Policy on the date listed at the beginning hereof.

Definitions and their interpretation

In this Agreement, the following definitions are used:

| Definition | Interpretation |
| --- | --- |
| “Data Protection Laws” | means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced |
| “Data Subject” | means an identified or identifiable natural person to whom Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| “Personal Data” | means any information relating to an identified or identifiable individual where such information is contained within data provided by Customer and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws. |
| “Website” | means any information relating to an identified or identifiable individual where such information is contained within data provided by Customer and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws. |

Appendix A
Data Retention Schedule

| Description | Retention Period |
| --- | --- |
| First, middle and last name | 10 years |
| Title | 10 years |
| Position | 10 years |
| Contact information (email, phone, postal address etc.) | 10 years |
| Localisation data | 10 years |
| Device fingerprint | 10 years |
| Registered address, ZIP or post code | 10 years |
| Date of birth | 10 years |
| Position, employer’s details | 10 years |
| Any other Personal Data received from you | 10 years |
