Introduction: our commitment
We are committed to ensuring that all personal data is handled, stored, processed and used (“processed”) responsibly, fairly and in compliance with all applicable personal data protection laws, including the General Data Protection Regulation (“GDPR”) (“Data Protection Laws”), which includes the retention of data in accordance with Data Protection Laws.
What is personal data?
Personal data means any information relating to an identifiable living person (“Data Subject”) who can be directly or indirectly identified in particular by reference to an identifier. See our Privacy Notice (separate document) for examples and further explanation.
This policy applies to you, as a Data Subject, in relation to any of your personal data which is processed by us where we are the ‘Controller’. Where we are the ‘Processor’ we will be subject to the instructions of the applicable ‘Controller’ and will assist you in referring your request to the relevant ‘Controller’. This policy provides an overview of where personal data is stored in the Company, general retention periods for that data, and what happens to the data at the expiry of the retention periods.
The list below provides a high level overview of where personal data is stored in Esri UK:
- Esri UK Servers
- Third Party Servers
- Business Applications – e.g email, CRM, ERP systems
- Personal Devices – Encrypted laptops/desktops/company mobile/USB’s
- Paper Files
Data Retention Periods
Personal data will only be retained for as long as is necessary. This will include for as long as we have a legal basis to retain personal data; for example:
- for contract performance
- for compliance with a legal obligation
- legitimate interests
- for the establishment, exercise or defence of legal claims
Individual systems will have their own retention schedules taking into account the data principle of storage limitation. To ensure data retention periods are being followed, we will perform periodic reviews of systems.
Expiration of the Data Retention Periods
After the expiration of the applicable retention period, electronic data will be erased or anonymised as appropriate. We will record the fact that data has been erased in a centralised log. If there are physical records of data held by the Company, then these will be destroyed in a secure manner at the appropriate time.