RED HELMET TECHNOLOGY PTY LIMITED

DATA RETENTION AND DELETION POLICY

What is the purpose of this document?

Under GDPR only personal data that is necessary should be collected and personal data should only be kept as long as is necessary for the purpose for which it was collected. This document sets out the policy in respect of data retention and deletion.

Retention

Candidates
  1. Candidates should be provided with our recruitment privacy policy when they apply, or as soon as is reasonably practical after they apply.
  2. Where a candidate is successful and is offered, and accepts, a job with Red Helmet Technology Pty Limited, his/her personal information provided during recruitment will be retained.
  3. Where a candidate is not successful, his/her personal data will be held for a period of 2 years and (other than in the circumstances set out in paragraph 4 below) then deleted.
  4. After 2 years, all personal data held on the unsuccessful candidate will be deleted save:
    • for the name and email address of the candidate which is retained for 6 years for record purposes in order to identify whether he has previously applied to Red Helmet Technology Pty Limited;
    • where the candidate has re-applied for other roles, for 2 years after their last application;
    • if the candidate has made any complaint about the recruitment process for 2 years after the date of the complaint.
Employees
  1. Employees should be provided with our employee privacy policy as soon as possible after they commence employment.
  2. We retain personal data on employees for the duration of their employment. When an employee leaves, personal data should be deleted as follows:
    • 6 months after termination of employment, assuming no Tribunal claim or other claim has been commenced or threatened, all personal information other than that set out in paragraph 3;
    • if a Tribunal claim or other claim is commenced, 12 months after the final judgment is made in respect of that claim, or a settlement is reached;
    • if a Tribunal claim is threatened but not commenced, 12 months after termination of employment; and
    • if any other claim is threatened but not commenced, 6 years after the event giving rise to the claim, or the date of the last threat (whichever is later).
  3. Notwithstanding the above, the following personal data will be retained for 6 years after termination of the employee’s employment:
    • salary information, tax and payroll documentation and records;
    • information on hours worked and matters billed;
    • emails and communications with Red Helmet Technology Pty Limited team members and customers; and
    • details of professional qualifications (where relevant to Red Helmet Technology Pty Limited’s obligations to customers).
Customers
  1. Customers and prospective customers should be provided with our privacy policy as soon as possible after first contact with them.
  2. We retain personal data on customers for so long as they hold an account with us or for 6 years after their last purchase. After this period the files should be deleted unless requested otherwise by the customer.
  3. If we have engaged with a prospective customer but have not provided services to them, their data may be retained for 12 months and further marketing activities may take place in respect of them (subject to us having received consent for direct marketing or in compliance with our legitimate interests policy). In the event that we do not receive further engagement with the prospective customer within the period of 12 months, all data sets other than their name and email address should be deleted.
  4. Where the prospective customer has continued to engage with Red Helmet Technology Pty Limited, we can retain their personal data for 12 months from their last engagement.

Process in respect of a deletion request

  1. If we have provided services to the requester, our default position would be to retain historic transaction data and ID data for 6 years for audit, warranty and tax purposes. However we would delete their user account and any extraneous personal information. Where we have engaged with the requester, but have not sold provided services to them, data would be deleted immediately. This should be communicated to the requester. If a requester raises an objection, this should be escalated to management.
  2. If a request is made in circumstances where we elect to honour the request, the provisions of paragraph 3 apply.
  3. Once a request is made, (to the extent that we will honour the request) within 30 days the data to be deleted will be manually deleted from all our systems and those of our processors.
  4. Where we will not honour an erasure request, within 30 days of receipt of a request, we will notify the data subject as to the reasons why we will not honour the request and when the data will eventually be deleted.