ComponentSource Data Retention Policy

1.  Introduction

This Policy sets out the obligations of the COMPONENTSOURCE GROUP, comprising companies registered in England, the Republic of Ireland, the United States of America and Japan (“ComponentSource” or “the Company”), concerning the retention of personal data collected, held, and processed by ComponentSource, in accordance with applicable data protection laws in the jurisdictions where it is present or conducts business, including in particular EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”, https://gdpr-info.eu), and the EU-US Privacy Shield, a self-certification program operated by the US Department of Commerce and approved by the EU Commission in Decision C (2016) 4176 on 12 July 2016 (https://www.privacyshield.gov/welcome).

The GDPR defines “Personal Data” as any information relating to an identified or identifiable natural person (a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, street or email address, telephone number, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Under the GDPR, Personal Data must be kept in a form which permits the identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed. In certain cases, Personal Data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for statistical purposes or as otherwise permitted by the GDPR (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).

In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data Subjects have the right to have their Personal Data erased (and to prevent the processing of that Personal Data) in the following circumstances:

a)  Where the Personal Data is no longer required for the purpose for which it was originally collected or processed (see above);
b)  When the Data Subject withdraws their consent;
c)  When the Data Subject objects to the processing of their Personal Data and the Company has no overriding legitimate interest;
d)  When the Personal Data is processed unlawfully (i.e. in breach of the GDPR);
e)  When the Personal Data has to be erased to comply with a legal obligation; or

This Policy sets out the type(s) of Personal Data held by ComponentSource for the purposes of its business of supplying licensed software tools and components to software application developers, the period(s) for which that Personal Data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.

2.  Aims and Objectives

2.1  The primary aim of this Policy is to set out limits for the retention of Personal Data and to ensure that those limits, as well as further Data Subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of Data Subjects under the GDPR.

2.2  In addition to safeguarding the rights of Data Subjects under the GDPR, by ensuring that excessive amounts of data are not retained by ComponentSource, this Policy also aims to improve the speed and efficiency of managing data.

3.  Scope

3.1  This Policy applies to all Personal Data held by ComponentSource and by third-party data processors processing Personal Data on the Company’s behalf (“Sub-processors”).

3.2  Personal Data, as held by ComponentSource or its Sub-processors, is stored in the following ways and in the following locations:

a)  The Company’s servers, located in the UK, Ireland, Japan and the USA;
b)  Third-party servers, operated by Sub-processors (including but not limited to Amazon, Microsoft, Google Analytics, Segment, Woopra, Inspectlet, LiveChat) and located in jurisdictions worldwide; where such servers are not located in the UK, Ireland, Japan or the USA, they are subject to data protection laws which are deemed adequate under the GDPR;
c)  Computers permanently located in the Company’s premises in the UK, Ireland, Japan and the USA;
d)  Laptop computers and other mobile devices provided by the Company to its employees;
e)  Computers and mobile devices owned by employees, agents, and sub-contractors;
f)  Physical records stored in the UK, Ireland, Japan and the USA.

4.  Data Subject Rights and Data Integrity

All Personal Data held by ComponentSource is held in accordance with the requirements of the GDPR and Data Subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.

4.1  Data Subjects are kept fully informed of their rights, of what Personal Data the Company holds about them, how that Personal Data is used as set out in Sections 12 and 13 of the Company’s Data Protection Policy, and how long the Company will hold that Personal Data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).

4.2  Unless ComponentSource has reasonable grounds to refuse to erase Personal Data or the Personal Data relates solely to internal ComponentSource records detailing the circumstances (request and compliance) of the erasure or the erasure would be detrimental to the effective operation of the Company’s anti-fraud systems, Data Subjects are given control over their Personal Data held by the Company including the right to have incorrect data rectified, the right to request that their Personal Data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their Personal Data, and further rights relating to automated decision-making and profiling, as set out in Sections 14 to 19 of the Company’s Data Protection Policy.

5.  Technical and Organisational Data Security Measures

5.1  The following technical measures are in place within ComponentSource to protect the security of Personal Data. Please refer to Sections 21 to 25 of the Company’s Data Protection Policy for further details:

a)  All hardcopies of Personal Data, along with any electronic copies stored on physical media should be stored securely;
b)  No Personal Data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of ComponentSource or not, without authorisation;
c)  Personal Data must be handled with care at all times and sensitive Personal Data should not be left unattended or on view;
d)  Computers used to view sensitive Personal Data must always be locked before being left unattended;
e)  No sensitive Personal Data should be stored on any mobile device, whether such device belongs to the Company or otherwise, without the formal written approval of the Company’s Data Protection Manager, and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
f)  No Personal Data should be transferred to any device personally belonging to an employee and Personal Data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR or other applicable data protection law deemed adequate under the GDPR;
g)  All Personal Data stored electronically should be backed up at least once weekly with backups stored onsite and offsite. All offsite backups should be encrypted;
h)  All electronic copies of Personal Data should be stored securely using passwords;
i)  All passwords used to protect Personal Data should be changed regularly and must be secure. They should not use words or phrases that can be easily guessed or otherwise compromised. It is recommended that all passwords should contain a combination of uppercase and lowercase letters, numbers, and symbols;
j)  Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. The Company’s IT staff do not have access to passwords;
k)  All software should be kept up-to-date wherever reasonably possible. Security-related updates should be installed as soon as reasonably possible after becoming available;
l)  No software may be installed on any Company-owned computer or device without prior approval; and
m)  Where Personal Data held by the Company is used for marketing purposes, it will be the responsibility of the Company’s Data Protection Manager to ensure that the appropriate consent is obtained and that no Data Subjects have opted out.

5.2  The following organisational measures are in place within the Company to protect the security of personal data. Please refer to Section 26 of the Company’s Data Protection Policy for further details:

a)  All employees and other parties working on behalf of ComponentSource must be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under the Company’s Data Protection Policy;
b)  Only employees and other parties working on behalf of ComponentSource that need access to, and use of, Personal Data in order to perform their work should have access to Personal Data held by the Company;
c)  All employees and other parties working on behalf of ComponentSource handling Personal Data will be appropriately trained to do so;
d)  All employees and other parties working on behalf of ComponentSource handling Personal Data will be appropriately supervised;
e)  All employees and other parties working on behalf of ComponentSource handling Personal Data must exercise care and caution at all times when discussing any work relating to Personal Data;
f)  Methods of collecting, holding, and processing Personal Data should be periodically evaluated and reviewed;
g)  The performance of those employees and other parties working on behalf of ComponentSource handling Personal Data should be periodically evaluated and reviewed;
h)  All employees and other parties working on behalf of ComponentSource handling Personal Data will be bound by contract to comply with the GDPR and the Company’s Data Protection Policy;
i)  All agents, contractors, or other parties working on behalf of ComponentSource handling Personal Data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and other applicable data protection laws and the Company’s Data Protection Policy;
j)  Where any agent, contractor or other party working on behalf of the Company handling Personal Data fails in their obligations under the GDPR and/or other applicable data protection laws and/or the Company’s Data Protection Policy, all reasonable efforts should be made to contractually require that party to indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

6.  Data Disposal

Upon the expiry of the data retention periods set out below in Section 7 of this Policy, or when a Data Subject exercises their right to have their Personal Data erased, Personal Data must be deleted, destroyed, or otherwise disposed of as follows:

6.1  Personal Data including sensitive Personal Data stored electronically (including any and all backups) must be deleted securely;

6.2  Personal Data including sensitive Personal Data stored in hardcopy form must be shredded.

7.  Data Retention

7.1  As stated above, and as required by law, ComponentSource must not retain any Personal Data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.

7.2  Different types of Personal Data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.

7.3  When establishing and/or reviewing retention periods, the following must be taken into account:

a)  The objectives and legitimate or reasonable requirements of the Company;
b)  The type of Personal Data in question;
c)  The purpose(s) for which the data in question is collected, held, and processed;
d)  The Company’s legal basis for collecting, holding, and processing that data;
e)  The category or categories of Data Subject to whom the data relates;
f)  The need to operate and maintain effective anti-fraud procedures to protect the Company’s business, publishers and customers.

7.4  If a precise retention period cannot be fixed for a particular type of data, criteria must be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.

7.5  Notwithstanding the following defined retention periods, certain Personal Data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a Data Subject or otherwise).

7.6  In limited circumstances, it may also be necessary to retain Personal Data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR or other applicable data protection laws.

| Data Reference | Type of Data | Purpose of Data | Normal Retention Period |
|---|---|---|---|
| Customer | Name | Quote creation, order processing, authentication & software delivery | 7 years from date of expiry of last contract or license |
| Customer | Organisation name and type | Customer registration, quote creation, order processing, authentication & software delivery | 7 years from date of expiry of last contract or license |
| Customer | Address (including street, county/state, zip or post code, country) | Quote creation, order processing, authentication & software delivery, paper catalogue delivery, promotional item delivery (coffee mug) | 7 years from date of expiry of last contract or license |
| Customer | Email address | Customer registration, quote creation, order processing, authentication & software delivery, product news, customer email newsletter delivery, customer communications | 7 years from date of expiry of last contract or license |
| Customer | Telephone number | Quote creation, order processing & software delivery, customer communications | 7 years from date of expiry of last contract or license |
| Customer | IP address | Quote creation, order processing, authentication, payment processing & software delivery | 7 years from date of expiry of last contract or license |
| Customer | Bank Account Numbers, Sort Code, Account Name | Order processing and payment processing | 7 years from date of expiry of last contract or license |
| Customer | Credit/Debit Card Number, Card Holder Name, Expiry Date and CV2 number (CV2 is only used per transaction and never stored) | Order processing, payment processing, authentication and verification | 7 years from date of expiry of last contract or license |
| End User Licensee | Name (if different from Customer) | Quote creation, order processing, authentication & software delivery | 7 years from date of expiry of last contract or license |
| End User Licensee | Organisation name and type | Licensee registration with Publisher, quote creation, order processing, authentication & software delivery | 7 years from date of expiry of last contract or license |
| End User Licensee | Address (including street, county/state, zip or post code, country) | Quote creation, order processing, authentication & software delivery | 7 years from date of expiry of last contract or license |
| End User Licensee | Email address | Quote creation, order processing, authentication & software delivery, licensee communications | 7 years from date of expiry of last contract or license |
| End User Licensee | Telephone number | Quote creation, order processing & software delivery, licensee communications | 7 years from date of expiry of last contract or license |
| End User Licensee | IP address | Quote creation, order processing, authentication, payment processing & software delivery | 7 years from date of expiry of last contract or license |
| Publisher | Name, Address, Email Address, Telephone number, Bank Account Details | Order processing, payment processing and software delivery | 7 years from date of expiry of last contract or license |
| Supplier | Name, Address, Email Address, Telephone number, Bank Account Details | Order processing, payment processing and delivery | 7 years from date of expiry of last contract or license |
| Shareholder | Name, Address, Email Address, Telephone number, Bank Account Details | Shareholder communications, company returns and registers, plus payment processing | 7 years from date of cessation of all shareholdings |
| Employee / Director / Contractor | Name, Address, Email Address, Telephone number, National Insurance number, Tax Codes, Bank Account Details and all other information required in connection with the operation and administration of their employment contracts | Data usage as set out in the individual Privacy Notice Schedules to their Employment Contracts or Contracts of Engagement | 7 years from date of termination of contract |

8.  Roles and Responsibilities

8.1  The ComponentSource Data Protection Manager, Nigel Farnworth, can be contacted at dpm@componentsource.com, telephone +44 118 982 2108.

8.2  The Data Protection Manager will be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.

8.3  The Data Protection Manager will be directly responsible for ensuring compliance with the above data retention periods throughout the Company.

8.4  Any questions regarding this Policy, the retention of Personal Data, or any other aspect of GDPR compliance should be referred to the Data Protection Manager.

9.  Implementation of Policy

This Policy will be deemed effective as of 25th May 2018. No part of this Policy will have retroactive effect and, except and limited to any pre-existing applicable statutory requirements, will apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name: Harry Kelly
Position: Group Director
Date: 25 May 2018
Due for Review by: 30 April 2019

CSDataRetention 05/2018