Last updated: March 2025
1.1 Purpose
This Policy establishes the principles for the retention of personal data processed by Brain Payroll UK Limited (the "Company"). It outlines the types of personal data the Company collects, the retention periods for such data, the criteria for determining those periods, and the processes for securely deleting or disposing of data when it is no longer necessary. This policy applies to all personal data processed in relation to payroll services and includes specific protocols for deleting application data once its purpose has been fulfilled.
1.2 Scope
This policy applies to all individuals within the Company, including permanent, fixed-term and temporary staff and subcontractors, who handle personal data in relation to payroll processing. Adherence to this policy is mandatory to ensure compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Non-compliance with the policy may result in disciplinary or contractual action.
1.3 Policy
This Policy defines Brain Payroll UK Limited's obligations regarding the retention of personal data in accordance with EU Regulation 2016/679 (GDPR) and the UK Data Protection Act 2018. As a Data Processor or Data Sub-Processor, the Company is committed to legally, transparently, and fairly processing personal data. Data is only retained for as long as necessary for its intended purpose, and once that purpose has been fulfilled, personal data will be securely deleted or anonymized.
The term "personal data" refers to any information relating to an identified or identifiable natural person, including, but not limited to, names, identification numbers, financial records, or any information related to the individual's economic or social identity.
The Company ensures that:
- Personal data is only retained for legitimate business, legal, or regulatory purposes.
- Data is handled in compliance with data protection laws, guidelines, and best practices.
1.4 Objectives
As a data processor or sub-processor, the Company is subject to obligations under the GDPR/UK GDPR to process personal data fairly, to inform data subjects about the processing, and to retain the data for no longer than is necessary to achieve the purposes for which it was collected.
Summary of the Company's objectives and principles in relation to Data Retention are as follows:
- Data Processing on UK/EU-based Infrastructure: Personal data is processed solely on UK/EU-based servers, accessed via Remote Desktop and Virtual Desktop Infrastructure (VDI) environments. This ensures that sensitive data remains within the secured data centre and within the UK/EU geographical boundary, mitigating the risk of unauthorized access or exposure.
- Data Handling Restrictions: The Company implements strict controls to prevent the unauthorized download or export of data on company premises. The Data Processing Agreement (DPA) explicitly outlines any exceptions to this protocol. Company staff are permitted to download data only if explicitly required to process it as per agreed contractual obligations.
- Encryption and Secure Storage: When data is transferred to the Company by clients or downloaded from client servers, it is stored in a secure, encrypted environment using AES-128 or AES-256 encryption. This ensures that all sensitive personal data remains confidential and protected against unauthorized access.
- Server Management and Data Leak Prevention: The company's servers and network infrastructure are subject to rigorous Data Leak Prevention (DLP) controls, including technical and physical security measures. Where applicable, automated processes are employed to ensure compliance with retention periods and prevent unauthorized access or data leaks.
- Automated Data Deletion: Data received from clients or downloaded to Company infrastructure (UK) is automatically erased using the DoD 5220.22-M overwrite standard within 24 hours of the processing task's completion, ensuring that no unnecessary data is retained beyond its immediate purpose. All backup copies of onboarding (migration) data, whether held on storage or on servers, are deleted from all locations within 90 days.
- Application Data Deletion: Data (company, accounts, PII or any other critical information) can be deleted from the application using its auto-delete function. The delete action runs SQL commands against the database that perform a hard deletion, so the data is not recoverable. The associated transaction logs are also purged, removing any copies of the deleted data that may still exist there. To protect the data from unwanted incidents, access to the data deletion option is restricted to the support team.
- Retention Period compliance: The Company has established clear, strictly enforced retention limits for personal data. Data is retained only for the duration necessary to fulfill legal, contractual, or business purposes. Any retention beyond that period is prohibited, and mechanisms are in place to review and ensure compliance with the defined retention periods.
- Secure Data Disposal: Confidential data and other information assets are securely disposed of once they are no longer needed for business, legal, or regulatory purposes. The Company employs secure deletion techniques and physical shredding of records to ensure that all data is permanently irretrievable.
- GDPR Compliance and Data Subject Rights: The Company remains fully committed to complying with its obligations under the GDPR/UK GDPR, ensuring that all personal data is processed transparently, lawfully, and securely. The Company upholds the rights of data subjects and ensures the timely and secure exercise of those rights, including data access, rectification, erasure, and portability. All data subject requests are processed within the statutory timeframes outlined by the GDPR.
- Legal, Contractual, and Regulatory Retention Compliance: The Company ensures that all records and documents are retained for the period specified by legal, contractual, or regulatory requirements. Any data retention requirements specific to industry bodies, clients, or jurisdictions are adhered to without exception.
1.5 Responsibilities
Department heads and information asset owners are responsible for ensuring that personal data records are retained, archived, and disposed of according to this Policy. Where applicable, the Data Protection Officer (DPO) should be consulted for any data retention and disposal issues.
Employees who handle personal data must ensure that it is kept accurate and up to date and that it is disposed of properly when it is no longer required for processing. The AVP, IT Infrastructure and Security, oversees the technical controls around data security and ensures that retention policies are followed.
1.6 User and Data removal process from the application
Once the client provides written confirmation to begin off-boarding, the support team will promptly initiate the necessary actions to ensure a smooth and secure transition. The following outlines the steps taken by the support team to manage data deactivation, removal and retention in accordance with our policies.
- Account Termination Notice: Account Termination notice gets served (by either the client or Brain Payroll) to the designated email address of the other party.
- Contract Termination Date: The contract termination date gets finalized as per the agreed termination notice period and terms in the software license agreement. This date is communicated to the client.
- User Deactivation: The support team will completely deactivate the client's account access (including all portals) on the agreed contract termination date.
- Data removal from the application: The support team will use the auto-delete feature to remove user data from the application within 7 days after deactivation. This action permanently deletes the data from the application database, making it completely irretrievable from within the application.
- Data removal from backup: Data backups will be retained for a period of three complete financial years (e.g. Dec-2023 data will be retained until 31st March 2027) for compliance and HMRC audit purposes. After this period, the data will be permanently deleted from backups, making it completely unavailable.
1.7 Retention Period
Retention periods for personal data are based on legal and regulatory requirements, contractual obligations, and operational needs. The Company has implemented a dynamic data retention process, with automated controls in place to ensure compliance.
- Payroll data: Retained for a minimum of six years in accordance with the Companies Act 2006 and other relevant tax and employment regulations. Retention is reviewed annually to remain compliant with changes in legislation.
- Incident Records: Retained for 3 years for audit and compliance purposes.
- Client data, including payroll-related data, is deleted within 7 days after the conclusion of the contractual agreement or after the data has fulfilled its purpose. Data backups are retained for three complete financial years for compliance and HMRC audit purposes.
- Application Data: Data related to payroll processing within the payroll applications is retained for a maximum of 7 days after the client leaves, or as specified in the contract. Data backups are retained for three complete financial years for compliance and HMRC audit purposes. After that, the data is removed from the application, servers and all backup locations.
Payroll Clients Data (Existing clients)
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
Database | Minimum six years or as per DPA | Payroll Processing | Data Processing Team | Stored in an encrypted location and Password-protected | Secure deletion |
Documents | Minimum six years or as per DPA | Payroll Processing | Data Processing Team | Stored in an encrypted location and Password-protected | Secure deletion |
Payroll Clients Data (Former clients)
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
Database | Maximum 7 Days or as per DPA | Payroll Processing | Support Team | Stored in an encrypted location and Password-protected | Secure deletion |
Documents | Maximum 7 days or as per DPA | Payroll Processing | Support Team | Stored in an encrypted location and Password-protected | Secure deletion |
Data use for support (debugging) and migration (On-boarding)
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
PII Data | 90 days (After onboarding complete) | Payroll Processing | Data Processing Team | Stored in an encrypted location and Password-protected | Secure deletion |
Database (Anonymised) | NA | Debugging purpose | Support Team | Access through SQL Management studio. | Access removed after purpose completion |
Incident & Evidence
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
Incident Records | 3 years | Compliance, risk management and improvement | Compliance and Auditor team | Password protected and stored in a secure location | Safe/secure deletion |
Payroll application backup retention period for existing clients.
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
Database | 30 days | Application availability and DR purpose | Support Team & IT Engineering Team | Encrypted and stored in a secure location | Overwritten after 30 days |
Documents | 30 days | Application availability and DR purpose | Support Team & IT Engineering Team | Encrypted and stored in a secure location | Overwritten after 30 days |
Payroll application backup retention period for Former clients.
Data Type | Retention Period | Why is it collected | Who can access | Security | Final Disposition |
---|---|---|---|---|---|
Database | 3 Years | Compliance and HMRC audit purpose | Compliance and Auditor team | Encrypted and stored in a secure location | Safe/secure deletion |
Documents | 3 Years | Compliance and HMRC audit purpose | Compliance and Audit team | Encrypted and stored in a secure location | Safe/secure deletion |