Simple (hopefully) GDPR question


sunbeam alpine

Original Poster:

6,945 posts

188 months

Sunday 27th May 2018
My company only holds customer (and probably some lapsed customer) records on a single P.C. (we do have a data back-up!). This is purely used for invoicing purposes. We don't hold e-mail addresses - it's a local agricultural contracting business - and we don't do any marketing by e-mail or direct mail. We probably only have telephone numbers for about 50% of the customers on the computer (although they're all in my phone).

Do I actually need to do anything with regard to GDPR?

PurpleMoonlight

22,362 posts

157 months

Sunday 27th May 2018
I may be totally wrong here but from my little research:

You need to have a written privacy policy to issue on request.

You need to delete data you have no further use for.

You can keep data you have a legitimate use for.

sunbeam alpine

Original Poster:

6,945 posts

188 months

Monday 28th May 2018
Thanks for that.

Does it make a difference that the data held concerns businesses rather than private individuals?

KevinCamaroSS

11,635 posts

280 months

Tuesday 29th May 2018
Not at all, a company is a legal person. Recommend getting a written policy in place, this should detail the reasons you keep the data, the process for deletion (along with 'proof' of deletion) and policy for deciding when to delete a record. This could be something like 12/24/36 months following last business transaction.

zombeh

693 posts

187 months

Tuesday 29th May 2018
KevinCamaroSS said:
Not at all, a company is a legal person.
GDPR said:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
If you're storing contact details for a specific person though then it does apply.

anonymous-user

54 months

Tuesday 29th May 2018
KevinCamaroSS said:
Not at all, a company is a legal person. Recommend getting a written policy in place, this should detail the reasons you keep the data, the process for deletion (along with 'proof' of deletion) and policy for deciding when to delete a record. This could be something like 12/24/36 months following last business transaction.
There is normally a 6 year limitation on legal action relating to contractual performance. I personally wouldn't delete data relating to the performance of any contract until that period has elapsed.

If you have any form of professional indemnity insurance I would also consult with your insurers, as it may be they who carry the can and will need to advise what they want keeping and for how long.

KevinCamaroSS

11,635 posts

280 months

Wednesday 30th May 2018
janesmith1950 said:
KevinCamaroSS said:
Not at all, a company is a legal person. Recommend getting a written policy in place, this should detail the reasons you keep the data, the process for deletion (along with 'proof' of deletion) and policy for deciding when to delete a record. This could be something like 12/24/36 months following last business transaction.
There is normally a 6 year limitation on legal action relating to contractual performance. I personally wouldn't delete data relating to the performance of any contract until that period has elapsed.

If you have any form of professional indemnity insurance I would also consult with your insurers, as it may be they who carry the can and will need to advise what they want keeping and for how long.
Good points JaneSmith.