Data retention policy

Data retention policy

Data Retention Policy

Last reviewed: 29 July 2025


1.Purpose

This Data Retention Policy outlines how Evolution Aqua Group Ltd (“we”, “our”, or “us”) manages the storage and deletion of personal data. It ensures we retain data only for as long as is necessary for the purposes for which it was collected, to meet legal, regulatory, and operational requirements.


2. Scope

This policy applies to all personal data held by Evolution Aqua Group Ltd in both electronic and physical formats across all business units and departments.


3. Retention Principles

We adhere to the following principles:

  – Data will not be kept longer than necessary.

  – Retention periods are determined by legal obligations, business needs, and customer expectations.

  – Data no longer needed will be securely deleted or anonymised.


4. Retention Periods by Category

Data Category

 

 

Retention Period

Reason/Justification

Customer contact
details

7 years after last
interaction

To support
warranty, service history, or regulatory obligations

Payment and
financial records

7 years

Required for tax
and accounting compliance

Marketing consent
records

Until consent is
withdrawn or 3 years after last activity

To demonstrate
lawful basis and allow for marketing activity review

Recruitment data
(unsuccessful applicants)

12 months from
decision date

In case of future
vacancies or candidate disputes

Employment records

6 years after
employment ends

Statutory
limitation period for employment claims

Health and safety
records

40 years (for
certain risk assessments e.g., asbestos)

Legal requirement
under Health and Safety regulations

CCTV and video
recordings

30 days (unless
required for investigation)

For security and
investigation purposes

Dashcam footage

30 days (unless
subject to a complaint or incident)

Operational need
and potential insurance use

Complaints and
customer service records

6 years

In line with
limitation periods for claims

 

5. Secure Deletion

At the end of the retention period, personal data will be:

  – Permanently deleted from all systems and backups, or

  – Anonymised where continued use is required without identifying individuals.


6. Responsibilities

It is the responsibility of data owners and managers across the business to ensure compliance with this policy. The Data Protection Officer (DPO) or designated privacy lead is responsible for monitoring retention practices and advising on exceptions.


7. Review and Updates

This policy will be reviewed annually or whenever significant changes in legislation or operations occur.