Data retention policy
This Data Retention Policy explains how CCL Industries (UK) Ltd trading as ID&C (“ID&C”, “we”, “us”) retains and deletes personal data in accordance with the UK GDPR and Data Protection Act 2018.
This policy should be read alongside our Privacy Policy and Data Processing Agreement (DPA). Last updated April 15th 2026.
1. Purpose
ID&C retains personal data only for as long as necessary to:
Provide contracted services to clients
Fulfil the purposes described in our Privacy Policy
Comply with legal, accounting and regulatory obligations
Resolve disputes and enforce agreements
2. Retention principles
ID&C applies the following principles:
Personal data is not kept longer than necessary
Retention periods are based on business need and legal requirements
Data is securely deleted, anonymised, or archived when no longer required
3. How retention is determined
Retention periods are determined based on:
The purpose for which the data was collected
Whether ID&C is acting as a controller or processor
Legal and regulatory requirements
Contractual obligations with clients
4. When ID&C acts as a processor
Where ID&C processes personal data on behalf of a client:
Personal data is processed and retained only in accordance with the client’s documented instructions
Data is retained for the duration of the services unless otherwise agreed
At the end of the contract, personal data is deleted or returned in accordance with the Data Processing Agreement
ID&C does not determine retention periods independently in this context, except where required by law
5. When ID&C acts as a controller
Where ID&C processes personal data for its own purposes, retention periods typically include:
Client and contractual data: up to 7 years after contract end
Financial and invoicing data: up to 7 years
Supplier data: duration of relationship plus up to 6 years
Client contact data (B2B): duration of relationship plus a reasonable period
Marketing data: until consent is withdrawn or data is no longer required
Website and system usage data: retained for a limited period for analytics and security
6. Event and service data
For event-related services such as credentialing, access control and accreditation:
Personal data is typically retained for the duration of the event and a limited period afterwards
Retention is determined by the client where ID&C acts as a processor
Data may be retained longer where required for reporting, security or legal purposes
7. Data retention schedule
| Data Type | Role | Retention Period | Reason |
|---|---|---|---|
| Client contracts and account records | Controller | Up to 7 years | Legal and contractual obligations |
| Financial and invoicing data | Controller | Up to 7 years | Accounting requirements |
| Supplier data | Controller | Duration + up to 6 years | Contractual/legal |
| Client contact data | Controller | Duration + reasonable period | Legitimate interests |
| Marketing data | Controller | Until withdrawn/inactive | Consent |
| Website analytics data | Controller | 12–24 months | Performance/analytics |
| System logs and security data | Controller/Processor | 30–180 days | Security monitoring |
| Event attendee data | Processor | As instructed by client | Contractual |
| Accreditation/access data | Processor | As instructed by client | Security/audit |
| Badge/ID data | Processor | Event duration + short period | Operational |
| Photos (event-related) | Processor/Controller | As agreed or notified | Contractual/consent |
| Support communications | Controller/Processor | Up to 3 years | Support/disputes |
| Backup data | Controller/Processor | 30–90 days rolling | Disaster recovery |
8. Deletion and anonymisation
When personal data is no longer required:
It is securely deleted from active systems, or
It is anonymised so that individuals are no longer identifiable
Where technically feasible, deletion also applies to backups and archived systems, subject to system limitations.
9. Legal and regulatory retention
ID&C may retain personal data for longer where necessary to:
Comply with legal or regulatory obligations
Respond to lawful requests from authorities
Establish, exercise or defend legal claims
10. Security and control
Retention and deletion processes are supported by appropriate technical and organisational measures, including:
Access controls
Secure storage environments
Monitoring and logging
Controlled deletion processes
These align with the commitments set out in the Data Processing Agreement.
11. Review and governance
This policy is reviewed periodically to ensure it remains:
Accurate and up to date
Consistent with ID&C’s Privacy Policy and Data Processing Agreement
Aligned with legal and regulatory requirements
12. Contact
For questions about this policy or data retention practices, please contact: dataprotection@idcband.com
FAQs
What is a data retention policy?
A data retention policy explains how long personal data is kept and when it is deleted or anonymised. It ensures organisations only retain data for as long as necessary in line with UK GDPR requirements.
How does ID&C decide how long to keep personal data?
Retention periods are based on the purpose of processing, legal obligations, contractual requirements, and whether ID&C is acting as a controller or a processor.
Does ID&C keep personal data indefinitely?
No. ID&C does not retain personal data longer than necessary. Data is deleted or anonymised once it is no longer required, unless there is a legal obligation to retain it.
How long does ID&C keep event data?
Event-related data is typically retained for the duration of the event and a limited period afterwards. Where ID&C acts as a processor, retention is determined by the client.
Who decides retention periods for event data?
When ID&C acts as a data processor, the client (as controller) determines how long personal data should be retained. ID&C follows those instructions in line with the Data Processing Agreement.
What happens to personal data at the end of a contract?
At the end of a contract, personal data is deleted or returned to the client in accordance with the Data Processing Agreement, unless retention is required by law.
Does ID&C retain data for legal or regulatory reasons?
Yes. Certain data may be retained for longer periods to comply with legal, accounting or regulatory obligations, or to handle legal claims.
How does ID&C delete personal data?
ID&C uses secure deletion processes to remove personal data from active systems. Where appropriate, data may also be anonymised so that individuals can no longer be identified.
Is data also deleted from backups?
Where technically feasible, data is removed from backups and archived systems in line with retention cycles and system limitations.
How does ID&C protect personal data during retention?
ID&C applies technical and organisational measures such as access controls, secure storage, monitoring, and controlled deletion processes to protect personal data.
Does ID&C retain marketing data?
Marketing data is retained until consent is withdrawn or the data is no longer required, in line with applicable data protection laws.
Can retention periods vary between clients?
Yes. Where ID&C acts as a processor, retention periods may vary depending on the client’s instructions and contractual requirements.
Who can I contact about data retention?
For any questions about data retention or data protection, please contact: dataprotection@idcband.com
Login and Registration Form