Retention policy

Policy statement


FENWICK ELLIOTT (‘we’, ‘us’ or ‘our’) is committed to:

  1. Fully complying with all the requirements of the General Data Protection Regulation (GDPR).
  2. The efficient management of its records for the effective delivery of our services.


This policy explains how we will comply with our responsibilities and obligations under the GDPR and its principles relating to the storage and destruction of personal data.

This policy gives guidance about disposing of, deleting and retaining the personal data for which we have a responsibility and/or obligation under the GDPR.

This policy applies to:

  • All personal data that is stored by us whether kept on paper, electronically and/or digitally.
  • All staff of FENWICK ELLIOTT.

NB: This policy should be read and used in conjunction with our following other policies:

  • Data protection
  • Privacy


The objectives of this policy are to:

  • Ensure we follow the GDPR and its principles relating to the storage, disposal and destruction of personal data
  • Ensure we comply with all applicable legal and regulatory requirements
  • Ensure personal data is stored securely
  • Ensure that personal data is not out of date
  • Keep personal data accurate
  • Assist with responding to subject access requests
  • Ensure personal data that has been placed in storage can be found and retrieved quickly and efficiently
  • Ensure the storage, disposal and destruction of personal data is carried out in a consistent and controlled manner.
  • Assist with audits
  • Minimise storage requirements and costs
  • Assist in the identification of the location of personal data
  • Clarify responsibilities for implementing, complying with and monitoring this policy


Personal data means any information relating to an identified or identifiable person ('data subject') such as names, postal/email address, telephone number or identification number.

Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and data concerning criminal convictions or offences.

Data subject means any individual whose personal data is processed by us.

Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction. (This means that virtually anything FENWICK ELLIOTT does with personal data will be processing).

Data controller means the organisation which decides the purposes and means of the processing of personal data.

NB: The data controller for the purposes of this policy is FENWICK ELLIOTT.

Data processor means an individual or organisation that processes personal data on behalf of a data controller.

Personal data breach means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Staff means anyone working at or for us on a permanent or temporary basis, including Partners, consultants, permanent, interim and temporary employees, trainees, and those on work experience.


The relevant data protection principles for the purposes of this policy are that personal data must be:

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

NB: Keeping personal data unnecessarily may use up valuable storage space, incur unnecessary costs and impose on us a significant liability risk.

Roles and responsibilities

The Partners of FENWICK ELLIOTT have ultimate responsibility for ensuring compliance with the GDPR, the data protection principles and this policy.

The Practice Manager has day-to-day operational responsibility for ensuring we comply with the GDPR, the data protection principles and this policy. The Practice Manager can be contacted at:

All staff have a responsibility to comply with the GDPR, the data protection principles and this policy when carrying out their duties.

Line managers are responsible for supporting staff’s adherence to this policy.

Failure to comply with this policy may result in legal and/or disciplinary action.


We normally retain personal data for a minimum of 12 years.

Disposal and Destruction

When the retention periods expire, we must dispose of and destroy all personal data unless a Partner and the Practice Manager authorise that such data should be retained.

NB: Retaining or destroying personal data in breach of this policy may be considered serious gross misconduct and lead to dismissal.

Shred-it will physically collect the Materials on a regularly scheduled and mutually agreed basis and destroy, on or in reasonable proximity to the firm’s business premises, the Materials through use of mechanical devices.

The firm’s IT department will take care of all electronic file deletions.