Data retention policy
This Data Retention Policy explains how CCL Industries (UK) Ltd trading as RFID Hotel (“RFID Hotel”, “we”, “us”) retains and deletes personal data in accordance with the UK GDPR and Data Protection Act 2018.
This policy should be read alongside our Privacy Policy and Data Processing Agreement (DPA). Last updated May 13th 2026.
1. Purpose
RFID Hotel retains personal data only for as long as necessary to:
- Provide contracted services to clients
- Fulfil the purposes described in our Privacy Policy
- Comply with legal, accounting and regulatory obligations
- Resolve disputes and enforce agreements
2. Retention principles
RFID Hotel applies the following principles:
- Personal data is not kept longer than necessary
- Retention periods are based on business need and legal requirements
- Data is securely deleted, anonymised, or archived when no longer required
3. How retention is determined
Retention periods are determined based on:
- The purpose for which the data was collected
- Whether RFID Hotel is acting as a controller or processor
- Legal and regulatory requirements
- Contractual obligations with clients
4. When RFID Hotel acts as a processor
Where RFID Hotel processes personal data on behalf of a client:
- Personal data is processed and retained only in accordance with the client’s documented instructions
- Data is retained for the duration of the services unless otherwise agreed
- At the end of the contract, personal data is deleted or returned in accordance with the Data Processing Agreement
- RFID Hotel does not determine retention periods independently in this context, except where required by law
5. When RFID Hotel acts as a controller
Where RFID Hotel processes personal data for its own purposes, retention periods typically include:
- Client and contractual data: up to 7 years after contract end
- Financial and invoicing data: up to 7 years
- Supplier data: duration of relationship plus up to 6 years
- Client contact data (B2B): duration of relationship plus a reasonable period
- Marketing data: until consent is withdrawn or data is no longer required
- Website and system usage data: retained for a limited period for analytics and security
6. Event and service data
For event-related services such as credentialing, access control and accreditation:
- Personal data is typically retained for the duration of the event and a limited period afterwards
- Retention is determined by the client where RFID Hotel acts as a processor
- Data may be retained longer where required for reporting, security or legal purposes
7. Data retention schedule
| Data Type | Role | Retention Period | Reason |
|---|---|---|---|
| Client contracts and account records | Controller | Up to 7 years | Legal and contractual obligations |
| Financial and invoicing data | Controller | Up to 7 years | Accounting requirements |
| Supplier data | Controller | Duration + up to 6 years | Contractual/legal |
| Client contact data | Controller | Duration + reasonable period | Legitimate interests |
| Marketing data | Controller | Until withdrawn/inactive | Consent |
| Website analytics data | Controller | 12–24 months | Performance/analytics |
| System logs and security data | Controller/Processor | 30–180 days | Security monitoring |
| Event attendee data | Processor | As instructed by client | Contractual |
| Accreditation/access data | Processor | As instructed by client | Security/audit |
| Badge/ID data | Processor | Event duration + short period | Operational |
| Photos (event-related) | Processor/Controller | As agreed or notified | Contractual/consent |
| Support communications | Controller/Processor | Up to 3 years | Support/disputes |
| Backup data | Controller/Processor | 30–90 days rolling | Disaster recovery |
8. Deletion and anonymisation
When personal data is no longer required:
- It is securely deleted from active systems, or
- It is anonymised so that individuals are no longer identifiable
Where technically feasible, deletion also applies to backups and archived systems, subject to system limitations.
9. Legal and regulatory retention
RFID Hotel may retain personal data for longer where necessary to:
- Comply with legal or regulatory obligations
- Respond to lawful requests from authorities
- Establish, exercise or defend legal claims
10. Security and control
Retention and deletion processes are supported by appropriate technical and organisational measures, including:
- Access controls
- Secure storage environments
- Monitoring and logging
- Controlled deletion processes
These align with the commitments set out in the Data Processing Agreement.
11. Review and governance
This policy is reviewed periodically to ensure it remains:
- Accurate and up to date
- Consistent with RFID Hotel’s Privacy Policy and Data Processing Agreement
- Aligned with legal and regulatory requirements
12. Contact
For questions about this policy or data retention practices, please contact: [email protected]