Data‑Retention Schedule

Introduction

This Schedule sets out the standard retention periods applied by The ESG Institute Limited ("the Company") to the categories of personal data that we process. The periods are determined in accordance with the Data Protection Act 2018 (Isle of Man), UK GDPR/Applied GDPR, sector‑specific legislation (e.g., employment, tax, health‑and‑safety, safeguarding) and best‑practice guidance issued by the Isle of Man Information Commissioner. Where statutory or contractual obligations require longer retention, those obligations prevail. The Schedule should be read together with the Company’s Privacy Policy.

General Approach

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, to comply with a legal obligation, or to protect the Company’s legitimate interests. Once the retention period expires, data is securely destroyed or irreversibly anonymised. If litigation or an investigation is pending, relevant records are retained until the matter is resolved.

Retention Periods by Category

1. Human‑Resources Records

Employment contracts, personnel files, appraisal records and training certificates are retained for six years after employment ends (Limitation Act 1984 contracts limitation period plus one year). Records relating to working‑time and holiday are kept for two years. Health and safety accident records are retained for three years from the date of incident; where relating to a child, retention extends until that child’s twenty‑first birthday.

2. Recruitment and Candidate Data

Application forms, CVs, interview notes and assessment results for unsuccessful candidates are retained for twelve months after the recruitment decision, unless the candidate gives consent to hold the data for longer to consider future roles (maximum three years).

3. Payroll and Finance

Payroll records, payslips, expense claims and tax documents are retained for seven years after the end of the financial year, in line with taxation statutes and audit requirements. Corporate financial statements and ledgers are retained for ten years.

4. Client and Project Files

Project correspondence, proposals, statements of work, deliverables and client contact information are retained for seven years after project completion to support contractual claims and quality management. Where contractual limitation periods exceed seven years, files are retained for ten years.

5. Course Registration and Certification Records

Attendance registers, assessment results and certificates issued are retained for seven years from the course end date to provide verification to participants and employers and to comply with accreditation‑body requirements.

6. Marketing and Mailing‑List Data

Contact details used for email marketing are retained until the individual withdraws consent or unsubscribes. Suppression lists (records of opt‑out requests) are retained indefinitely to ensure compliance with preferences.

7. Safeguarding and Incident Reports

Safeguarding concern records and related investigation documents are retained for six years after case closure or, where the data subject is a child, until their twenty‑fifth birthday, whichever is later, in accordance with the Safeguarding Act 2018.

8. Health and Safety, Accident Books

Accident books and accident‑investigation reports are retained for three years from the date of the last entry, unless the incident involves hazardous substances, in which case records are retained for forty years under the Control of Substances Hazardous to Health Regulations.

9. CCTV and Access Logs

CCTV footage is retained for thirty days unless an incident necessitates longer retention for investigation or legal proceedings. Building‑access logs are retained for twelve months.

10. IT System Logs and Back‑ups

System‑access logs are retained for ninety days to monitor security. Routine back‑ups are retained for thirty days then overwritten; annual archive back‑ups are retained for seven years.

11. Contracts with Suppliers and Partners

Supplier agreements and related correspondence are retained for seven years after contract termination or expiry.

12. Research Data (Anonymised)

Anonymised research datasets that no longer constitute personal data may be retained indefinitely for historical or statistical purposes, subject to ethical approval and information‑security controls.

Review

This Policy will be reviewed at least every two years, or sooner if there are changes in legislation, regulatory guidance or organisational practice. This Policy is non‑contractual and may be amended at the Company’s discretion. It will be interpreted in accordance with Isle of Man law and, where applicable, the UK and EU GDPR.

Latest update: June 30, 2025.