Document Title: Group Data Retention Policy – Credit Car Hire

Company: G&F Prime Rentals LTD (“the Company”)

Version: 1.0

Effective Date: 28/04/2026

Next Review Date: 28/04/2027

Owner: Data Protection Lead / Compliance Manager

Approved By: Managing Director

1. Purpose

This policy sets out how G&F Prime Rentals LTD retains, reviews, stores and securely disposes of personal data and business records created or received while providing credit hire services, including replacement vehicles, accident management, recovery, storage, repair coordination, claims handling and litigation support.

The Company retains records only as long as needed to:

• Deliver credit hire services
• Manage and recover credit hire charges
• Support claims, disputes, fraud prevention and litigation
• Comply with legal, regulatory and tax requirements

2. Scope

This policy applies to:

• All staff, contractors, temporary workers and third parties acting on behalf of the Company
• All records (paper and electronic) relating to customers/claimants, at-fault third parties, insurers, solicitors, repairers, recovery/storage providers, fleet management and telematics providers
• Credit hire agreements, billing and recovery

This includes data held in: email, case management systems, CRM, finance systems, cloud storage, recorded calls, CCTV (if applicable), vehicle tracking systems and paper files.

3. Key Definitions

• Personal Data: Data relating to an identifiable person.
• Special Category Data: Health data and disability-related data.
• Criminal Offence Data: Allegations of fraud or criminal activity.
• Credit Hire File: Full case file including agreement, evidence, communications and billing.
• Retention Period: Time records are kept before secure deletion or destruction.

4. Retention Principles

1. Data is kept only for as long as necessary for the purpose collected.
2. Data is retained to meet legal obligations and claims/litigation requirements.
3. Retention supports debt recovery, credit hire enforcement and dispute defence.
4. Access is limited to staff who need it.
5. Records are securely deleted, destroyed or anonymised when no longer required.

5. Lawful Bases for Processing & Retention

• Contractual necessity
• Legal obligation
• Legitimate interests
• Establishment, exercise or defence of legal claims
• Consent where required

6. Retention Schedule (Credit Hire Business)

6.1 Credit Hire Case & Customer Records

Record Type	Examples	Retention Period	Reason
Credit hire agreements	Signed agreements, terms, acceptance logs	6 years after case closure	Contract + legal claims
Statement of truth / declarations	Need basis, impecuniosity declarations	6 years after closure	Litigation support

7. Storage & Security Controls

• Role-based access to case files
• Strong passwords and multi-factor authentication
• Encryption for laptops and portable devices
• Secure cloud storage with access logs
• Lockable storage for paper files
• Confidentiality obligations for staff and suppliers

8. Secure Disposal

8.1 Electronic Records

• Permanent deletion from case management systems, cloud storage and backups
• Removal from shared drives and email archives where appropriate
• Secure wiping of devices before disposal

8.2 Paper Records

• Cross-cut shredding or certified confidential disposal services
• Disposal certificates retained where appropriate

9. Retention Holds

If a file is subject to ongoing litigation, complaint, dispute, fraud investigation or regulatory/legal request, the Company will suspend deletion until the matter is resolved.

10. Roles and Responsibilities

• Managing Director: overall responsibility for compliance.
• Data Protection Lead: maintains this policy and manages requests.
• Claims/Credit Hire Team: ensures case files are complete and stored correctly.
• Finance Team: maintains HMRC-compliant retention of financial records.
• IT/Admin: supports secure access, backups and deletion processes.
• All Staff: must follow this policy and report concerns immediately.

11. Data Subject Rights

Individuals may request access to their data, correction, restriction or deletion where applicable.

12. Review & Compliance

This policy is reviewed annually and whenever the Company changes systems, processes, services or locations.