Data Retention and Deletion Policy
This policy sets out how long UNICONS retains different categories of personal data, the basis for each retention period, the process for secure deletion, and how data subjects can exercise their right to erasure under the UK GDPR.
1. Purpose and Legal Basis
The purpose of this Data Retention and Deletion Policy is to ensure that LOPEX UNICONS LTD (trading as UNICONS) retains personal data only for as long as is necessary for the purposes for which it was collected, and that all personal data is securely and permanently deleted once it is no longer needed.
This policy gives effect to the storage limitation principle set out in Article 5(1)(e) of the UK General Data Protection Regulation (UK GDPR), which requires that personal data be:
> *"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"*
Compliance with this principle is not merely a technical obligation — it reflects UNICONS' genuine commitment to protecting the privacy of the students, staff, agents, and partners whose data we hold. Retaining data beyond the point of necessity creates unnecessary privacy risk, increases the potential impact of any data breach, and imposes unwarranted obligations on individuals.
This policy applies to:
- All personal data held by UNICONS, in any format (digital or physical);
- All systems, databases, and filing arrangements in which personal data is stored;
- All staff, contractors, agents, and service providers who process personal data on behalf of UNICONS.
This policy should be read alongside the UNICONS Privacy Policy, the Information Security Policy, and the Data Subject Rights Procedure.
2. Scope of Personal Data Held
UNICONS holds personal data across a range of categories, collected in the course of providing international student recruitment and education consultancy services. The principal categories of personal data held by UNICONS include:
- Student data: Identity, contact, and demographic information; academic history and qualifications; application documents; visa and immigration status; financial information relating to fees and payments; correspondence and communication records;
- Agent and counsellor data: Identity and business contact information; agreement records; commission and payment records; performance and compliance records;
- Partner institution data: Contact information for institutional representatives; partnership agreements and correspondence;
- Employee and contractor data: HR records, including employment contracts, payroll data, disciplinary records, training records, and correspondence;
- Website and platform data: Cookie identifiers, IP addresses, usage logs, and analytics data;
- Financial records: Invoice, payment, and commission records; HMRC-relevant financial data;
- Safeguarding and compliance records: Safeguarding concern records, DBS check records, consent records, and audit logs.
Each category of data is subject to a defined retention period as set out in the schedule below.
3. Retention Schedule
The following table sets out UNICONS' standard retention periods for each principal category of personal data. These periods represent the maximum time for which data will be retained in identifiable form; data will be deleted promptly at the end of the relevant period, subject to the exceptions in section 5.
| Data Type | Retention Period | Legal / Operational Basis |
|---|---|---|
| Student identity and contact data | 7 years after last interaction | Legal obligation / contract performance |
| Application records (including supporting documents, correspondence, and outcomes) | 7 years | Legal obligation / contract performance |
| Financial and commission records (invoices, payments, receipts, agent commissions) | 7 years from end of financial year in which transaction occurred | Companies Act 2006 / HMRC statutory requirement |
| Consent records (lightweight record of consent given, purpose, and date) | Indefinitely (lightweight record only — no substantive personal data retained beyond other periods) | Accountability obligation (UK GDPR Article 5(2)) |
| Employment and HR records (contracts, payroll, disciplinary records, training records) | 6 years after end of employment | Legal obligation / limitation periods |
| Recruitment records for unsuccessful candidates | 12 months from decision date | Legitimate interests (potential claims) |
| DBS check results and safer recruitment records | Duration of engagement + 6 months | Legal obligation / safeguarding |
| Safeguarding concern records | 7 years (or until the child reaches age 25, whichever is later) | Statutory guidance / legal obligation |
| Audit logs (platform and system access logs) | 3 years | Legitimate interests (security / accountability) |
| CCTV / security footage | 30 days, unless required for an ongoing investigation | Legitimate interests (security) |
| Unsuccessful student applications (where no further engagement) | 2 years from rejection or withdrawal | Legitimate interests (re-engagement / dispute) |
| Marketing contact data (opt-in email lists, campaign data) | 2 years from last positive engagement (open, click, or reply) | Consent |
| Platform analytics and behavioural data | As specified in the Cookie Policy for each cookie type | Consent / Legitimate interests |
| Partner institution contact and agreement records | Duration of partnership + 7 years | Contract / legitimate interests |
| Data subject rights request records | 3 years from date of request | Legal obligation / accountability |
Where a specific legal instrument (such as an HMRC notice, a court order, or a regulatory investigation) requires retention of specific data beyond the periods above, that data will be retained for as long as the legal instrument requires and then deleted promptly.
All retention periods are calculated from the end of the event that triggers the retention period (for example, the end of the last interaction, the end of the financial year, or the termination of employment), not from the date the data was first collected.
4. Deletion and Destruction Process
UNICONS is committed to ensuring that personal data is securely and permanently deleted at the end of the applicable retention period. The following standards apply:
Digital data:
- Data held in UNICONS' platform databases will be deleted by permanent erasure, using deletion processes that prevent recovery through forensic or technical means;
- Where cloud-hosted services are used, UNICONS will ensure that deletion requests are passed to the relevant cloud provider and that confirmation of deletion is obtained and recorded;
- Backup copies of data will be purged from backup systems within the next scheduled backup cycle following deletion from primary systems, and in any event within 90 days of the primary deletion event.
Physical data:
- Paper documents containing personal data will be destroyed by cross-cut shredding using a DIN 66399 P-4 (or higher) rated shredder, or by a contracted secure destruction service;
- Physical media (hard drives, USB drives, optical media) will be destroyed using methods certified to NIST SP 800-88 or equivalent standard.
Third-party deletion:
Where personal data has been shared with a third party (for example, a partner institution or a service provider), UNICONS will request confirmation that the third party has also deleted the data, in accordance with the data processing agreement in place between UNICONS and the third party.
Record of deletion:
A record of each deletion event will be maintained by the UNICONS Data Protection Officer (DPO), noting the category of data deleted, the date of deletion, the method used, and (where applicable) the identity of the third party confirming deletion. Deletion records are themselves retained for 3 years.
5. Exceptions to Standard Retention Periods
The following circumstances may require UNICONS to retain personal data beyond the periods specified in the retention schedule:
Legal hold: Where UNICONS becomes aware that personal data may be relevant to actual or anticipated litigation, regulatory investigation, or enforcement action, a legal hold will be placed on that data. The DPO and legal advisers will determine the scope of the hold and the data to which it applies. Data subject to a legal hold will not be deleted until the hold is lifted by the DPO and legal advisers.
Ongoing regulatory investigation: Where a regulatory body (such as the ICO, the Financial Conduct Authority, or HMRC) has requested or is likely to request access to particular data, that data will be retained until the investigation is concluded and the data is no longer required by the regulator.
Safeguarding records: Safeguarding records relating to children will be retained until the child reaches the age of 25, regardless of whether the standard retention period has expired, in accordance with statutory guidance.
Ongoing contractual or professional obligation: Where a specific contractual term or professional obligation requires longer retention, data will be retained for the period required, with a note of the justification maintained by the DPO.
In all cases of extended retention, the DPO will maintain a register of data retained beyond standard periods, setting out the category of data, the reason for extended retention, the person responsible for the hold, and the expected date of deletion.
6. Data Subject Requests — Right to Erasure
Under Article 17 of the UK GDPR, data subjects have the right to request erasure of their personal data in certain circumstances, including where:
- The data is no longer necessary for the purposes for which it was collected;
- The data subject withdraws consent and there is no other lawful basis for processing;
- The data subject objects to processing under Article 21 and there are no overriding legitimate grounds;
- The data has been unlawfully processed.
How to submit a deletion request:
Data subjects may submit a right to erasure request by:
- Completing the data subject rights form on the UNICONS platform (Settings > Privacy > Delete My Data);
- Emailing enquiry@unicons.co.uk with the subject line: DATA ERASURE REQUEST;
- Writing to LOPEX UNICONS LTD, 214 High Street, Second Floor, Hounslow, TW3 1HB, London, United Kingdom.
UNICONS will respond to all erasure requests within 30 calendar days of receipt. Where the request is complex or UNICONS receives a high volume of requests, the response period may be extended by up to a further two months; in that case, the data subject will be notified of the extension and the reason within the initial 30-day period.
Grounds for refusing or limiting erasure:
UNICONS may refuse or limit an erasure request where retention is necessary:
- To comply with a legal obligation (for example, HMRC financial record-keeping requirements);
- For the establishment, exercise, or defence of legal claims;
- For reasons of public interest in the area of public health, archiving, scientific or historical research, or statistics (where applicable);
- In the exercise of official authority.
Where UNICONS declines to comply with an erasure request in whole or in part, the data subject will be informed of the reason and their right to complain to the Information Commissioner's Office (ICO).
7. Staff Responsibilities
All UNICONS staff and contractors who process personal data are responsible for:
- Familiarising themselves with this policy and the retention schedule applicable to the data they process;
- Not retaining personal data beyond the applicable retention period without the approval of the DPO;
- Promptly deleting personal data that is no longer needed, in accordance with the deletion standards in section 4;
- Reporting any concerns about data that appears to have been retained beyond its scheduled period to the DPO;
- Cooperating with data subject erasure requests and with internal and external audits of retention compliance.
Managers are responsible for ensuring that their teams are aware of and comply with this policy, and for flagging any data categories or systems that have not been addressed in the retention schedule.
The Data Protection Officer (DPO) is responsible for:
- Maintaining and updating the retention schedule;
- Managing the legal holds register and the deletion records register;
- Reviewing retention compliance on at least an annual basis;
- Responding to data subject erasure requests within the statutory timeframe;
- Liaising with third-party processors to ensure deletion obligations are met;
- Reporting material non-compliance to senior management and, where required, to the ICO.
8. Policy Review, Contacts, and Escalation
This policy is reviewed at least annually by the DPO, in consultation with senior management and legal advisers where appropriate. It will also be reviewed in response to:
- Material changes to UNICONS' data processing activities or systems;
- Changes to applicable legislation or ICO guidance;
- Any material data breach or near-miss involving retained data;
- Any adverse finding by the ICO or other regulatory body.
Contacts:
| Matter | Contact |
|---|---|
| Data retention or deletion queries | enquiry@unicons.co.uk |
| Right to erasure requests | enquiry@unicons.co.uk (DATA ERASURE REQUEST) |
| DPO | enquiry@unicons.co.uk |
| ICO (complaints or guidance) | www.ico.org.uk / 0303 123 1113 |
Approved by: Director, LOPEX UNICONS LTD
Effective date: 1 September 2025
Next review date: 1 September 2026
