Data Retention & Deletion Policy
Organisation: PC LAB LTD
Document ID: ISMS‑POL‑DRD‑001
ISO Reference: ISO/IEC 27001:2022 (incl. Annex A 5.32, 8.10)
Version: 1.0
Applies to: All systems and services operated by PC LAB LTD
1.1 Purpose
The purpose of this policy is to ensure that information held by PC LAB LTD is retained only for as long as necessary for legal, regulatory, contractual, and business purposes and is securely deleted or anonymised when no longer required, in line with ISO 27001 requirements.
1.2 Scope
This policy covers:
- Customer data (including website content, configuration data, and hosted email content).
- Account, billing, and support records.
- System and security logs.
- Backups and archives containing any of the above.
1.3 Principles
PC LAB LTD follows these principles:
- Data minimisation: only collect and keep what is necessary for defined purposes.
- Defined retention: each class of data has a documented retention period.
- Secure deletion: when data is no longer required, it is securely deleted or irreversibly anonymised, including from backups when their retention period expires.
- Legal and contractual compliance: retention and deletion always respect applicable law and contractual obligations.
1.4 Retention Rules (Specific)
PC LAB LTD maintains a data retention schedule that, as a minimum, includes the following rules:
- Customer web content and configuration (websites, databases associated with hosting):
  - Retained while the service is active.
  - After termination, retained for 15 days to allow limited recovery or dispute handling, then securely deleted from live systems.
- Backups (containing customer service data, including web and email content):
  - Backup sets are retained for 30 days.
  - When backup sets reach 30 days, they are automatically expired and deleted or rendered inaccessible (for example, through secure deletion or key destruction).
- Customer invoices, contract records, and billing information:
  - Retained for 6 years from the end of the relevant financial year, to comply with tax and accounting requirements and for the establishment, exercise, or defence of legal claims, after which they are securely deleted or archived in anonymised form.
- Security and access logs:
  - Retention periods are set to what is necessary for security monitoring, incident investigation, and compliance and are typically shorter than invoice retention; after expiry they are deleted or pseudonymised.
The detailed retention schedule is maintained separately and approved by management.
Policy on Service Suspension and Termination
Document ID: ISMS‑POL‑SST‑001
2.1 Suspension of Services
PC LAB LTD may temporarily suspend services in situations such as:
- Non‑payment or serious overdue balances under the contract.
- Security incidents, abuse, or breach of acceptable use terms.
- Legal or regulatory requirements (for example, court orders).
During suspension:
- Customer data and configuration remain in place but may not be accessible to the customer until the issue is resolved.
- No changes are made to live content except where necessary for security or legal compliance.
2.2 Termination of Services
When a contract or service is terminated (by the customer or PC LAB LTD):
- Access to the hosted services is revoked at the end of the notice/contract period.
- Customer web content and email content are retained on live systems only for the defined post‑termination period of 15 days, then securely deleted, subject to any legal holds or disputes.
- Data contained in backups is retained for 30 days as part of the backup cycle and then deleted or rendered inaccessible when the backup set expires.
- Domain names registered by or through PC LAB LTD are handled in line with domain registration terms; if the customer does not renew or transfer a domain, it may expire or remain under PC LAB LTD’s control according to registrar rules and contractual terms.
Data Deletion Standards
Document ID: ISMS‑POL‑DEL‑001
3.1 Deletion Triggers
PC LAB LTD defines deletion triggers in line with ISO 27001 Annex A 8.10:
- End of contract or service termination plus 15 days for live content and 30 days for associated backups, unless a longer period is required by law or an active dispute.
- Expiry of a documented retention period in the retention schedule (for example, 6 years for invoices and billing records).
- Valid GDPR or equivalent “right to erasure” requests, where no overriding legal basis requires further retention.
3.2 Deletion Methods
Deletion methods are selected according to the type and sensitivity of data and the storage medium:
- Application‑level deletion or anonymisation for data in live systems (removing or pseudonymising user content, mailbox data, and configuration once the 15‑day period has elapsed).
- Secure wipe, crypto‑erasure, or physical destruction for storage media at end of life or reuse.
- Backup expiry after 30 days: data in backups is deleted when backup sets age out in line with the 30‑day backup retention policy, or rendered inaccessible through key destruction where applicable.
PC LAB LTD records evidence of deletion where appropriate (for example, system logs, tickets, or certificates of destruction for media handled by third‑party suppliers).
Customer Email Data After Termination
For hosted email services operated by PC LAB LTD:
- While the service is active, email content and metadata are processed only for providing the service, security, and maintenance.
- After termination, email mailboxes and related content are retained on live systems for 15 days (for limited recovery or dispute purposes) and then securely deleted; any remaining copies in backups follow the 30‑day backup retention and expiry process.
- PC LAB LTD does not keep customer email content indefinitely after services end. Limited non‑content records (such as account identifiers, invoices, and logs necessary for security or legal obligations) may be retained for up to 6 years or other legally required periods as defined in the retention schedule.
Where required by law (for example, GDPR), PC LAB LTD will respond to valid data‑subject requests for access, portability, or erasure, subject to any legal grounds to retain certain information (such as tax and accounting obligations or defence of legal claims).
Roles, Responsibilities, and Review
- Management of PC LAB LTD approves these retention periods (15 days for live content after termination, 30 days for backups, 6 years for invoices and billing records) and ensures they reflect legal and contractual requirements.
- The Information Security Manager (or equivalent role) maintains these policies and coordinates implementation across technical teams.
- Technical staff implement the retention and deletion rules in systems, backups, and procedures, and keep appropriate records as evidence for audits.
- These policies are reviewed at least annually or when there are significant changes to law, technology, or business operations.