Last updated 18th May 2018, in accordance with the requirements of the General Data Protection Regulation (GDPR).
We are Kingshill MC Ltd. Our contact and other details are set out at the end of this policy. We are the data controller in relation to the personal data processed in accordance with this policy (except where this policy explains otherwise).
We may collect and process personal data if you are a client of ours (or you work for a client of ours).
We may collect your individual contact information to enable us to communicate with you in relation to the provision of services by us (for example, in relation to the management and administration of the provision of the relevant services) and other personal information relating to you in the course of providing the services concerned (for example, bank account or other financial details, personal description and photograph and other information relating to you that is included in any communications between us and you or anyone you work with in the course of provision of the services).
If you are invited to, or attend, an event organised or managed by us we may collect your individual contact and related information (as well as that of anyone who is attending the event with you) as necessary to enable you and any other relevant individuals to be invited to, and to attend, the event and to facilitate your attendance (for example, dietary or special access requirements).
If you are a respondent to any survey, research, interview or other enquiry carried out by us we may collect personal information from you as part of surveys or other research carried out by us. We will normally provide you at the time with more detailed information about how we will process the personal information concerned **
If we wish to send you advertising, marketing or promotional material we may collect your individual contact details in order to send you direct marketing material in order to advertise, market or promote our services (either to you or the person that you work for, as appropriate).
WHERE WE PROCESS YOUR PERSONAL DATA
We normally process personal data only in the UK or elsewhere in the EU.
Where personal data is transferred in relation to providing our services we will take all steps reasonably necessary to ensure that it is subject to appropriate safeguards, such as relying on a recognised legal adequacy mechanism, which may include entering into EC approved standard contractual clauses relevant to transfers of personal information – see:
SECURITY OF YOUR PERSONAL DATA
All personal data processed by us is stored securely (the level of security being appropriate to the nature of the data concerned and the other relevant circumstances). Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or systems, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website and any transmission is at your own risk. Once we have received your information, we will use appropriate procedures and security features to try to prevent unauthorised access.
WHO WE SHARE YOUR PERSONAL DATA WITH
We may where appropriate share your personal data with appropriate third parties including:
our business partners, customers, suppliers and sub-contractors for the performance of any contract we enter into or other dealings we have in the normal course of business with you or the person that you work for;
our auditors, legal advisors and other professional advisors or service providers;
We do not sell, rent or exchange your personal information with any other third party for commercial reasons.
OTHER DISCLOSURES WE MAY MAKE
We may disclose your personal data to third parties:
• If we or substantially all of our assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply and other agreements with you or the person that you work for; or to protect the rights, property, or safety of our business, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of child protection, fraud protection, or credit risk reduction.
THE LEGAL BASIS FOR OUR PROCESSING OF PERSONAL DATA
The legal basis on which we process your personal data is as follows:
• Where it is necessary to obtain your prior consent to the processing concerned in order for us to be allowed to do it, we will obtain and rely on your consent in relation to the processing concerned (in relation to any processing we are carrying out with your consent, see below for how to withdraw your consent).
• Otherwise, we will process your personal data where the processing is necessary and legitimate:
For the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract;
For compliance with a legal obligation to which we are subject; or
For the purposes of the legitimate interests pursued by us or another person, provided that this will only be in circumstances in which those legitimate interests are not overridden by your interests or fundamental rights and freedoms which require protection of personal data (most circumstances in which we process your personal data in relation to a relationship that we have with the person that you work for will fall into this category).
HOW LONG WE KEEP YOUR PERSONAL DATA
We process personal data only for so long as is necessary for the purpose(s) for which it was originally collected, after which it will be deleted or archived except to the extent that it is necessary for us to continue to process it for the purpose of compliance with legal obligations to which we are subject or for another legitimate and lawful purpose.
If a breach of security results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, we will assess the scope and impact of the breach. Based on the assessment of the likely risks to individuals, we will notify the individuals and/or their connected organisations that a data breach has occurred where this may result in a significant risk to the rights and freedoms of individuals, or where we may be in breach of a contractual obligation. Any such notification to individuals will be carried out as soon as reasonably possible and will include information on the nature of the breach, the name and contact details of our Data Protection representative, the likely consequences of the breach, measures taken or proposed by Kingshill MC Ltd. to address it, and recommendations for affected individuals to mitigate any potential adverse effects. Such individuals will also be provided advice on how to make a complaint to the ICO.
If, due to the nature of the breach, Kingshill is required to inform the ICO, we will do so within 72 hours of becoming aware of the essential facts of the breach. Such notification must include at least: your name and contact details; the date and time of the breach (or an estimate); the date and time we detected it; basic information about the type of breach; and basic information about the personal data concerned.
YOUR RIGHT TO WITHDRAW
If you do not wish Kingshill MC Ltd to use your personal data for direct marketing of our goods and services, you have the right to withdraw your consent at any time by notifying us in writing either by email to firstname.lastname@example.org or at the following address:
HOW YOU CAN OBTAIN DATA WE HOLD ABOUT YOU
You have the right to know what information we hold on our system about you at any given time. To obtain details of the information we hold as it relates specifically to you, you may contact Kingshill MC Ltd. at the following address. When contacting us to ascertain the information we hold about you, it would be helpful if you could provide us with details of your full name, company and email address.
CONTACTING THE REGULATOR
If you have a complaint about any processing of your personal data being conducted by us, you can contact us as set out below or lodge a formal complaint with the Information Commissioner.
The Information Commissioner is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data.
Kingshill MC Ltd
Registered Office: Pyle House, 136/137 Pyle Street, Newport, Isle of Wight, PO30 1JW, UK.
** EMPLOYEE AND DIVERSITY SURVEYS
In executing employee surveys on behalf of clients, we are committed to protecting your privacy and maintaining the security of any personal information received from you. We follow strict security procedures in the storage and disclosure of information which you may have given us, to prevent unauthorised access in accordance with the stringent requirements of the General Data Protection Regulation. The purpose of this statement is to explain to you what personal information we collect and how we may use it.
Our lawful basis for processing personal data for employee engagement surveys and diversity surveys is that it is necessary for the purposes of legitimate interests pursued by the controller or a third party.
If you are completing an employee engagement survey, Kingshill’s code of confidentiality ensures that no reference to the origin of individual responses will be made in reports. This code of confidentiality also applies to free form (verbatim) comments. Your individual responses will not be made available to anyone within your company. The questions in the “Demographics” section are asked so that we can compile results for different groups within the company.
Our surveys are based on respondent anonymity. None of our surveys ask for your name, an identifying code that would identify you, or contact information.
Reports showing responses to “scale-based” questions (Strongly Agree to Strongly Disagree) only break down to groups of 10 or more respondents. So if you are, for example, the only female based in a location within a function, then your responses will be grouped with other employees to give an overall result, grouped with other females to give a result by sex, grouped with others in the function to give a result by function and grouped with others based in the location to give a result by location, but your responses will never be reported as a standalone response.
DATA RETENTION AND HOW WE RETAIN DATA
In accordance with the GDPR, the raw survey data base shall be kept for no longer than is necessary for the purposes for which it is being processed. Raw data is generally retained for a period of 24 months after the close-date of that particular survey, after which it is deleted, unless there is a legitimate reason to hold it for longer, such as a client intending to repeat the survey and wanting to have the ability to request Kingshill MC Ltd to interrogate the data in order to compare trends over time. Where a client has specifically advised us that they no longer intend using our services, any associated raw data base will be deleted, and not provided to any third party, even if so requested by the client or a third party acting on behalf of that client.
Any research results held in data table form do not constitute personal data, as they are aggregated, at which point no individual is identified or identifiable from such data and the data no longer falls within the scope of the Act.
SECURITY OF SYSTEMS
Kingshill MC Ltd’s raw data bases are located in the UK and no personal data will be transferred outside of the EEA by Kingshill or our subcontractors.
Kingshill MC Ltd. uses systems to store personal data and therefore all reasonable precautions shall be taken to ensure that appropriate confidentiality and control procedures are in place. Kingshill cannot be held responsible for client-side breaches of data confidentiality.
Kingshill MC Ltd uses a secure industry standard service to collect survey data online. We have a contract for services to be provided by Research.net, part of the global Survey Monkey corporation. Research.net & Survey Monkey are obliged to include, on any survey hosted on their servers, their own Privacy notice.
Revised 18th May 2018