GDPR: DATA PRIVACY NOTICE FOR CLIENTS

 

KND Surveys Ltd is committed to protecting and respecting your privacy.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.  

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).

 

  1. Definitions

Data controller - A controller determines the purposes and means of processing personal data.

Data processor - A processor is responsible for processing personal data on behalf of a controller.

Data subject - A natural person.

Categories of data: Personal data and special categories of personal data

Personal data - The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). Examples include name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.

Special categories personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.

Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

  2. Who are we?

KND Surveys Ltd is the data controller. This means we decide how your personal data is processed and for what purposes. For all data matters our Data Representative is Mr. N Davies at KND Surveys Ltd, 74 Watchet Lane, Holmer Green, High Wycombe, Bucks HP15 6UG. Phone 01494718453. Email nigel.davies@kndsurveys.com.

 

  3. The purpose(s) of processing your personal data

We use your personal data for the following purposes:-

 

  • Preparing a fee quotation for survey work as requested by you
  • Completing the survey work you have instructed us to carry out on your behalf
  • To maintain our accounts and records

 

  4. The categories of personal data concerned

With reference to the categories of personal data described in the definitions section, we might process the following categories of your data:

Name

Business Address

Business Phone Number

Business Email Address

Business IP Address

Business Bank Details

Gender

We have obtained your personal data from the contact information you have given us via email, phone conversation, our website or a third party acting on your behalf.

 

  5. What is our legal basis for processing your personal data?

  1. Personal data (article 6 of GDPR)

 

Our lawful basis for processing your general personal data:

  • Consent of the data subject
  • X Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract:
      • Preparation of a fee proposal
      • Completion of a survey as instructed by you
      • To maintain our accounts and records
  • Processing necessary for compliance with a legal obligation
  • Processing necessary to protect the vital interests of a data subject or another person
  • Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject

  6. Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared only with third party suppliers or consultants specifically requested by you.

 

  7. How long do we keep your personal data?

We keep your personal data indefinitely as necessary in order to undertake the survey project or projects you instruct us to carry out on your behalf and in case of any legal claims/complaints.

 

  8. Providing us with your personal data

You are under no statutory or contractual requirement or obligation to provide us with your personal data. However, failure to do so will mean we would not be able to provide a fee proposal or undertake survey work on your behalf.

 

  9. Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

 

  • The right to request a copy of the personal data which we hold about you;
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date;
  • The right to request that your personal data is erased where it is no longer necessary to retain such data;
  • The right to request that we provide you with your personal data and, where possible, transmit that data directly to another data controller (known as the right to data portability). This applies where the processing is based on consent or is necessary for the performance of a contract with the data subject, and where the data controller processes the data by automated means;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
  • The right to object to the processing of personal data, where applicable, i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority), direct marketing, or processing for the purposes of scientific/historical research and statistics.

 

  10. Transfer of Data Abroad

We do not transfer personal data outside the EEA.

 

  11. Automated Decision Making

We do not use any form of automated decision making in our business.

 

  12. Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

 

  13. Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be notified to you by e-mail.

How to make a complaint

To exercise any relevant rights, or for queries or complaints, please contact our Data Representative, Mr. N Davies, in the first instance.

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner's Office on 03031231113, via email at https://ico.org.uk/global/contact-us/email/, or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.

 

 __________________________________________________________________________________________________________

  

 

GDPR: SUBJECT ACCESS REQUEST POLICY

 

  1. Introduction

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulation (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).

Upon receipt of a request for information our internal policy is as follows:

 

  2. Responsibility

Mr. N Davies, our Data Representative, is responsible for the handling of Subject Access Requests (SAR) in our business.

The duties of the Data Representative include but are not limited to:

  • Log the receipt and fulfilment of all requests received from a data subject (the person making the request, or requestor) to see his or her personal information.
  • Acknowledge the subject access request (SAR).
  • Verify the identity of any person making a SAR.
  • Maintain a database on the volume of requests and compliance against the statutory timescale.
  • Verify whether we are the controller of the data subject’s personal data.
  • Check if we are not a controller, but rather a processor. If so, inform the data subject and refer them to the actual controller. This needs to be recorded in writing.
  • Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.
  • Decide if an exemption applies.
  • If a SAR is submitted in electronic form, any information should preferably be provided by electronic means as well.

 

  3. Oral or written requests

Subject access requests can be made in writing, electronically or verbally.

If a member of staff is in any doubt as to whether a certain situation has given rise to a SAR, they should contact the Data Representative by email, providing full details of the incident. Staff should do this without delay and certainly within two business days.

Where a member of staff receives a subject access request, they must email the relevant information to the Data Representative, nigel.davies@kndsurveys.com, without delay and certainly within two business days.

 

  4. How do we verify the requestor’s identity?

The requestor must supply valid evidence to prove their identity.

We may verify the requestor’s identity either through a phone call, where we ask questions that only the requestor will know the answers to, or by requesting forms of identification.

We accept the following forms of identification:

 

  • Copy of, or current, UK/EEA Passport or UK Driving Licence.
  • Copy of Financial Statement issued by bank, building society or credit card company.
  • Copy of Utility bill for supply of gas, electric, water or telephone landline.

 

  5. How to process the request

Our aim is to determine what information the requestor is asking for. If the request is not clear, or where we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.

We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly.

We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.

Any employee who receives a request from the Data Representative to locate and supply information relating to a SAR must make a full, exhaustive search of the records which they are responsible for or own. This may include, but is not limited to, emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, and paper records in relevant filing systems.

The Data Representative should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.

All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.

 

  6. No charge to comply with the request (with exceptions)

We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. We understand that this does not mean that we can charge for all subsequent access requests.

Where applicable, the Data Representative will determine the ‘reasonable fee’ that must be based on our administrative cost of providing the information.

 

  7. Excessive, manifestly unfounded or repetitive requests

Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. The Data Representative will make a decision on this.

The Data Representative must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.

 

  8. Complex requests

As stated, we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days.

Where we decide not to take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.

 

  9. Our response to the requestor

After processing the SAR, our response to the requestor should include:

 

  • The purpose(s) of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
  • The envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • The right to lodge a complaint with the ICO;
  • If the data has not been collected from the data subject: the source of such data;
  • The existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the requestor.

 

  10. How to handle exemptions?

If a member of staff believes that we have a valid business reason for an exemption, please inform the Data Representative without delay by email to nigel.davies@kndsurveys.com.  

Exempt information must be redacted from the released documents with an explanation of why that information is being withheld.

 

  11. Complaints

Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioner's Office or take legal action against us.

 

  12. Breach statement

Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.

 
