GDPR: DATA PRIVACY NOTICE FOR CLIENTS
KND Surveys Ltd is committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller - A controller determines the purposes and means of processing personal data.
Data processor - A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data - The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data - The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
KND Surveys Ltd is the data controller. This means we decide how your personal data is processed and for what purposes. For all data matters our Data Representative is Mr. N Davies at KND Surveys Ltd, 74 Watchet Lane, Holmer Green, High Wycombe, Bucks HP15 6UG. Phone 01494718453. Email nigel.davies@kndsurveys.com.
We use your personal data for the following purposes:-
4. The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we might process the following categories of your data:
Name
Business Address
Business Phone Number
Business Email Address
Business IP Address
Business Bank Details
Gender
We have obtained your personal data from the contact information you have given us via:- email, phone conversation, our website or a third party acting on your behalf.
5. What is our legal basis for processing your personal data?
Our lawful basis for processing your general personal data:
☐ Consent of the data subject; |
|
X Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract | Preparation of a fee proposal Completion of a Survey as instructed by you To Maintain Our Accounts and Records |
☐ Processing necessary for compliance with a legal obligation |
|
☐ Processing necessary to protect the vital interests of a data subject or another person
|
|
☐ Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
|
|
☐ Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject |
|
Your personal data will be treated as strictly confidential, and will be shared only with third party suppliers or consultants specifically requested by you.
We keep your personal data indefinitely as necessary in order to undertake the survey project or projects you instruct us to carry out on your behalf and in case of any legal claims/complaints.
You are under no statutory or contractual requirement or obligation to provide us with your personal data. But failure to do so will mean we would not be able to provide a fee proposal or undertake survey work on your behalf.
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
We do not transfer personal data outside the EEA.]
We do not use any form of automated decision making in our business.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
Any changes we may make to our privacy policy in the future will notified to you by e-mail. How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact our Data Representative Mr. N Davies.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
__________________________________________________________________________________________________________
GDPR: SUBJECT ACCESS REQUEST POLICY
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).
Upon receipt of a request for information our internal policy is as follows:
Mr. N Davies, our Data Representative, is responsible for the handling of Subject Access Requests (SAR) in our business.
The duties of the Data Representative include but are not limited to:
Subject access requests can be made in writing, electronically or verbally.
If a member of staff is in any doubt if a certain situation has given rise to a SAR, contact the Data Representative by email providing full details of the incident. Staff should do this without delay and certainly within two business days.
Where a member of staff receives a subject access request, they must email the relevant information to the Data Representative, nigel.davies@kndsurveys.com without delay and certainly within two business days.
The requestor must supply valid evidence to prove their identity.
We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.
We accept the following forms of identification:
Our aim is to determine what information the requestor is asking for. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.
We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly.
We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.
Any employee, who receives a request from the Data Representative to locate and supply information relating to a SAR, must make a full exhaustive search of the records which they are responsible for or owns. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.
The Data Representative should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.
All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.
We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information. We understand that this does not mean that we can charge for all subsequent access requests.
Where applicable, the Data Representative will determine the ‘reasonable fee’ that must be based on our administrative cost of providing the information.
Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. The Data Representative will make a decision on this.
The Data Representative must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.
As stated we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days.
Where we decide not take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.
After processing the SAR, our response to the requestor should include:
If a member of staff believes that we have a valid business reason for an exemption, please inform the Data Representative without delay by email to nigel.davies@kndsurveys.com.
Exempt information must be redacted from the released documents with an explanation of why that information is being withheld.
Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.
Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.
TERMS AND CONDITIONS
REVIEWED June 2021
‘SURVEYOR’ | means KND Surveys Limited |
‘CLIENT’ | means the person, firm, company or organisation that issues the instruction. |
‘CONTRACT’ | means the agreement between Surveyor and the Client, along with any relevant specifications, drawings and other documents supplied by the client or their consultants and includes these terms and conditions.
|
‘FEE’ | means the agreed fee payable to the Surveyor by the Client for completing the work detailed in the Contract and as detailed in the Surveyor’s fee proposal.
|
‘INSTRUCTION’ | means the written acceptance by the Client of the Surveyors fee for carrying out the work agreed in the Contract.
|
‘PURPOSE’ | means the use that the Client will make of the work as specified in the Contract.
|