As a business, we take our data protection obligations very seriously and have prepared this policy in order to explain:
This policy has been prepared in order to meet the transparency requirements set out in Articles 13/14 of the General Data Protection Regulation (GDPR). If you have any questions regarding this policy or our practices, please contact us. You’ll find our contact details at the end of this policy.
We may update this policy from time to time and will publish any updates on our website or otherwise communicate such updates to our clients.
Kidd Aitken Legal Marketing Limited (‘we’ or ‘us’) is a company incorporated and registered in England and Wales (company number 09678198), with its registered office at Kemp House, 152-160 City Road, London, England, EC1V 2NX.
We act as a ‘data controller’ for the purposes of the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and any subsequent UK data protection legislation and also act as a ‘data processor’ on behalf of third party clients, as described in this policy.
The person with overall responsibility for our data protection compliance is Caroline Triggle, with oversight from our Board of Directors.
We are registered with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You can find out more about the ICO at ico.org.uk.
As a data controller, we will process personal information relating to:
This personal information will consist of information these parties provide to us themselves and information obtained from third party sources (e.g. where we conduct a credit search, criminal record check, or obtain other references).
As a data processor, we will process personal information provided by our clients relating to their business, which may include personal data pertaining to their own clients and relating to the work they have been engaged in. We will only process such personal information in accordance with our written contract with such clients and their lawful instructions.
The personal information we process will vary depending on the type of individual and the nature of our business relationship. As a data controller, we will routinely process the following categories of personal information:
For employees, workers, agents, consultants and applicants for such roles:
We may process ‘special’ categories of data in relation to employees, worker, agents, consultants and applicants for such roles, such as ethnic origin, trade union membership, physical or mental health, and/or criminal record history. We will only do so subject to your explicit consent and/or as otherwise described in our employment policies and procedures.
For clients and prospective clients, as well as those who contact us and register for events/information:
Our clients and prospective clients will typically be bodies corporate as opposed to natural individuals. Nevertheless, we will process personal information relating to named individuals representing those clients and prospective clients, which will typically include:
Where a client or prospective client is a natural individual, we will also process the following:
For suppliers, contractors, partners and other businesses we work and collaborate with:
Our suppliers and other business partners will typically be bodies corporate as opposed to natural individuals. Nevertheless, we will process personal information relating to named individuals representing those businesses, which will typically include:
Where a supplier or business partner is a natural individual, we will also process the following:
In the performance of our services to our clients, we will potentially have access to personal information pertaining to their own clients (or representatives acting on behalf of those clients), which we will only use as necessary for the performance of our services and otherwise in accordance with any lawful instructions provided by a client.
Our clients will be responsible for ensuring that they have a lawful basis for disclosing such personal information to us and will be primarily responsible for the processing of such personal information. This personal information will be subject to our respective client’s privacy practices and policies.
If we receive a query or request from an individual whose data we are processing on behalf of a client, we will refer it to the relevant client for them to address in line with their own policies and procedures.
The data protection laws provide several lawful bases for processing personal information as a data controller. We may process personal information for a variety of reasons, including because:
In some instances, we will rely on your consent to process personal data and where we do this, it will be flagged to you at the time.
Our main processing activities for personal data, and the legal basis on which we perform those activities are:
Employees, workers, agents, consultants and applicants for such roles:
We will process applicant personal information on the basis that there is a legitimate business interest in doing so. We may also process such personal data in order to comply with a legal obligation (for example, in order to comply with ‘right to work’ and/or criminal record checking requirements).
We will process employee, worker etc. personal information as necessary to administer and manage our working relationship, including for the purposes of management, progress and performance review, safeguarding and care, and payroll, on the basis that the processing is necessary for the performance of our contract with you or, in some limited cases, in order to comply with a legal obligation and/or it is in our legitimate business interests to do so.
Prospective clients and those who contact us:
We will process your personal data in order to contact you in relation to our services and keep a record of our communications (e.g. telephone calls, quotations and offers).
Where you register to receive our newsletter or attend an event, you will have consented to receive related communications from us. More generally, our legal basis for processing personal information in this context shall be our legitimate interests, which allows us to market our products and services provided that there is a business case for doing so and our interests do not override the rights of the individuals in question. We will only contact individuals acting in a business capacity.
If you wish to object to direct marketing, you may do so by contacting us.
Clients:
We will process your personal data in order to provide our products/services to you and to provide you with information and updates regarding the same. Our legal basis for doing so is that the processing is necessary for the performance of a contract. We will also keep a record of your data and use it for related purposes, including account management, customer support, and audit purposes, on the basis that we have a legitimate interest in doing so.
Suppliers and business partners etc.:
We will process your personal information in order to receive goods and/or services from you and to manage our relationship, including making payments to you, dealing with accounts issues, etc. Our legal basis for doing so will typically be that the processing is necessary for the performance of a contract.
Monitoring and recording communications:
We may monitor and record communications we receive and send (such as telephone conversations and emails) for the purpose of training, fraud prevention, and/or quality assurance. We may also retain copies of communications and details provided to us, for example support requests, account queries, complaints, for internal account management and auditing purposes. This is done on the basis of our legitimate interests.
Credit checking:
We may conduct credit checks:
Our search will be recorded on the files of the credit reference agency.
If you provide false or inaccurate information to us and we suspect fraud, we will record this.
We store your personal information on third party servers (Microsoft as at the date of this policy), based in the UK/EEA.
We routinely use the following third party providers, who may store elements of your personal data in order to provide services to us:
We may also disclose your personal information to:
We will use technical and organisational measures to safeguard your personal information, for example by storing your personal information on secure servers, maintaining appropriate physical and technical security measures, and providing appropriate training and awareness to our employees.
If you are resident in the UK/EEA, we will routinely process your personal information within the UK. However, we do have employees and representatives based in other territories and those employees may access and use such personal information in the performance of their duties.
If you are based outside of the UK/EEA, your personal information may be processed in the territory in which you are based where we have a local representative, though in most cases your personal information will be stored and processed by us in the UK.
Where we do transfer personal information, we will ensure that appropriate safeguards are in place in accordance with data protection legislation.
We keep your personal information for as long as we need to for the purposes for which it was collected or (if longer) for any period for which we are required to keep personal information to comply with our legal and regulatory requirements.
If you are looking for more specific information regarding how your personal information is retained and how/when it is deleted, please contact us.
No, we do not make any automated decisions, including profiling, within the meaning of Article 22 of the GDPR.
You are responsible for ensuring that information you provide to us is accurate, complete and up-to-date. You can review and change your information by contacting us.
You have a number of rights in relation to your personal data. These include the right to:
Some of the above rights are subject to exclusions, which we may rely on if applicable. We will inform you if we intend to do so.
If you would like to exercise any of your rights or find out more, please contact us.
Please contact us if you have any questions about this privacy policy or the information we hold about you.
If you wish to contact us, please send an email to contact@kiddaitken.com or write to us at Kidd Aitken Legal Marketing Ltd, Kemp House, 152-160 City Road, London, England, EC1V 2NX.