Purpose of this policy

As a business, we take our data protection obligations very seriously and have prepared this policy in order to explain:

  • the personal information we collect and receive;
  • what we do with such personal information; and
  • the legal rights that you have in connection with our processing of the personal information.

This policy has been prepared in order to meet the transparency requirements set out in Articles 13/14 of the General Data Protection Regulation (GDPR). If you have any questions regarding this policy or our practices, please contact us. You’ll find our contact details at the end of this policy.

We may update this policy from time to time and will publish any updates on our website or otherwise communicate such updates to our clients.

Who we are

Kidd Aitken Legal Marketing Limited (‘we’ or ‘us’) is a company incorporated and registered in England and Wales (company number 09678198), with its registered office at Kemp House, 152-160 City Road, London, England, EC1V 2NX.

We act as a ‘data controller’ for the purposes of the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and any subsequent UK data protection legislation and also act as a ‘data processor’ on behalf of third party clients, as described in this policy.

The person with overall responsibility for our data protection compliance is Caroline Triggle, with oversight from our Board of Directors.

We are registered with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You can find out more about the ICO at ico.org.uk.

Whose information do we process?

As a data controller, we will process personal information relating to:

  • our own employees, workers, agents and consultants and applicants for such roles;
  • our clients and prospective clients;
  • our suppliers, contractors, partners and other businesses we work and collaborate with; and
  • those who contact us, including via our website, by email, or by telephone or register for any events we organise, including webinars, or subscribe to receive updates from us.

This personal information will consist of information these parties provide to us themselves and information obtained from third party sources (e.g. where we conduct a credit search, criminal record check, or obtain other references).

As a data processor, we will process personal information provided by our clients relating to their business, which may include personal data pertaining to their own clients and relating to the work they have been engaged in. We will only process such personal information in accordance with our written contract with such clients and their lawful instructions.

Categories of personal data

The personal information we process will vary depending on the type of individual and the nature of our business relationship. As a data controller, we will routinely process the following categories of personal information:

For employees, workers, agents, consultants and applicants for such roles:

  • Name;
  • Address;
  • Age and/or date of birth;
  • Contact details (which may include your landline telephone number, mobile number, and/or email address);
  • Financial details (e.g. bank information);
  • Professional information and employment history (e.g. job title and/or type, professional qualifications, industry); and
  • Other related information.

We may process ‘special’ categories of data in relation to employees, workers, agents, consultants and applicants for such roles, such as ethnic origin, trade union membership, physical or mental health, and/or criminal record history. We will only do so subject to your explicit consent and/or as otherwise described in our employment policies and procedures.

For clients and prospective clients, as well as those who contact us and register for events/information:

Our clients and prospective clients will typically be bodies corporate as opposed to natural individuals. Nevertheless, we will process personal information relating to named individuals representing those clients and prospective clients, which will typically include:

  • Name;
  • Age and/or date of birth;
  • Contact details (which may include your business telephone number, mobile number and/or email address); and
  • Professional information (e.g. job title and/or type, professional qualifications, industry).

Where a client or prospective client is a natural individual, we will also process the following:

  • Address;
  • Age and/or date of birth; and
  • Financial details (e.g. bank information, payment card information, and/or credit history).

For suppliers, contractors, partners and other businesses we work and collaborate with:

Our suppliers and other business partners will typically be bodies corporate as opposed to natural individuals. Nevertheless, we will process personal information relating to named individuals representing those businesses, which will typically include:

  • Name;
  • Age and/or date of birth;
  • Contact details (which may include your business telephone number, mobile number and/or email address); and
  • Professional information (e.g. job title and/or type, professional qualifications, industry).

Where a supplier or business partner is a natural individual, we will also process the following:

  • Address;
  • Age and/or date of birth; and
  • Financial details (e.g. bank information and/or credit history).

Personal information we process as a data processor

In the performance of our services to our clients, we will potentially have access to personal information pertaining to their own clients (or representatives acting on behalf of those clients), which we will only use as necessary for the performance of our services and otherwise in accordance with any lawful instructions provided by a client.

Our clients will be responsible for ensuring that they have a lawful basis for disclosing such personal information to us and will be primarily responsible for the processing of such personal information. This personal information will be subject to our respective client’s privacy practices and policies.

If we receive a query or request from an individual whose data we are processing on behalf of a client, we will refer it to the relevant client for them to address in line with their own policies and procedures.

How we use your data and our legal basis for processing your data

The data protection laws provide several lawful bases for processing personal information as a data controller. We may process personal information for a variety of reasons, including because:

  • we are legally obliged to do so, e.g. to confirm your identity;
  • the processing is necessary for the performance of the contract with you to provide our services; or
  • it is in our legitimate business interests to do so.

In some instances, we will rely on your consent to process personal data and where we do this, it will be flagged to you at the time.

Our main processing activities for personal data, and the legal basis on which we perform those activities are:

Employees, workers, agents, consultants and applicants for such roles:

We will process applicant personal information on the basis that there is a legitimate business interest in doing so. We may also process such personal data in order to comply with a legal obligation (for example, in order to comply with ‘right to work’ and/or criminal record checking requirements).

We will process employee, worker etc. personal information as necessary to administer and manage our working relationship, including for the purposes of management, progress and performance review, safeguarding and care, and payroll, on the basis that the processing is necessary for the performance of our contract with you or, in some limited cases, in order to comply with a legal obligation and/or it is in our legitimate business interests to do so.

Prospective clients and those who contact us:

We will process your personal data in order to contact you in relation to our services and keep a record of our communications (e.g. telephone calls, quotations and offers).

Where you register to receive our newsletter or attend an event, you will have consented to receive related communications from us. More generally, our legal basis for processing personal information in this context shall be our legitimate interests, which allows us to market our products and services provided that there is a business case for doing so and our interests do not override the rights of the individuals in question. We will only contact individuals acting in a business capacity.

If you wish to object to direct marketing, you may do so by contacting us.

Clients:

We will process your personal data in order to provide our products/services to you and to provide you with information and updates regarding the same. Our legal basis for doing so is that the processing is necessary for the performance of a contract. We will also keep a record of your data and use it for related purposes, including account management, customer support, and audit purposes, on the basis that we have a legitimate interest in doing so.

Suppliers and business partners etc.:

We will process your personal information in order to receive goods and/or services from you and to manage our relationship, including making payments to you, dealing with accounts issues, etc. Our legal basis for doing so will typically be that the processing is necessary for the performance of a contract.

Other processing activities

Monitoring and recording communications:

We may monitor and record communications we receive and send (such as telephone conversations and emails) for the purpose of training, fraud prevention, and/or quality assurance. We may also retain copies of communications and details provided to us, for example support requests, account queries, complaints, for internal account management and auditing purposes. This is done on the basis of our legitimate interests.

Credit checking:

We may conduct credit checks:

  • so that we can make sensible credit decisions; and
  • to prevent and detect fraud and money laundering.

Our search will be recorded on the files of the credit reference agency.

If you provide false or inaccurate information to us and we suspect fraud, we will record this.

Storage of your information and who your information might be shared with

We store your personal information on third party servers (Microsoft as at the date of this policy), based in the UK/EEA.

We routinely use the following third party providers, who may store elements of your personal data in order to provide services to us:

  • Microsoft – provides the Microsoft 365 software suite, including OneDrive for document storage, together with SharePoint and Dynamics 365 for client and workflow management;
  • Transform Communications – provides marketing services, with access to prospective client information and details of those who register for events/information in order to assist us with our communications and event management;
  • Eventbrite – used for event registration and management; and
  • Doppler LLC – provides our electronic newsletter service.

We may also disclose your personal information to:

  • other companies within our group to the extent that there is a legitimate interest in doing so to support our business aims;
  • other agents and service providers, to the extent that they require access to the information in order to provide goods/services to us, in which case they will be bound by a contract requiring them to process personal data in accordance with the requirements prescribed by data protection law, or otherwise with their consent (and, in particular in relation to clients, it is acknowledged that information will be shared with legal directories);
  • law enforcement agencies in connection with any investigation to help prevent unlawful activity; and
  • a third party purchaser if we sell our business, in which case, customer and user information will be a transferred asset.

Keeping your data secure

We will use technical and organisational measures to safeguard your personal information, for example by storing your personal information on secure servers, maintaining appropriate physical and technical security measures, and providing appropriate training and awareness to our employees.

Transfers of your information

If you are resident in the UK/EEA, we will routinely process your personal information within the UK. However, we do have employees and representatives based in other territories and those employees may access and use such personal information in the performance of their duties.

If you are based outside of the UK/EEA, your personal information may be processed in the territory in which you are based where we have a local representative, though in most cases your personal information will be stored and processed by us in the UK.

Where we do transfer personal information, we will ensure that appropriate safeguards are in place in accordance with data protection legislation.

How long do we keep your personal information?

We keep your personal information for as long as we need to for the purposes for which it was collected or (if longer) for any period for which we are required to keep personal information to comply with our legal and regulatory requirements.

If you are looking for more specific information regarding how your personal information is retained and how/when it is deleted, please contact us.

Is there any automated decision making and/or profiling?

No, we do not make any automated decisions, including profiling, within the meaning of Article 22 of the GDPR.

What rights do you have?

You are responsible for ensuring that information you provide to us is accurate, complete and up-to-date. You can review and change your information by contacting us.

You have a number of rights in relation to your personal data. These include the right to:

  • find out how we process your data;
  • request that your personal data is corrected if you believe it is incorrect or inaccurate;
  • obtain restriction of, or object to, our processing of your personal data;
  • withdraw your consent to our processing of your personal data (including any direct marketing), if we are relying on consent;
  • object to receiving direct marketing, if we are relying on legitimate interests for such direct marketing;
  • obtain a copy of the personal data we process concerning you. We will take steps to verify your identity before responding to your request. Once we have verified your identity we will respond as soon as possible and in any event within one month.
  • lodge a complaint with the UK supervisory body, the ICO at https://ico.org.uk/. If you have a concern or complaint about the way we handle your data, we ask that you contact us in the first instance to allow us to investigate and resolve the matter as appropriate.

Some of the above rights are subject to exclusions, which we may rely on if applicable. We will inform you if we intend to do so.

If you would like to exercise any of your rights or find out more, please contact us.

How to contact us

Please contact us if you have any questions about this privacy policy or the information we hold about you.

If you wish to contact us, please send an email to contact@kiddaitken.com or write to us at Kidd Aitken Legal Marketing Ltd, Kemp House, 152-160 City Road, London, England, EC1V 2NX.