Data Protection Policy
Introduction.
Here at Kiltti, we will always try to make our policies as clear and as readable as we can. We would like our policies to be understood by all those who are interested in finding out about them.
Most policies can be summarised in a few paragraphs but, unfortunately, that’s not really the case with data protection. This is because there is data protection legislation to protect people’s personal information and, amongst other things, it requires organisations to set out what they’re doing to comply with it.
Kiltti takes the protection of personal information seriously. Kiltti is registered as a data controller with the ICO (reg. no. ZB069360) and, despite not being required to do so, has volunteered a representative as a Data Protection Officer (DPO). The DPO details can be found on the ICO’s website, Kiltti’s website in its Privacy Notice, and at the end of this policy document.
This policy, coupled with the Privacy Notice, is intended to meet Kiltti’s obligations under relevant data protection legislation. Kiltti is a UK-based company and abides by all UK laws.
The legislation requires anyone who asks for an individual’s personal information to tell that individual why they are asking for it, what they will do with it, and how they will keep that information safe.
Kiltti does not subscribe to the view that a person’s personal information is something that should be bought and sold, as a commodity in an open market, and certainly not without their knowledge or permission. This was done for many years and, until the introduction of data protection legislation, people had little control over how their information was being used, stored or transferred.
As a general rule, if a company’s main service (e.g. web search engine, social media platform) is free, then the personal information you have given them is being used and/or sold for profit.
Some people are quite happy for their information to be used in this way, but the legislation now requires organisations to have one or more legitimate reasons for having a person’s information and their consent to use it in other ways (e.g. marketing, statistical analysis, selling to advertisers) than the original purpose. The legislation also requires organisations to inform those people what that legitimate reason is.
At Kiltti, the legitimate reasons for us to have a person’s personal information fall into three main categories: consent, contract, and legal obligation. These reasons are set out in Article 6(1) (a), (b) and (c) of the UK GDPR.
Many people will have heard the term ‘GDPR’ but not know what it means. Before we continue, we think it would be useful to define some of the terms we use in this policy.
Definitions.
Cookie - A cookie is a small data file stored by an individual’s internet browser. Cookies are a way for websites to remember information about that individual’s browsing activity. They make the web experience more personal by building something like an individual behavioural profile, which organisations and sites use to decide what kind of content is shown to that individual.
Criminal records data - means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data Controller - the person or organisation that determines the means and the purpose of processing the personal data.
Data Processor – the person or organisation that performs any activity relating to personal data which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destruction.
Data Protection Act 2018 - see DPA 2018 below.
Data Protection Legislation - includes (i) the Data Protection Act 2018, (ii) the UK General Data Protection Regulation (UK GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the UK GDPR is effective in the UK, and the E-Privacy Directive (and its proposed replacement), once it becomes law.
Data Protection Officer (DPO) - DPOs monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
Data Subject - a living individual. This is the technical term for the living individual whom particular personal data is about but here at Kiltti we have used the term ‘person’ instead.
DPA 2018 – Data Protection Act 2018 – the legislation in the UK which covers data protection, privacy and electronic communications. This was an update of the Data Protection Act 1998, and incorporated all the relevant clauses of the EU’s GDPR.
E-Privacy Directive - One of the lesser-known data protection acts in place to protect user security. It is a European Union Directive, also known as the EU Cookie Law. Adopted in May 2011, the directive covers and includes non-personal data and has a focus of keeping communications confidential. So, in that respect, it’s not the same as the GDPR.
The Directive specifically covers electronic communications. In short, it requires organisations to gain consent from website visitors in order to store or retrieve any information from a digital device.
Like the GDPR, the E-Privacy Directive is an EU directive but is governed in the UK by the ICO.
GDPR – the General Data Protection Regulation introduced by the EU in 2016 to harmonise data privacy laws across members of the European Economic Area. It became applicable in 2018. Each state was to reinforce these regulations with the adoption of its own laws – hence the UK’s Data Protection Act 2018. The UK’s withdrawal from the EU has resulted in some adjustments to the GDPR, and these are incorporated into the UK’s version, now called the UK GDPR.
HMRC – Her Majesty’s Revenue & Customs is the department of the UK Government responsible for, amongst other things, the collection of taxes.
Information Commissioner’s Office (ICO) - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Legitimate reason - the legal basis for collecting personal information, which includes: consent; the performance of a contract; compliance with a legal obligation; protection of the vital interests of the data subject; the performance of a task carried out in the public interest; or the purposes of the legitimate interests pursued by the data controller.
Person – a living individual. For the purposes of the GDPR, a data subject (see above).
Personal data - any information that identifies a living individual (data subject) either directly or indirectly. What this means, essentially, is that if anyone can work out who the data refers to, then it’s personal data. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or the identity has been permanently removed making it impossible to link back to the data subject.
Personal information – personal data. Kiltti prefers to use ‘information’ rather than ‘data’ when referring to individuals; it just feels a little more human.
Processing - is any activity relating to personal data which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destruction.
Special categories of personal data - this includes any personal data which reveals a data subject’s: ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sex life or sexual orientation.
Specific, affirmative action - in the case of GDPR, this means knowingly and clearly giving your consent to allow a company to have and use your information, by performing a positive action e.g., by ticking a box, or clicking an ‘I agree’ button on a website; merely utilising a service is not really considered to be specific enough.
UK GDPR – With effect from 1st January 2021, the UK ceased to be part of the EU and hence the EU GDPR also ceased to protect the rights and freedoms of UK citizens in matters relating to their personal data. Along with updating the DPA 2018, the UK Government revised the EU GDPR to produce the UK GDPR.
Collecting and processing personal information.
Kiltti is committed to the principles of Article 6 of the UK GDPR. This means that Kiltti will ensure that any personal information is:
- processed fairly, lawfully and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not used in ways which are incompatible with those purposes;
- adequate, relevant and limited to what is necessary to fulfil the purpose the information was provided for;
- accurate and, where necessary, kept up to date;
- not kept in a form which would allow a person to be identified for longer than is necessary;
- processed in a manner that ensures appropriate security of the information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Legitimate reasons for collecting and processing personal information.
Kiltti is committed to the principles of Article 6 of the UK GDPR. This means Kiltti must have one or more legitimate reasons to ask for, and store, personal information. In Kiltti’s case, these reasons will mostly come under three categories: consent, contract or legal obligation.
Irrespective of the category, Kiltti’s policy is to collect and process the minimum amount of personal information to allow us to fulfil the service required.
- Consent - This is where you volunteer information to us. For example, you might be interested in receiving free resources or information from us, even if you’re not an existing customer of Kiltti’s. By letting us know who and where to send it to, you are giving us your permission to process some of your personal details. Under this category, you have the right to withdraw your permission at any time.
- Contract - This is where the information is required for us to meet our contractual obligations to you. For example, we will not be able to coach you if we don’t know who you are.
- Legal obligation - This is where we need to store the information for legal reasons. For instance, Kiltti has an obligation to store and maintain information for taxation purposes; HMRC takes a very dim view of poor and incomplete record-keeping.
Rights of the data subject.
Kiltti is committed to the principles of Articles 12 to 22 of the UK GDPR, which deal with the rights of the person whose information is collected and stored. These rights include, but are not limited to, the:
- Right of access – this is the right to ask us for copies of the personal information we hold.
- Right to rectification – this is the right to ask us to rectify information that is inaccurate. It is also the right to ask us to complete information that is incomplete.
- Right to erasure – this is the right to ask us to erase personal information in certain circumstances.
- Right to restriction of processing – this is the right to ask us to restrict the processing of personal information in certain circumstances.
- Right to object to processing – this is the right to object to the processing of personal information in certain circumstances.
- Right to data portability – this is the right to ask that we transfer the information volunteered to us to another organisation, or to the person, in certain circumstances.
There is no charge for exercising these rights. If Kiltti receives a request, we have one month to respond. It is Kiltti’s policy to respond sooner than this wherever it is practicably possible.
Please contact our Data Protection Officer if you wish to make a request.
Data protection officer.
Kiltti’s Data Protection Officer can be contacted as follows:
By post: Data Protection Officer, Kiltti Ltd, Units 4 & 5 Brightwell Barns, Waldringfield Road, Brightwell, Ipswich, IP10 0BJ
By email: danbristow@gmail.com
By phone: 07964040210