Last updated: 23 May 2018
Who are we?
Carr Kamasa Design Ltd (CKD) provides design consultancy and marketing services. We also offer a range of design services, corporate communications, website design and branding, to businesses.
Carr Kamasa Design Ltd is a design consultancy. When we work with clients we may need to collect and process data and are therefore classified as a Data Controller by the General Data Protection Regulation (GDPR). We are committed to privacy for everyone with whom we deal with either face to face, in writing or by email, on the telephone or through our website. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. Under the EU General Data Protection Regulation (GDPR), we must comply with certain requirements which are designed to ensure that any data provided to us is processed with due care and attention. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
This data protection policy ensures Carr Kamasa Design Ltd.
- complies with data protection law and follow good practice
- protects the rights of staff, customers and partners
- is open about how it stores and processes individuals’ data
- protects itself from the risks of a data breach
Data protection law
The EU General Data Protection Regulation (GDPR) describes how organisations — including Carr Kamasa Design Ltd— must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The EU General Data Protection Regulation (GDPR) is underpinned by eight important principles.
These say that personal data must:
- be processed fairly and lawfully
- be obtained only for specific, lawful purposes
- be adequate, relevant and not excessive
- be accurate and kept up to date
- not be held for any longer than necessary
- processed in accordance with the rights of data subjects
- be protected in appropriate ways
- not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
This policy applies to:
- Carr Kamasa Design Ltd.
- all staff and volunteers of Carr Kamasa Design Ltd
- all contractors, suppliers and other people working on behalf of Carr Kamasa Design Ltd
What does this Policy Cover?
At CKD we take your personal data seriously. This policy:
- sets out the types of personal data that we collect about you
- explains how and why we collect and use your personal data
- explains how long we keep your personal data
- explains when, why and with whom we will share your personal data
- sets out the legal basis we have for using your personal data
- explains the effect of refusing to provide the personal data requested
- explains the different rights and choices you have when it comes to your personal data
- explains how we may contact you and how you can contact us.
What sort of personal data do we collect?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in our possession or likely to come into such possession. The processing of personal data is governed by the GDPR.
Carr Kamasa Design Ltd collects personal data from clients, suppliers and staff as a consequence of its role as a design consultancy. It is used for the purpose of design consultancy and advisory services such as direct client contact. We also hold data for recruitment and staff salary payment.
The data we hold consists of information for client direct contact such as name, address, telephone number and e-mail address. The employee information we hold is required by law e.g. citizenship, information from former employers and referees and also to allow the payment of salaries. We only collect sensitive personal data from you, and further process this data, where you have given your explicit consent.
From where do we collect personal data
We collect data from a range of sources including:
- directly from you. This is information you provide during the various different stages of the client consultancy or recruitment and employment process.
How do we process your personal data?
Carr Kamasa Design Ltd processes this personal data as necessary to aid the client/supplier process, the recruitment process and, for its employees, through the normal course of its business.
Carr Kamasa Design complies with its obligations under the GDPR by keeping personal data up to date or by storing and destroying it securely, by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
If you contact us, we may keep a record of your contact information and correspondence, and we may use any information you provide in your message to respond to your enquiry. We may use personal information for our business purposes, such as internal communication regarding clients, the administering of our products and services, the maintaining and securing of our infrastructure, and for procurement and financial transactions.
We may from time to time send informational e-mails, articles, white papers, proposals, engagement letters, and other information regarding our services.
We also use personal information in relation to the recruitment process to confirm references and conduct education and background checks, as appropriate.
How long will we keep your data?
Client and supplier information is maintained on our database, which is secure and accessible only to our employees. Employee’s personal information is retained for the purpose of salary payment or as otherwise required by law, and we assume that you are happy for us to retain your personal information for consideration if you are an existing client, a supplier or a member of staff unless we hear otherwise from you.
As a consequence, we will hold existing client data until we no longer work with you and after that for no longer than 3 years. Employee data will be held as required by law.
What is the legal basis for processing your personal data?
Our holding and processing of current, up to date and relevant data on our clients and staff is in the legitimate interest of Carr Kamasa Design Ltd. as a design consultancy, in that we need the information in order to be able to work with our clients on their projects.
For clients, we need to hold your data in order to perform our work with you.
What happens if your do not provide us with the information we request or ask that we stop processing your information?
If you do not provide the personal data necessary, or withdraw your consent for the processing of your personal data, we may not be able to work with you as a design consultant.
Why do we collect and process sensitive personal data?
We do not as a matter of course collect and process sensitive personal data. Where it is necessary we will secure your explicit consent.
- Everyone who works for or with Carr Kamasa Design Ltd has some responsibility for ensuring data is collected, stored and handled appropriately. Carr Kamasa Design Ltd will arrange data protection training and advice for the people covered by this policy. Each employee that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles:
- reviewing all data protection procedures and related policies
- handling data protection questions from staff and anyone else covered by this policy
- dealing with requests from individuals to see the data Carr Kamasa Design Ltd holds about them (also called ‘subject access requests’)
- checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data
- ensuring all systems, services and equipment used for storing data meet acceptable security standards
- performing regular checks and scans to ensure security hardware and software is functioning properly
- evaluating any third-party services the company is considering using to store or process data for instance, cloud computing services
- approving any data protection statements attached to communications such as e-mails and letters.
- where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
Do we pass data to third parties?
Your personal data will be treated as strictly confidential, employee’s data will only be used for the purpose of human resources and salary payment. We may also share information securely within our business for recruitment purposes. In some situations, we may conduct checks on you to verify the information you have provided. In such cases we will provide you with the name of the background checking company we use.
How is this data safeguarded?
The security of your data is extremely important to us. Access to your personal data is only provided to our staff, in order to help with the day to day running of your project and to allow us to manage our staff. We take all practicable steps to keep your data secure. However, no process that involves communication over e-mail or the Internet can be guaranteed 100% secure.
What are your rights in relation to the data we hold on you?
By law, you have the following rights with respect to your personal data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
|Rights||What does this mean?|
|1. The right to be informed||You have the right to be provided with clear,
transparent and easily understandable information
about how we use your information and your rights.
This is why we are providing you with the
information in this Policy.
|2. The right of access||You have the right to obtain access to your
information (if we are processing it), and certain
other information (similar to that provided in this
This is so you are aware and can check that we are
using your information in accordance with data
|3. The right to rectification||You are entitled to have your information corrected
if it is inaccurate or incomplete.
|4. The right to erasure||This is also known as ‘the right to be forgotten’ and,
in simple terms, enables you to request the deletion
or removal of your information where there is no
compelling reason for us to keep using it. This is not
a general right to erasure; there are exceptions.
|5. The right to restrict processing||You have rights to ‘block’ or suppress further use of
your information. When processing is restricted, we
can still store your information, but may not use it
further. We keep lists of people who have asked for
further use of their information to be ‘blocked’ to
make sure the restriction is respected in future.
|6. The right to data portability||You have rights to obtain and reuse your personal
data for your own purposes across different
services. For example, if you decide to switch to a
new provider, this enables you to move, copy or
transfer your information easily between our IT
systems and theirs safely and securely, without
affecting its usability.
|7. The right to object to processing||You have the right to object to certain types of
processing, including processing for direct marketing
(i.e. if you no longer want to be contacted with
|8. The right to lodge a complaint||You have the right to lodge a complaint about the
way we handle or process your personal data with
your national data protection regulator.
|9. The right to withdraw consent||If you have given your consent to anything we do
with your personal data, you have the right to
withdraw your consent at any time (although if you
do so, it does not mean that anything we have done
with your personal data with your consent up to
that point is unlawful). This includes your right to
withdraw consent to us using your personal data for
We usually act on requests and provide information free of charge, but may charge a reasonable fee
to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests
- further copies of the same information.
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we’ll come back to you and let you know.
Effective date amendments
This Policy is effective as of 25 May 2018. We reserve the right to change, modify, add or remove portions of this Policy at any time at our sole discretion, and will inform you if we make material changes by indicating on the Policy the date it was last updated or otherwise. When you visit the website or are engaged with us in connection with our board and executive search and assessment services, you are accepting the current version of this Policy as posted on the site at that time.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out of the relevant purposes and processing conditions.
How will we contact you?
We may contact you by phone, e-mail or social media. If you prefer a particular contact means over another please just let us know.
How can you contact us?
To exercise all relevant rights, queries or complaints in relation to data privacy please in the first instance contact our organisation to have the matter investigated either on 02075660190 or via email at firstname.lastname@example.org. You can also contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Carr Kamasa Design Ltd
1 Poole Street
London N1 5EB
Company Number 02511448. Registered in England and Wales.