Kempton Carr Croft (“We”) are committed to protecting your data and respecting your privacy in accordance with the European General Data Protection Regulation (2016/679) (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
This notice sets out the basis on which any personal data provided to us will be processed by us. In this document, the words ‘you’ and ‘your’ refer to anyone whose personal data we process. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purpose of GDPR, the data controller is Kempton Carr Croft of Chatsworth House, 29 Broadway, Maidenhead, Berkshire, SL6 1LY.
What is your relationship with us?
The type of data we collect and the way we process it depends on your relationship with us. You may fall into one or more of the following categories. Please click the links below to see the relevant appendices for information about the type of personal data processed, how it is processed and under what lawful basis.
How Long Do We Keep Your Data?
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
With Whom Do We Share Your Data?
We do not share your data with any third party except for:
- Agents selected by you and for whom you have given prior consent for us to share personal information;
- Any third party in order to meet our legal and regulatory obligations including statutory or regulatory bodies, law enforcement agencies, credit reference agencies;
- Third parties and agents (including their sub-contractors) who provide services to us in order that we may enter and carry out our contracts;
- Any third party in the context of actual or threatened proceedings provided we can do so lawfully; and
- Third parties to whom we sell or negotiate to sell our business or assets.
These third parties only process your personal data for specified purposes agreed with us. They are bound by the same data protection regulations as we are.
Further detail of the types of third party we use is provided in the sections dealing with each of the above categories.
Do we transfer personal data outside of the European Economic Area (EEA)?
We do not transfer your data outside of the EEA. However, some of our third party data processors may process data in data centres located outside the EEA. We take steps to ensure that in such cases appropriate measures and controls are in place to protect your personal information in accordance with the applicable data protection laws and regulations in the UK.
We will not use your personal data to send you marketing communications except in the following circumstances:
- You have given consent;
- You work for a company and we would like to send the company information about our services which we think might be of interest to the company; or
- We are sending literature by post.
In all these situations you are able to opt out of receiving further communications.
We don’t currently use automated individual decision-making or profiling methods but we may introduce them in the future. If at any point this is introduced, you will be given the option to opt out.
The security and storage of your personal information is very important to us.
The personal data we collect from you is stored on secure servers, protected through a combination of physical and electronic access controls, firewall technology and other security measures.
We and our data processors have measures in place to guard against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Our business is Cyber Essentials certified and all the payment card processing carried out by Payment Express on our behalf is in compliance with PCI DSS.
We do not, however, have any control over what happens between your or your agent’s device and the boundary of our information infrastructure and cannot guarantee the security of data transmitted to us; any such transmission is at your own risk.
Individuals’ Rights Regarding the Personal Data Processed by Us
Under certain circumstances, by law you have the following rights:
You have the right to request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
You have the right to request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
You have the right to request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to Processing
You have the right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Restriction of Processing
You have the right to request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Transfer of Data
You have the right to request the transfer of your personal information to another party.
If you would like to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Finance Director by email at email@example.com or by letter at the above address. You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent to marketing communications, please email your request to firstname.lastname@example.org or you can manage your email preferences online at http://web.kemptoncarr.co.uk/cn/awjru/manageyourpreference. You also have the option to manage your email preferences at the bottom of any marketing email we send you.
For other requests to withdraw consent, please contact the Finance Director at email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Our nominated representative for the purpose of the Regulation is the Finance Director, Mrs Jane Holmes, who can be contacted by email at firstname.lastname@example.org or by letter at Chatsworth House, 29 Broadway, Maidenhead, Berkshire, SL6 1LY.
If you have any complaints about the way we use your personal data please contact the Finance Director at email@example.com who will try to resolve the issue. If we cannot resolve any issue, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues: www.ico.org.uk.
Changes to the privacy notice and your data
This version was last updated on 24 May 2018.
We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.
It is important that the personal data we hold about you is accurate and current. Please keep us informed, where relevant, if your personal data changes during your relationship with us.