Terms of Reference
Data Protection in a Box (“us”, “we” or “our”)
Using our Services (the “Service”, “our services”)
1. Information about us
Kevin Ward IT Services Limited, trading as Data Protection in a Box, is the owner and operator of https://dataprotectioninabox.co.uk/ (our website) and any applications and/or digital channels provided by us for the purpose of accessing our website, digital media or other services.
We are a company limited by guarantee registered in England and Wales under company number 10506616. Our registered company address is: Data Protection in a Box, 10a High Street, Chislehurst, BR7 5AN.
2. Contact us
If you would like any information about Data Protection in a Box and its activities, you can contact us by email at firstname.lastname@example.org. You can also write to us at: Data Protection in a Box, 10a High Street, Chislehurst, BR7 5AN.
This page informs you of our policies regarding the collection, use and disclosure of personal data when you use our Service and the choices you have associated with that data.
4. Our policy
We are committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our policy and practices regarding your personal data and how we will treat it.
For the purpose of compliance with UK Data Protection Law, the data controller is Kevin Ward IT Services Ltd.
5. How do we collect information?
We will collect and use your personal data, meaning any information which identifies you or which can be identified as relating to you personally, for example (but not limited to) your name, address, phone number and email address.
We obtain personal information from you when you enquire about our services, register with us, become an employee, send or receive emails, ask a question or otherwise provide us with personal information.
We collect personal data in connection with specific activities such as:
Examples of ways that you may share your personal data with us are by:
6. What information do we collect?
The personal information we collect will depend on the nature of the data processing requirement. Examples include, but are not limited to, your name, email addresses, postal addresses, telephone numbers and payment details.
Certain personal information is categorised by UK data protection law as ‘special category data’. We do not process special category data in order to provide our services.
We gather cookie data from our website; for more information, see section 3.5 Cookies.
7. How do we use this information?
Depending on your relationship with us, we will use your personal information for the following purposes:
We share your information with service providers for funding, educational needs and safeguarding purposes. We never sell your information to other organisations.
What are cookies?
Cookies are files created by websites you've visited that store browsing information, such as login information. There are two types of cookies used by this website: first-party cookies, which are set by us, and third-party cookies, which come from services provided by another supplier on our behalf.
Cookies are not dangerous and are not viruses. They are small pieces of text, not programs, and do not cause any damage to your computer, tablet or mobile device.
We use a number of cookies across our website (see the lists below for full details). Cookies make your use of the website easier and quicker, by remembering your browser and computer settings.
Types of cookies
Strictly necessary cookies
These cookies are essential, as they enable you to move around the website and use its features, such as accessing secure areas. Without these cookies, services you've asked for can't be provided. These cookies do not gather information about you.
These cookies anonymously collect information about how you use a website, for example which pages you go to most often and if you get error messages from certain pages. These cookies do not gather information that identifies you. All information collected under a Performance Cookie is anonymous and is only used to improve how a website works.
Functionality Cookies allow a website to remember choices you make (such as your username, language or the region you are in), tailoring the website to provide enhanced features and content for you. These cookies can also be used to remember changes you have made to text size, font and other parts of pages that you can customise. They may also be used to provide services you've asked for, such as watching a video or commenting on a post. The information Functionality Cookies collect may be anonymous and they cannot track your browsing activity on other websites.
We do not use Targeting cookies, which are used to tailor marketing to you and your interests.
When visiting our website, you will be asked to opt in/give consent for the use of performance and functionality cookies. As described above, these cookies will enhance your experience on our website without collecting any personal data.
How to control and delete cookies
Additionally, you may wish to visit www.aboutcookies.org which lists instructions for all the main, current web browsers. For mobile devices, you should refer to the manufacturer's website.
9. How we use personal data to conduct research
We carry out research to generate feedback on your experiences. We use this feedback to improve the experience that we offer and ensure we know what is relevant and interesting to you. If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All research conducted is optional and you can choose not to take part. We will not share your personal data with any third party for research purposes.
10. How do we protect your personal information?
We take appropriate measures to safeguard personal information that is disclosed to us and keep it secure, accurate and up to date.
11. How do we store your information, and do we send it outside the European Economic Area?
We do not directly transfer your data outside of the EEA. We store digital data on secure cloud-based services including GoDaddy servers and Microsoft (document storage).
12. Will we disclose the information we collect to third parties?
We will never sell your data. We will only disclose your information if required by law, for example to government bodies and law enforcement agencies.
13. Links to other websites
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and third parties. If you follow a link to another website, please note that such websites have their own Privacy Policies and once you have entered another site, we do not accept any responsibility or liability. Please check individual website policies before you submit any personal data.
14. What is the lawful basis for processing personal data?
Collecting, processing and using personal data is permitted only under a lawful basis. The lawful bases that we operate under are listed below, along with the data processing activities that fall under them.
Necessary for the performance of a contract
When you make a purchase with us, certain processing activities involving your personal data are considered necessary for the performance of the contract between you and us to provide our services to you.
We may contact you with offers and services which we feel are relevant. This includes informing you of products and services provided by us. Legitimate Interest considers the balance between taking into account your own interests and our services offered. You can object to communications at any time by contacting Data Protection in a Box.
There are circumstances when we are required to process personal data in order to meet our legal obligations. Processing data under this basis can relate to education needs, safeguarding and child protection requirements, financial data, insurance, information and HMRC reporting requirements. When processing on the basis of legal obligations, you have no right to erasure or right to object.
When we rely on the lawful basis of consent to process personal data, it must be freely given, specific, informed, and an unambiguous indication of agreement. If you have provided consent, you have the right to withdraw it at any time.
15. How long do we keep personal data for?
We retain personal data for no longer than is necessary. What is necessary is dependent on each data type, taking into account the reasons that the personal data was obtained, but if relevant, the length of retention is determined in a manner consistent with legal and regulatory obligations.
We have a Data Retention Policy and Schedule that sets out retention periods for the different kinds of data we might hold about you. If you would like to find out more about this policy, please contact Data Protection in a Box.
16. What are my data subject rights?
Under UK Data Protection Law, a data subject is considered to be ‘an individual who is the subject of personal data’.
Data subjects have certain rights and by exercising these rights, you can make requests regarding your personal data. A summary of these rights is explained below.
The Supervisory Authority that regulates and enforces Data Protection Law in the UK is the Information Commissioner’s Office (ICO). Additional information and guidance about these data subject rights can be found on their website: https://ico.org.uk/.
1) Right to be informed
At the point of collecting personal data from you, we must provide you with information such as the purpose and rationale for the processing of that data.
2) Right of access
This right provides you with the ability to access your personal data that is being processed by us. Provided the rights and freedoms of others are not affected, we will supply you with a copy of your requested personal data. The information will be provided free of charge unless the request is manifestly unfounded or excessive; in those cases, the request may be refused, or a reasonable fee charged.
3) Right to rectification
This right provides you with the ability to ask for modifications and rectification to your personal data in the event you believe that your personal data is not up to date or accurate.
4) Right to erasure
Also known as ‘the right to be forgotten’, this right, under certain circumstances, provides you with the ability to ask for the deletion of your personal data. We may refuse to fulfil the right to erasure if there is a legal reason why the personal data must be retained, the grounds are not valid or if the data is required for use in the defence of a legal claim.
5) Right to restriction of processing
You have the right to restrict the processing of your personal data where you have a particular reason for wanting the restriction. This may be because you have concerns with the personal data we hold about you or how we have processed your data.
6) Right to data portability
This right provides you with the ability to ask for a copy of or a transfer of your personal data, in a certain format. You may ask for your personal data to be provided back to you or transferred to another data controller. When doing so, the personal data must be provided or transferred in a structured, commonly used and machine-readable format.
7) Right to object
You have the right to object to the processing of your personal data, including marketing activities and profiling, on grounds relating to your particular situation. If you make such an objection, we will cease to process the personal information unless;
8) Right to object to automated processing
This right provides you with the ability to object to a decision based solely on automated processing, including profiling. We do not use automated processing but if we did, under this right, you may ask for your processing to be reviewed manually and with human intervention.
3.15. Exercising your data subject rights
To make a Data Subject Access Request please use the following methods;
We may request further information from you to help us verify your identity.
Once we have all the information necessary to respond to your request and have confirmed your identity, we will locate your information and manage your request without undue delay and in any event within one calendar month. Note that this timeframe may be extended by two further months if your request is particularly complex or there is a large volume of requests.
17. Payment card security
We use GoDaddy-recommended partners who are compliant with the Payment Card Industry Data Security Standard (PCI DSS). This is the international standard for secure credit and debit card payment processes and means that when you pay for our services using a debit or credit card, the relevant technical and operational security requirements are in place to protect the account data.
18. Making a complaint
If you think your data has been misused or that we have not kept it secure, please contact us using the contact details provided in section 2 and we will investigate any concerns you may have. If you are unhappy with our response or if you need any advice, you should contact the Information Commissioner’s Office (ICO).
The telephone number for the ICO Helpline is 0303 123 1113 or you can also chat online with an advisor.
The ICO can investigate your claim and take action against anyone who has misused personal data. You can also visit their website for information at https://ico.org.uk/concerns/.