Who we are:
Naomi Korn Associates is one of the leading management consultancies in the UK specialising in copyright, licensing and data protection. We work with and provide consultancy services to a range of organisations. We are registered with the Information Commissioner’s Office (ICO) as a data controller: Registration number ZA329287. This privacy statement outlines why we collect personal data, how we use it, keep it safe and the rights of those whose data we hold.
Why we collect data:
We collect, store and process personal data of clients, potential clients, employees and our Consultants for the purposes of fulfilling our contractual and legal obligations and responsibilities. We will only collect data we need to give you a better experience; to improve and deliver our services to you; and to meet our responsibilities to you.
How we use personal data:
We use personal data to fulfill our contractual obligations with clients, employees and our Consultants. Personal data of individuals who we provide services for, or on behalf of our clients is used to maintain our relationship and to deliver our consultancy, training and services.
We will only send you newsletters, information about our consultancy services, training and our latest advice, guidance and blog posts via our mailing list if you have actively consented to us doing so (e.g. you have opted to join our mailing list). Individuals signed up to our mailing list can withdraw their consent at any point by unsubscribing from the email or by contacting us at firstname.lastname@example.org
What personal data do we collect?
- Clients and attendees on our workshops: we collect personal data (name, contact details, job title, organisation) for the purposes of fulfilling our services.
- Employees and Consultants: we collect personal data (name, date of birth, contact details etc). Additional data collected (e.g. financial, pensions etc) is collected for the purposes of processing payroll and our pension obligations.
- We also collect emails and names from people subscribing to our mailing list.
- From time to time, as part of our contractual relationships with our clients, we may process personal details of third parties for the purposes of providing our services, such as rights clearances.
We use standard WordPress statistics which record visitor numbers and their country of origin.
Our legal process for processing personal data
Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, organisations are required to have a legal basis for processing personal data. The legal bases we use for processing data are:
- Legitimate interests for the purposes of fulfilling our consultancy activities and the provision of our services.
- Contractual basis for the purposes of fulfilling our obligations to Naomi Korn Associates employees, our Consultants and clients.
- Legal obligations for the purposes of fulfilling our statutory obligations, including our pension provisions to our employees.
- Consent when people opt into our mailing list.
How long do we keep data?
We store and retain personal data for various periods of time in line our legal obligations, financial regulations and internal requirements. Typically, we will delete personal data collected during project work such as rights clearance after 6 months. We have a Data Retention Policy to ensure that your data is not held for longer than is necessary .
How we keep data secure
We have robust processes, procedures, contracts and agreements in place to ensure secure collection, storage and processing of personal data. Only authorised employees, Consultants and third party data processors (e.g. those who process data on our behalf) have access to personal data we hold. All our suppliers and contractors meet the standards we require. Training is undertaken regularly, and checks are made to ensure data quality is maintained.
Personal data is stored securely on our network, on encrypted devices (iPads, laptops, smart phones etc) and within third party systems (e.g. bulk email distribution platform) whose tools we use to process data.
International transfer of data
Your information is held securely in the UK. Prior to engaging or using third party systems to process data, we ensure that sufficient safeguards, contracts/agreements are in place to protect personal data and that all parties comply with the requirements of GDPR and the Data Protection Act 2018. For example, where data may be transferred outside of the European Economic Area (EEA) to the United States (e.g. if a third party uses multiple servers to back up data), we will ensure that the third party is registered under the EU-US Privacy Shield, such as DropBox which ensures adequate protection of data.
Who we share data with:
In line with our legal obligations we share personal data about employees with HMRC, pensions providers and payroll services. We also share personal data with third parties who process our data for the purposes of providing services to you, such as email providers, digital file storage providers, those processing credit card payments, our online invoicing system and Mailchimp. Finally, we will share data with the appropriate authorities (e.g. police, law enforcement agencies and other parties) where we have a legal obligation. For example, for the detection and prevention of fraud, or where data is required in relation to a criminal offence.
We do not sell or share data with any other third parties other than those listed above and where we use a third party to securely process our data on our behalf.
Under the GDPR and the Data Protection Act 2018, you have the following rights:
- Right to be informed. This Policy provides you with information in relation to how your data is processed. This ensures that we are transparent about what we will do with the information you supply to us.
- Right to object to the processing that is likely to cause you damage or distress. Where you challenge the accuracy or lawful processing of your information, we will consider this.
- Right to receive an electronic copy of any information you have consented to us holding. You can ask us to provide you with the personal data about you we hold, securely and in a machine-readable format, so it can be moved, copied or transferred to be used across different services or for you to give to another organisation. This is called a subject access request and we will need to verify your identity before giving such information.
- Right to object. We will ensure that we have the right consents in place for sending you information. You can unsubscribe from our mailings and remove your details at any time. If you wish to stop receiving communications from us, you will be able to do so by contacting us at email@example.com
- Rights related to automated decision making. If there is additional profiling based on the information we hold, then you can object to us making decisions about you based on such processing.
You can make a request at any point by email firstname.lastname@example.org. We will respond to a request within one month of receipt. However, where a request is received to erase data, we may not be able to delete all data (for example where data is linked to financial transactions that must be kept for a set period of time under financial regulations).
Links to other websites:
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
If you would like to find out more about how we process data, or if you wish to make a complaint, please contact us at email@example.com
If we are unable to resolve your complaint, you also have the right to complain to the Information Commissioner’s Office if you feel that your data had been processed in a way that is not compliant with this policy or in line with the GDPR and the Data Protection Act 2018. You can contact the ICO by visiting their website, www.ico.org.uk or by calling 0303 123 1113.
Notification of Changes:
We keep this Policy under regular review and will update this page. You should check this page from time to time to ensure that you are aware of any changes.
Last updated: December 2018