Kaleidoscope Consultants Ltd
Privacy Notice
We are Kaleidoscope Consultants Limited. We advise our clients on the lawful processing of personal data and on clinical safety and DTAC.
This privacy notice tells you what Kaleidoscope may use your personal data for, how we process it, what your rights are and how you can exercise them.
We process personal data about various classes of people: clients, suppliers, staff, other people we work with and people who contact us as a part of a service we provide.
People have limited rights which they may freely exercise where data that identifies them is processed. We explain what these are, and how and when you can exercise them.
We use various third-party data processors to provide cloud-based technologies on which we securely process personal data.
We may place some cookies on your device when you visit our website, but only with your consent.
You can contact us for more information about how, what and when we process personal data about you and to request access.
You can complain to the relevant supervisory authority (SA) if you do not think we have handled your data correctly.
Kaleidoscope Consultants
Kaleidoscope Consultants Limited (KC UK).
As well as providing advice to our clients, we sometimes act on their behalf as their Data Protection Officer or EEA Representative, two roles required of some organisations by the General Data Protection Regulation. If our client is processing your personal data and you have any questions, requests or concerns, please find our contact details on our EEA Representative page. For data protection supervisory authorities, please go to our supervisory authorities page.
The General Data Protection Regulation is a data privacy law that applies to organisations (and sometimes people) that are established in the European Economic Area (the countries of the European Union plus a number of other countries).
Privacy Notice
The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints.
This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact options provided to ask us. You can translate this page into your local language by using the translate tab at the bottom of this page.
This privacy notice, however you have arrived at it, applies to the following domains: kaleidoscopeconsultants.com; kaleidoscopeconsultants.co.uk; kaleidoscopeconsultants.info; kaleidoscopeconsultants.uk.
Personal data processed
We process the following personal data for the purposes listed (we are also the Controller of the processed data listed in the Data Processors section below):
Classes of Data Subject | Purposes of processing | Categories of Data | Retention period | Lawful basis |
---|---|---|---|---|
EU citizens (as designated EEA Representative on behalf of our clients outside of the EEA) – Clinical trials | To communicate with the EU citizen and respond to questions, requests and concerns as designated EEA Representative | Names, Email addresses, Telephone numbers | To the end of our mandate with client or for those participating in clinical trial 10 years after last contact. | Legal obligation (Article 27 GDPR) |
EU citizens (as designated EEA Representative on behalf of our clients outside of the EEA) – Medical technology | To communicate with the EU citizen and respond to questions, requests and concerns as designated EEA Representative | Names, Email addresses, Telephone numbers | To the end of our mandate with client or for 7 years after last contact. | Legal obligation (Article 27 GDPR) |
EU citizens (as appointed outsourced Data Protection Officer (DPO) on behalf of our clients outside of the EEA) | To communicate with the EU citizen and respond to questions, requests and concerns as the appointed outsourced DPO | Names, Email addresses, Telephone numbers | To the end of contract with client or in accordance with client’s retention periods. | Legal obligation (Article 38(4) GDPR) |
UK Citizens (as designated UK Representative on behalf of our clients outside of the UK) – Clinical trials | To communicate with the UK citizen and respond to questions, requests and concerns as designated UK Representative | Name, Email address, Telephone number | To the end of our mandate with client or for those participating in clinical trial 10 years after last contact. | Legal Obligation GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 |
UK Citizens (as designated UK Representative on behalf of our clients outside of the UK) – Medical technology | To communicate with the UK citizen and respond to questions, requests and concerns as designated UK Representative | Name, Email addresses, Telephone number | To the end of our mandate with client or for 7 years after last contact. | Legal Obligation GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 |
UK citizens (as appointed outsourced Data Protection Officer (DPO) on behalf of our clients outside of the UK) | To communicate with the UK citizen and respond to questions, requests and concerns as the appointed outsourced DPO | Names, Email addresses, Telephone numbers | To the end of contract with client or in accordance with client’s retention periods. | Legal Obligation GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 |
Clients Client /staff Staff of suppliers and organisations associated with client projects | Project management, Financial records | Personal data: Names, Work email address, Work telephone numbers | 8 years after the last payment | Legitimate interest |
Suppliers | Financial records, Account management | Personal data: Names, Work email address, Work telephone numbers | 8 years after the last supply | Contract |
Current staff and PAYE workers | Benefits, Employment contract, Sickness, Holiday, Pension, Payroll, Emergency contact in case of injury or illness | Personal data: Name, Email address, Telephone number, Address, Date of birth, NI no, Emergency contact details | 8 years after leaving | Legal obligation; Contract with the employee or PAYE worker |
Past staff | Pension; Basic staff record to allow for factual employment verification. | Personal data: Name, Email address, Telephone number, Address, Birthday, NI no | We will follow the pension regulator retention schedule | Legal obligation |
Recruitment | Recruitment and appointment, Prospective employment, Complaints | Personal data: Name, Email address, Telephone number, Address | 12 months after successful appointment | Contract with the employee |
Associates | Provision of professional services through Kaleidoscope to end clients | Personal data: Name, Email address, Telephone number, Address | 5 years after last engagement | Professional services contract |
Potential clients | Marketing of services, Invitations to events | Personal data: Name, Email address, Telephone number, Organisation, Job title | 2 years from last contact | Consent |
Supervisory authorities and other regulators | Requests by the Supervisory Authorities across the EU and UK in relation to data subjects who have contacted the Supervisory Authority or where we have escalated on behalf of a client (EEA Representative, UK Representative and DPO service) | Personal data: Name, Email address, Telephone number, Other related personal data for that case/enquiry | To the end of our mandate with client or for those participating in clinical trial 10 years after last contact (EEA/UK Representative). To the end of our mandate with client or for 7 years after last contact – medical technology (EEA/UK Representative). To the end of our contract or in accordance with client’s retention schedules (DPO) | Legal obligation (Article 27, Article 38(4) GDPR and UK GDPR and Data Protection Act 2018, as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019) |
Data protection rights
The General Data Protection Regulation secures various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Listed below are the rights and an indication of when they apply in relation to the table above:
Right | Meaning | Engagement by lawful basis (see above) |
---|---|---|
Access GDPR Article 15 | You may request a copy of the data held by a controller about you. | This is a fairly universal right with minor exemptions for staff disciplinary records and legal opinions. |
Rectification GDPR Article 16 | If you think data held by a controller about you is wrong, you may request that it is corrected. | This is a fairly universal right with minor exemptions. |
Erasure GDPR Article 17 | You can request that your data is deleted by a controller. | This is a fairly universal right with minor exemptions. |
Restriction GDPR Article 18 | There are circumstances in which a data subject may ask a controller to stop processing their data but in which the controller must otherwise retain the data, for example where required by law. | This right is more complex to apply, but that doesn’t mean it would be respected. |
Portability GDPR Article 19 | You can ask for a copy of your data in a format that can be readily transferred to an alternative controller. | This right is only engaged where your data is processed on the basis of consent. |
Objection GDPR Article 21 | You can object to the processing of your personal data when the controller is relying on a legal obligation or public duty for their legal basis, or they are claiming that it is in their legitimate interest, especially direct marketing. | Engaged where the lawful basis for processing is GDPR article 6(1)(e) or 6(1)(f). |
Automated decisions GDPR Article 22 | Where a computer makes a decision about you without human intervention, for example in an online loan application, you have the right to know how the decision was arrived at. | Where automated decision-making takes place without human intervention. |
Cookies
Our website is at www.kaleidoscopeconsultants.com. The pages of our Irish and Spanish companies are also hosted here.
Our website has a tool to allow people to choose whether or not to allow cookies to be stored on their computer. A cookie is a small file that websites read when you browse them, and which sometimes tells those websites about you and your preferences.
Our website uses the following cookies:
Cookie name | Purpose | Persistence |
---|---|---|
civicCookieControl | Is the cookie preference tool used | 3 months |
google.com | | |
translate.google.com | Supports the Google translation service on every page | |
gstatic.com | | |
apikeys.civiccomputing.com | Supports the cookie preference tool used | |
translate.googleapis.com | Supports the Google translation service on every page | |
Data processors
Below is a list of companies whose services and products we have contracted and who process personal data on our behalf:
Supplier and service(s) provided | Classes of Data Subject | Personal Data processed | Purposes for the processing |
---|---|---|---|
Internet designer and web host. Sub-processor: Digital Ocean. Privacy policy can be found here. | Customers (including subscribers to our mailing lists), and Staff. | Personal data: Get in touch form. Team page – providing details of our staff – name, photograph and biography. Nottinghamshire Care homes DSPT User Registration form | We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: Providing the requested service and/or information to you. Responding to your queries. User registration to access our products and services. Transmitting Personal Information between our functions for internal administrative purposes. For further information about cookies we use click here |
Bulk email mailing and list management service. Their privacy notice can be found here. | Clients, Potential clients, Past clients | Personal data: Name, email address and other basic contact details. | Personal data is processed to inform clients and potential clients of our services as well as inviting them to events we operate. A client / potential client or past client can opt out at any time. |
Eventbrite and Zoom. Online event management tool (Eventbrite) and presentation/recording system (Zoom). The privacy notice for Eventbrite can be found here and for Zoom here. | Event attendees | Personal data: Name, email address and other basic contact details. Special category data: Dietary needs, Physical needs | Delegates wanting to attend events we manage, register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. A delegate can opt out of an event, including watching an event/presentation at any time through cancelling their registration. |
Online survey tool which is used for evaluation of events, training, services and products provided by us. Their privacy notice can be found here. | Customers and delegates that have attended our events, including training. | Personal data: Name, email address and other basic contact details. | Delegates wanting to attend events we manage register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. This includes evaluation. A delegate can opt out of an event at any time through cancelling their registration and any evaluation. |
People HR (People Apps Limited). HR management services software. Their privacy notice can be found here. | Staff, Associates and PAYE workers – UK and Ireland | Personal data: address, training certificates, NI, Nationality, Employee ID, Payslips, P45, Contract, Emergency contacts (name and phone numbers). | This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests. For example, the processing of personal data by the employer for the purposes of paying the employee will be necessary for the performance of the employment contract, and the processing of data about absence for the purposes of paying statutory sick pay will be necessary for compliance with a legal obligation. We will also process your special category data because it is necessary for us to process requests for sick pay or maternity pay. This may also include providing details to HMRC. |
Accounting software. Their privacy notice can be found here. | Customers, Suppliers, Staff | Name of customer, address and banking information. | The lawful basis of this processing is contractual and is for accounting purposes. |
Accounting & Bookkeeping Bureau. Accountancy and payroll services. Their privacy notice can be found here. | Staff and PAYE workers | Name, NI and DOB and contact information. | This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests. |
Accountancy and payroll services. Their privacy notice can be found here. | UK staff and PAYE workers | Name, NI and DOB and contact information. | This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests. |
Pension provider used for pensions for staff. Their privacy notice can be found here. | Staff UK only | Name, NI and DOB and contact information. | This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests. |
EEA/UK Representative and DPO Service only. Transperfect are used to translate recorded phone calls with the data subject. Their privacy notice can be found here. | Data subjects who have contacted us directly or through an existing customer or Supervisory Authority of our EEA/UK Representative and DPO Service. | Recording of a call with the data subject. This will include name and other information provided by the data subject. | This processing is necessary for the performance of a contract, for compliance with a legal obligation. |
Language reach are used to provide translation services. | No personal data | Translation service for official and legal documentation. | Outside of privacy legislation scope as no personal data is processed. |
VOIPfone. Their privacy notice can be found here. | Staff and customer | This will include name and other information provided by the data subject. | This processing is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of legitimate and vital interests. |
Provided to record timesheets and provide non personal data to clients about project progress and deliverables completed. This is used as part of the invoicing information sent to a customer. | Staff and customer | Customer: Name and Phone. Staff: Name, Email address | This processing is necessary for the performance of a contract. |
Provided to record timesheets and provide non personal data to clients about project progress and deliverables completed. This is used as part of the invoicing information sent to a customer. Their privacy notice can be found here. | Staff and customer | Customer. Staff: Name, Email address | This processing is necessary for the performance of a contract. |
Microsoft Office 365. Their privacy notice can be found here. | Customers (including subscribers to our mailing lists), and Staff. | Customers and subscribers: Name, email address and other basic contact details. Staff: HR forms (Payroll and staff HR application forms) | Customer and subscribers: We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: Providing the requested service and/or information to you. Responding to your queries. User registration to access our products and services. Staff: We process personal data to provide HR services including payroll and pensions where third parties are used. |
Contact details
If you have any queries regarding data protection matters, please contact our London office.
Phone: +44 (0) 20 3637 1111
Email: info@kaleidoscopeconsultants.com
Write: Kaleidoscope Consultants, East Side, Kings Cross, London, N1C 4AX
Alternatively, you may prefer to contact one of our other offices. Their details can be found here:
Complaints
If you are unhappy with how we process your personal data, and after you have first made a complaint to us, you can complain to your local supervisory authority. Here is a list of countries linked to the website of the relevant supervisory authority: