Kaleidoscope Data Privacy Consultants
Privacy Notice


  • We are Kaleidoscope Data Privacy Consultants with companies and offices in London, Dublin and Barcelona. We advise our clients on the lawful processing of personal data.

  • This privacy notice tells you what Kaleidoscope may use your personal data for, how we process it, what your rights are and how you can exercise them.

  • We process personal data about various classes of people: clients, suppliers, staff, other people we work with and people who contact us as a part of a service we provide.

  • People have limited rights which they may freely exercise where data that identifies them is processed. We explain what these are, and how and when you can exercise them.

  • We use various third-party data processors to provide cloud-based technologies on which we securely process personal data.

  • We may place some cookies on your device when you visit our website, but only with your consent.

  • You can contact us for more information about how, what and when we process personal data about you and to request access.

  • You can complain to the relevant supervisory authority (SA) if you do not think we have handled your data correctly.

Kaleidoscope Consultants

Kaleidoscope Consultants Limited (KC UK), Kaleidoscope Data Privacy Consultants Limited (KDPC IE) and Kaleidoscope Data Privacy Consultants SL (KDPC ES) are a group of companies which specialise in advising clients in the health and life sciences business sectors on lawful and ethical uses of personal data.

As well as providing advice to our clients, we sometimes act on their behalf as their Data Protection Officer or EEA Representative, two roles required of some organisations by the General Data Protection Regulation. If our client is processing your personal data and you have any questions, requests or concerns, please find our contact details on our EEA Representative page. For data protection supervisory authorities, please go to our supervisory authorities page.

The General Data Protection Regulation is a data privacy law that applies to organisations (and sometimes people) that are established in the European Economic Area (the countries of the European Union plus a number of other countries).

Privacy Notice

The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints.

This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact options provided to ask us. You can translate this page into your local language by using the translate tab at the bottom of this page. 

This privacy notice, however you have arrived at it, applies to the following domains: kaleidoscopeconsultants.com; kaleidoscopeconsultants.co.uk; kaleidoscopeconsultants.info; kaleidoscopeconsultants.uk; kaleidoscopeconsultants.eu; kaleidoscopeconsultants.ie; kaleidoscopeconsultants.hu; kaleidoscopeconsultants.pt; kaleidoscopeconsultants.rs; kaleidoscopeconsultants.bg; kaleidoscopeconsultants.be; kaleidoscopeconsultants.gr; kaleidoscopeconsultants.ru; kaleidoscopeconsultants.cz; kaleidoscopeconsultants.pl; kaleidoscopeconsultants.at; kaleidoscopeconsultants.se; kaleidoscopeconsultants.nl; kaleidoscopeconsultants.it; kaleidoscopeconsultants.de; kaleidoscopeconsultants.fr; kdp.es; kaleidoscoperesourcing.co.uk; kaleidoscoperesourcing.com; kaleidoscopetraining.com; nhsinformationgovernance.com; nhsinformationgovernance.co.uk; nhsinformationgovernance.guru; notts-care-ig.net.

Personal data processed

We process the following personal data for the purposes listed (we are also the Controller of the data processed listed within the Data Processor section below):

Classes of data subject: EU citizens (as designated EEA Representative on behalf of our clients outside of the EEA) – Clinical trials
Purposes of processing: To communicate with the EU citizen and respond to questions, requests and concerns as designated EEA Representative
Categories of data: Names; Email addresses; Telephone numbers
Retention period: To the end of our mandate with client or for those participating in clinical trial 10 years after last contact.
Lawful basis: Legal obligation (Article 27 GDPR)

Classes of data subject: EU citizens (as designated EEA Representative on behalf of our clients outside of the EEA) – Medical technology
Purposes of processing: To communicate with the EU citizen and respond to questions, requests and concerns as designated EEA Representative
Categories of data: Names; Email addresses; Telephone numbers
Retention period: To the end of our mandate with client or for 7 years after last contact.
Lawful basis: Legal obligation (Article 27 GDPR)

Classes of data subject: EU citizens (as appointed outsourced Data Protection Officer (DPO) on behalf of our clients outside of the EEA)
Purposes of processing: To communicate with the EU citizen and respond to questions, requests and concerns as the appointed outsourced DPO
Categories of data: Names; Email addresses; Telephone numbers
Retention period: To the end of contract with client or in accordance with client’s retention periods.
Lawful basis: Legal obligation (Article 38(4) GDPR)

Classes of data subject: UK citizens (as designated UK Representative on behalf of our clients outside of the UK) – Clinical trials
Purposes of processing: To communicate with the UK citizen and respond to questions, requests and concerns as designated UK Representative
Categories of data: Name; Email address; Telephone number
Retention period: To the end of our mandate with client or for those participating in clinical trial 10 years after last contact.
Lawful basis: Legal obligation; GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019

Classes of data subject: UK citizens (as designated UK Representative on behalf of our clients outside of the UK) – Medical technology
Purposes of processing: To communicate with the UK citizen and respond to questions, requests and concerns as designated UK Representative
Categories of data: Name; Email addresses; Telephone number
Retention period: To the end of our mandate with client or for 7 years after last contact.
Lawful basis: Legal obligation; GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019

Classes of data subject: UK citizens (as appointed outsourced Data Protection Officer (DPO) on behalf of our clients outside of the UK)
Purposes of processing: To communicate with the UK citizen and respond to questions, requests and concerns as the appointed outsourced DPO
Categories of data: Names; Email addresses; Telephone numbers
Retention period: To the end of contract with client or in accordance with client’s retention periods.
Lawful basis: Legal obligation; GDPR and Data Protection Act 2018 as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019

Classes of data subject: Clients; Client/staff; Staff of suppliers and organisations associated with client projects
Purposes of processing: Project management; Financial records
Categories of data: Personal data – Names; Work email address; Work telephone numbers
Retention period: 8 years after the last payment
Lawful basis: Contract

Classes of data subject: Suppliers
Purposes of processing: Financial records; Account management
Categories of data: Personal data – Names; Work email address; Work telephone numbers
Retention period: 8 years after the last supply
Lawful basis: Contract

Classes of data subject: Current staff and PAYE workers
Purposes of processing: Benefits; Employment contract; Sickness; Holiday; Pension; Payroll; Emergency contact in case of injury or illness
Categories of data: Personal data – Name; Email address; Telephone number; Address; Date of birth; NI no; Emergency contact details
Retention period: 8 years after leaving
Lawful basis: Legal obligation; Contract with the employee or PAYE worker

Classes of data subject: Past staff
Purposes of processing: Pension; Basic staff record to allow for factual employment verification.
Categories of data: Personal data – Name; Email address; Telephone number; Address; Birthday; NI no
Retention period: We will follow the pension regulator retention schedule
Lawful basis: Legal obligation

Classes of data subject: Recruitment
Purposes of processing: Recruitment and appointment; Prospective employment; Complaints
Categories of data: Personal data – Name; Email address; Telephone number; Address
Retention period: 12 months after successful appointment
Lawful basis: Contract with the employee

Classes of data subject: Associates
Purposes of processing: Provision of professional services through Kaleidoscope to end clients
Categories of data: Personal data – Name; Email address; Telephone number; Address
Retention period: 5 years after last engagement
Lawful basis: Professional services contract

Classes of data subject: Potential clients
Purposes of processing: Marketing of services; Invitations to events
Categories of data: Personal data – Name; Email address; Telephone number; Organisation; Job title
Retention period: 2 years from last contact
Lawful basis: Consent

Classes of data subject: Supervisory authorities and other regulators
Purposes of processing: Requests by the Supervisory Authorities across the EU and UK in relation to data subjects who have contacted the Supervisory Authority or where we have escalated on behalf of a client (EEA Representative, UK Representative and DPO service)
Categories of data: Personal data – Name; Email address; Telephone number; Other related personal data for that case/enquiry
Retention period: To the end of our mandate with client or for those participating in clinical trial 10 years after last contact (EEA/UK Representative). To the end of our mandate with client or for 7 years after last contact – medical technology (EEA/UK Representative). To the end of our contract or in accordance with client’s retention schedules (DPO)
Lawful basis: Legal obligation (Article 27, Article 38(4) GDPR and UK GDPR and Data Protection Act 2018, as amended by Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019)

Data protection rights

The General Data Protection Regulation secures various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Listed below are the rights and an indication of when they apply related to the table above:

Right: Access (GDPR Article 15)
Meaning: You may request a copy of the data held by a controller about you.
Engagement by lawful basis (see above): This is a fairly universal right with minor exemptions for staff disciplinary records and legal opinions.

Right: Rectification (GDPR Article 16)
Meaning: If you think data held by a controller about you is wrong, you may request that it is corrected.
Engagement by lawful basis (see above): This is a fairly universal right with minor exemptions.

Right: Erasure (GDPR Article 17)
Meaning: You can request that your data is deleted by a controller.
Engagement by lawful basis (see above): This is a fairly universal right with minor exemptions.

Right: Restriction (GDPR Article 18)
Meaning: There are circumstances in which a data subject may ask a controller to stop processing their data but in which the controller must otherwise retain the data, for example where required by law.
Engagement by lawful basis (see above): This right is more complex to apply, but that doesn’t mean it would be respected.

Right: Portability (GDPR Article 19)
Meaning: You can ask for a copy of your data in a format that can be readily transferred to an alternative controller.
Engagement by lawful basis (see above): This right is only engaged where your data is processed on the basis of consent.

Right: Objection (GDPR Article 21)
Meaning: You can object to the processing of your personal data when the controller is relying on a legal obligation or public duty for their legal basis, or they are claiming that it is in their legitimate interest, especially direct marketing.
Engagement by lawful basis (see above): Engaged where the lawful basis for processing is GDPR article 6(1)(e) or 6(1)(f).

Right: Automated decisions (GDPR Article 22)
Meaning: Where a computer makes a decision about you without human intervention, for example in an online loan application, you have the right to know how the decision was arrived at.
Engagement by lawful basis (see above): Where automated decision-making takes place without human intervention.

Cookies

Our website is at www.kaleidoscopeconsultants.com. The pages of our Irish and Spanish companies are also hosted here.

Our website has a tool to allow people to choose whether or not to allow cookies to be stored on their computer. A cookie is a small file that websites read when you browse them, and which sometimes tells those websites about you and your preferences.

Our website uses the following cookies:

Cookie name

Purpose

Persistence

civicCookieControl

Is the cookie preference tool used

3 months

google.com

translate.google.com

Supports the Google translation service on every page

gstatic.com

apikeys.civiccomputing.com

Supports the cookie preference tool used

translate.googleapis.com

Supports the Google translation service on every page

Data processors

Below is a list of companies whose services and products we have contracted and who process personal data on our behalf:

Supplier: Combine Studio
Service(s) provided: Internet designer and web host. Sub-processor: Digital Ocean. Privacy policy can be found here.
Classes of data subject: Customers (including subscribers to our mailing lists), and Staff.
Personal data processed: Personal data
  • Get in touch form: name and other contact information.
  • Team page – providing details of our staff – name, photograph and biography.
  • Nottinghamshire Care homes DSPT: User Registration form – name and other contact information.
Purposes for the processing: We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including:
  • Providing the requested service and/or information to you.
  • Responding to your queries.
  • User registration to access our products and services.
  • Transmitting Personal Information between our functions for internal administrative purposes.
For further information about cookies we use click here

Supplier: Mail Chimp
Service(s) provided: Bulk email mailing and list management service. Their privacy notice can be found here.
Classes of data subject: Clients; Potential clients; Past clients
Personal data processed: Personal data – name, email address and other basic contact details.
Purposes for the processing: Personal data is processed to inform clients and potential clients of our services as well as inviting them to events we operate. A client / potential client or past client can opt out at any time.

Supplier: Eventbrite and Zoom
Service(s) provided: Online event management tool (Eventbrite) and presentation/recording system (Zoom). The privacy notice for Eventbrite can be found here and for Zoom here.
Classes of data subject: Event attendees
Personal data processed: Personal data – name, email address and other basic contact details. Special category data – dietary needs; physical needs.
Purposes for the processing: Delegates wanting to attend events we manage register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. A delegate can opt out of an event, including watching an event/presentation, at any time through cancelling their registration.

Supplier: Survey Monkey
Service(s) provided: Online survey tool which is used for evaluation of events, training, services and products provided by us. Their privacy notice can be found here.
Classes of data subject: Customers and delegates that have attended our events, including training.
Personal data processed: Personal data – name, email address and other basic contact details.
Purposes for the processing: Delegates wanting to attend events we manage register and agree to their name and basic contact details (email, phone number) to be used solely for the management of that event. This includes evaluation. A delegate can opt out of an event at any time through cancelling their registration and any evaluation.

Supplier: People HR (People Apps Limited)
Service(s) provided: HR management services software. Their privacy notice can be found here.
Classes of data subject: Staff, Associates and PAYE workers – UK and Ireland
Personal data processed: Personal data – name, DOB, photograph, address, training certificates, NI, nationality, employee ID, payslips, P45, contract, emergency contacts (name and phone numbers).
Purposes for the processing: This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests. For example, the processing of personal data by the employer for the purposes of paying the employee will be necessary for the performance of the employment contract, and the processing of data about absence for the purposes of paying statutory sick pay will be necessary for compliance with a legal obligation. We will also process your special category data because it is necessary for us to process requests for sick pay or maternity pay. This may also include providing details to HMRC.

Supplier: Xero
Service(s) provided: Accounting software. Their privacy notice can be found here.
Classes of data subject: Customers; Suppliers; Staff
Personal data processed: Name of customer, address and banking information.
Purposes for the processing: The lawful basis of this processing is contractual and is for accounting purposes.

Supplier: Accounting & Bookkeeping Bureau
Service(s) provided: Accountancy and payroll services. Their privacy notice can be found here.
Classes of data subject: Staff and PAYE workers
Personal data processed: Name, NI and DOB and contact information.
Purposes for the processing: This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests.

Supplier: Darbys Ltd
Service(s) provided: Accountancy and payroll services. Their privacy notice can be found here.
Classes of data subject: UK staff and PAYE workers
Personal data processed: Name, NI and DOB and contact information.
Purposes for the processing: This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests.

Supplier: NEST
Service(s) provided: Pension provider used for pensions for staff. Their privacy notice can be found here.
Classes of data subject: Staff UK only
Personal data processed: Name, NI and DOB and contact information.
Purposes for the processing: This processing of staff information is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer’s legitimate interests.

Supplier: Transperfect
Service(s) provided: EEA/UK Representative and DPO Service only. Transperfect are used to translate recorded phone calls with the data subject. Their privacy notice can be found here.
Classes of data subject: Data subjects who have contacted us directly or through an existing customer or Supervisory Authority of our EEA/UK Representative and DPO Service.
Personal data processed: Recording of a call with the data subject. This will include name and other information provided by the data subject.
Purposes for the processing: This processing is necessary for the performance of a contract, for compliance with a legal obligation.

Supplier: Language Reach
Service(s) provided: Language Reach are used to provide translation services.
Classes of data subject: No personal data
Personal data processed: Translation service for official and legal documentation.
Purposes for the processing: Outside of privacy legislation scope as no personal data is processed.

Supplier: VOIPfone
Service(s) provided: Recording of voice calls (voicemail box and texting). Their privacy notice can be found here.
Classes of data subject: Staff and customer
Personal data processed: This will include name and other information provided by the data subject.
Purposes for the processing: This processing is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of legitimate and vital interests.

Supplier: Trello
Service(s) provided: Provided to record timesheets and provide non-personal data to clients about project progress and deliverables completed. This is used as part of the invoicing information sent to a customer. Their privacy notice can be found here.
Classes of data subject: Staff and customer
Personal data processed: Customer – name and contact details including email and phone. Staff – name and email address.
Purposes for the processing: This processing is necessary for the performance of a contract.

Supplier: Timecamp
Service(s) provided: Provided to record timesheets and provide non-personal data to clients about project progress and deliverables completed. This is used as part of the invoicing information sent to a customer. Their privacy notice can be found here.
Classes of data subject: Staff and customer
Personal data processed: Customer – name, which is sometimes recorded within the notes section of deliverable(s). Staff – name and email address.
Purposes for the processing: This processing is necessary for the performance of a contract.

Supplier: Microsoft Office 365
Service(s) provided: Provided to store, process and record staff and customers’ details. These are controlled through access control levels and can be reviewed through audit logs. Policies and procedures exist for all staff prior to access. This includes an Acceptable Use Policy as well as other related IG policies and procedures. Their privacy notice can be found here.
Classes of data subject: Customers (including subscribers to our mailing lists), and Staff.
Personal data processed:
  • Customers and subscribers: name, email address and other basic contact details.
  • Staff – HR forms (payroll and staff HR application forms): name, address, DOB, nationality, next of kin / emergency contact details, National Insurance.
Purposes for the processing:
  • Customers and subscribers: We collect and use your personal data because it is necessary to obtain certain details including personal data from you in providing you with the service you have requested and it is in our legitimate interests in the course of our business, including: providing the requested service and/or information to you; responding to your queries; user registration to access our products and services.
  • Staff: We process personal data to provide HR services including payroll and pensions where third parties are used.

Contact details

If you have any queries regarding data protection matters, please contact our London office.

Phone: +44 (0) 20 3637 1111

Email: info@kaleidoscopeconsultants.com

Write: Kaleidoscope Consultants, East Side, Kings Cross, London, N1C 4AX

Alternatively, you may prefer to contact one of our other offices. Their details can be found here:

Complaints

If you are unhappy with how we process your personal data, and after you have first made a complaint to us, you can complain to your local supervisory authority. Here is a list of countries linked to the website of the relevant supervisory authority:
