Kadence International is fully committed to compliance with the requirements of any applicable laws, rules, or regulations concerning the protection of personal data (hereinafter referred to as Applicable Laws), including the European Union General Data Protection Regulation 2018 (GDPR), California Consumer Privacy Act 2020 (CCPA), and Personal Data Protection Act 2012 (PDPA).
We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognize the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our organization and to ensure efficient and successful outcomes when using this data.
The types of personal data that we may process include information about current, past, and prospective employees, clients, customers, suppliers, and other organizations with which we have dealings.
Personal data may consist of data kept on paper, computer, or other electronic media, all of which are protected under the laws and regulations of each jurisdiction.
<1> Scope of this Policy
This policy applies to all employees and workers who handle personal data, whether this relates to their colleagues, clients, or anyone else. A copy will also be given to any third parties to whom we outsource any data processing or storage.
<2> Principles
We endorse and adhere to the seven principles of personal data protection, which are summarized as follows:
1. Legality, Transparency and Fairness
・Legality – Any Personal Data must be processed in accordance with the rules and guidelines of the Applicable Laws of each country.
・Transparency – Any kind of information that an organization passes to the individual about the way it processes their data, must be disclosed clearly and thoroughly.
・Fairness – Data subjects have:
i. The right to be informed.
ii. The right of access.
iii. The right to rectification.
iv. The right to erasure.
v. The right to restrict processing.
vi. The right to data portability.
vii. The right to object.
viii. Rights in relation to automated decision-making and profiling.
2. Purpose Limitation.
Personal data should be collected for specified legitimate and explicit purposes and must not be further processed in a way that is incompatible with such purposes.
3. Minimization
Personal data must be relevant, adequate, and limited to what is necessary in relation to the purposes for which the data is processed.
4. Accuracy
Personal data must always be up to date, and actions should be taken to avoid storing old or redundant data.
5. Storage Limitation
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed.
6. Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical, or organizational measures.
7. Accountability
・Both the data controller and the data processor have responsibility for, and must be able to prove compliance with all Principles.
・Many Applicable Laws require businesses to show how they comply with the principles.
・Supervisory authorities can audit businesses to check compliance with the accountability principle.
These principles apply to obtaining, handling, processing, transportation, and storage of personal data.
Our employees and agents who obtain, handle, process, transport, and store personal data for us must adhere to these principles at all times.
<3> Types of data
Personal data is defined as data relating to a living individual who can be identified from that data; or from that data and other information that is in the possession of or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.
Personal data we collect includes, but is not limited to, the categories listed below:
・From people we contact regarding our surveys conducted online, in person, by telephone, email, or postal mail.
・From visitors to our websites and people who contact us via our websites, via email, or other means.
・From our employees, contractors, and business contacts at other companies in the course of conducting our business.
・From current and prospective clients.
Sensitive personal data is defined as personal data consisting of information regarding an individual’s racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, or criminal proceedings or convictions.
We comply with Applicable Laws regarding the collection of data about children. When we collect personal data from children, we do so with parental consent, which can be withdrawn at any time.
<4> Handling of personal/sensitive information
We collect your personal data because it helps us deliver a superior level of customer service. It enables us to give a truer picture of the research that goes to our clients.
We will, through appropriate management and the use of strict criteria and controls:
– observe fully the conditions concerning the fair collection and use of personal data
– specify the purpose for which information is used
– collect and process information only to the extent that it is needed to fulfill operational needs or legal requirements
– endeavor always to ensure the quality of information used
– not keep information for longer than required operationally or legally
– always endeavor to safeguard personal data by physical and technical means (i.e., keeping paper files and other records or documents containing personal/sensitive data in a secure environment; protecting personal data held on computers and computer systems by the use of secure passwords, which where possible, are changed periodically and ensuring that individual passwords are not easily compromised)
– ensure that personal data is not transferred abroad without suitable safeguards
– ensure that the lawful rights of people about whom the information is held can be fully exercised
And, in some cases, we may base the processing of personal data on our legitimate interest in performing research or other services because of its benefits in improving the efficiency of our clients and the markets in which they operate.
Where we rely on this basis for processing, we ensure our activity is appropriately balanced by strong privacy protections designed to minimize the risks to data subjects.
In addition, we will ensure that:
– there is someone with specific responsibility for data protection in the organization
– all staff managing and handling personal data understand that they are contractually responsible for following good data protection practice
– all staff managing and handling personal data are appropriately trained to do so
– all staff managing and handling personal data are appropriately supervised
– a clear procedure is in place for anyone wanting to make inquiries about handling personal data, whether a member of staff or a member of the public and such inquiries are promptly and courteously dealt with
– methods of handling personal data are regularly assessed and evaluated
– data sharing is carried out under a written agreement, setting out the scope and limits of the sharing
– any disclosure of personal data will be in compliance with approved procedures
Note that, by law, we have to provide employee liability information to any organization that our employees are transferring to, in line with the relevant laws and regulations.
<5> Access to personal data
All individuals who are the subject of personal data held by us are entitled to:
– ask what information we hold about them and why
– ask how to gain access to it
– be informed how to keep it up to date
– have inaccurate personal data corrected or removed
– prevent us from processing information or request that it is stopped if the processing of such data is likely to cause substantial, unwarranted damage or distress to the individual or anyone else
– require us to ensure that no decision that significantly affects an individual is solely based on an automated process for the purposes of evaluating matters relating to them, such as conduct or performance
– be informed what we are doing to comply with our obligations under any Applicable Laws
This right is subject to certain exemptions which are set out in some laws. Any person who wishes to exercise this right should make the request in writing to our officer appointed as the person responsible for managing personal data (hereinafter referred to as Designated Officer).
If personal details are inaccurate, they will be amended upon request. If by providing this information we would have to disclose information relating to or identifying a third party, we will only do so provided the third party gives consent, otherwise, we may edit the data to remove the identity of the third party.
Personal data will only be released to the individual to whom it relates. The disclosure of such information to anyone else without their consent may be a criminal offense. Any employee who is in doubt regarding a subject access request should check with their Designated Officer. Information must under no circumstances be sent outside of the country where the information was obtained without the prior permission of our Designated Officer. We aim to comply with requests for access to personal data as quickly as possible but will ensure that it is provided within 30 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
<6> Employee responsibilities
All employees must ensure that, in carrying out their duties, we are able to comply with its obligations under any Applicable Laws. In addition, each employee is responsible for:
– checking that any personal data that they provide to us is accurate and up to date
– informing us of any changes to information previously provided, e.g., change of address.
– checking any information that we may send out from time to time, giving details of the information that is being kept and processed
– if, as part of their responsibilities, employees collect information about other people or about other employees they must comply with this policy. This includes ensuring the information is processed in accordance with each Applicable Law, is only processed for the purposes for which it is held, is kept secure, and is not kept any longer than is necessary.
<7> More Information
For more information about what kind of data we collect, and how we use or handle personal data as well as contact points for questions, please refer to the following links:
・UK
Data Protection Policy https://kadence.com/policy/data-protection-policy-uk/
Customer Privacy Policy https://kadence.com/policy/customer-privacy-policy-uk/
・Japan
Protection of Personal Information/Handling of Personal Information https://www.cross-m.co.jp/en/policy.html