Data Protection Policy For Kadence International Ltd UK – Market Research Company, United Kingdom
Effective Date: 08 April 2026
Review Date: 01 July 2027
Version No. DPP-UK-V1.0
This Data Protection Policy (the “Policy”) is established to ensure strict compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the guidance issued by the Information Commissioner’s Office (ICO).
--------------------------------------------------------------------------------
1. Introduction and Purpose
Kadence International (“the Company” or "Data Controller") is fully committed to compliance with the requirements of the UK General Data Protection Regulation (UK GDPR) (which came into force on 25th May 2018), and the DPA 2018. The Company is required to maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations.
The purpose of this Policy is to outline how the Company collects, uses, stores, and disposes of personal data, ensuring the lawful, fair, and transparent processing of data.
2. Scope and Application
This Policy applies to all employees, contractors, and workers who handle personal data, whether this relates to their colleagues, clients, or anyone else. It covers all personal data processed in the course of market research activities.
The Policy covers data about current, past, and prospective employees; clients and customers; suppliers and other organizations with which the Company has dealings. Personal data may consist of data kept on paper, computer, or other electronic media, all of which is protected under the UK GDPR.
A copy of this Policy will also be given to any third parties to whom the Company outsources any data processing or storage.
3. Key Definitions
The following terms are defined in line with the UK GDPR and DPA 2018:
- Personal Data: Any information relating to a living individual who can be identified from that data. This includes an expression of opinion about the individual.
- Special Categories of Personal Data (Sensitive Personal Data): Personal data concerning racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data, biometric data, or criminal proceedings/convictions.
- Data Subject: The individual whose personal data is processed.
- Data Controller: The organization (The Company) that determines the purposes and means of processing personal data.
- Processing: Any operation performed on personal data, such as collection, recording, organisation, storage, use, disclosure, or erasure.
- ICO: The Information Commissioner’s Office, the UK supervisory authority for data protection.
4. The Seven Data Protection Principles
The Company adheres to the seven principles of the GDPR:
- Lawfulness, Fairness, and Transparency: Personal Data must be processed lawfully (in accordance with UK GDPR rules), fairly, and transparently. Any information passed to the individual about processing their data must be disclosed clearly and thoroughly.
- Purpose Limitation: Data shall be collected for specified, explicit, and legitimate purposes and must not be further processed incompatibly with such purposes.
- Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary. Excessive or irrelevant data collection is prohibited.
- Accuracy: Personal data must be up to date, and reasonable steps must be taken to ensure inaccurate data is rectified or erased without delay.
- Storage Limitation: Data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purpose for which the personal data is processed.
- Integrity and Confidentiality (Security): Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: The Company (Data Controller) is responsible for, and must be able to prove compliance with, the other six principles.
5. Legal Basis for Processing
The Company processes personal data only where a lawful basis exists under Article 6 of the UK GDPR:
- Consent: Processing is undertaken when explicit, freely given, specific, informed, and unambiguous consent is obtained. This is the primary basis for survey participation.
- Explicit Consent for Special Categories: Express consent must be obtained for processing Special Category Data (Sensitive Data), such as health, race, or gender information.
- Contractual Necessity: Processing is necessary for the performance of a contract with the data subject (e.g., administering payroll, benefits, or paying incentives).
- Legitimate Interests: Processing is necessary for the legitimate interests of the Company, provided these interests are not overridden by the fundamental rights of the data subject.
- Legal Obligation: Processing is necessary to comply with a legal or regulatory obligation.
6. Rights of Data Subjects
The Company upholds the following rights of Data Subjects:
- The Right to be Informed: Provided primarily through our Privacy Notice.
- The Right of Access: Data subjects can request a copy of the personal data held about them.
- The Right to Rectification: Data subjects can have inaccurate personal data corrected or rectified.
- The Right to Erasure ("Right to be Forgotten"): Data subjects can request the deletion or destruction of their personal data under certain circumstances (e.g., data is no longer necessary for the purpose it was collected).
- The Right to Restrict Processing: Data subjects can request a temporary halt to processing under certain conditions.
- The Right to Data Portability: Data subjects can receive their personal data in a structured, commonly used, and machine-readable format.
- The Right to Object: Data subjects can object to processing based on legitimate interests or direct marketing.
- Rights related to Automated Decision Making and Profiling: Kadence International will ensure robust procedures are in place if purely automated decision-making is used.
Requests to exercise these rights should be made in writing to the Data Protection Officer (DPO). The Company aims to comply with requests as quickly as possible, ensuring they are provided within 30 days of receipt of a written request.
7. Data Security and Safeguards
In line with the principles of Integrity and Confidentiality, the Company implements appropriate technical and organisational security measures:
- Access controls and authentication: Data access is restricted on a "need-to-know" basis. Strong passwords and multi-factor authentication are mandatory.
- Encryption: Personal data stored on Company devices or transmitted over networks will be encrypted using industry-standard protocols, applying encryption to sensitive data at rest and in transit.
- Pseudonymisation/Anonymisation: Research data will be anonymised or pseudonymised wherever possible before being used in analysis or reports.
- Physical Security: Paper files and records containing personal data are kept in a secure environment. Access to physical storage and server rooms is restricted.
- Device Protection: Data retained on laptops, smartphones, and any other electronic equipment removed from offices must be password protected.
- Staff Responsibility: Any employee who discovers data in an inappropriate place (e.g., sent to the wrong printer) should immediately pass this to the HR Manager or DPO, ensuring contents are not revealed to anyone else.
8. Data Sharing and International Transfers
Data sharing is carried out under a written agreement which sets out the scope and limits of the sharing.
- Third-Party Processors: Where third parties act as Data Processors (e.g., cloud providers, panel suppliers), a formal written contract (Data Processing Agreement or DPA) is required to ensure they meet UK GDPR standards and security measures.
- Cross-Border Transfer: Personal information must under no circumstances be sent outside of the UK without the prior permission of the Data Protection Officer. Transfers outside the UK/EEA occur only if the Company ensures the recipient is bound by legally enforceable obligations (such as Standard Contractual Clauses) to protect the data to a standard comparable to that under the UK GDPR.
9. Data Retention and Disposal
Personal Data shall not be kept for longer than required operationally or legally.
- Retention: We retain your information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law (e.g., legal, accounting, or reporting requirements).
  - Identifiable participant data: Typically retained for 12 to 24 months, after which it is securely deleted or anonymised.
  - Aggregated, anonymised research data: May be retained indefinitely for trend analysis.
- Disposal: Documents containing any personal information will be disposed of securely. Paper copies will be shredded, and information stored on obsolete electronic equipment will be erased prior to disposal.
10. Data Breach Management
The Company adheres to the requirements for breach notification set out by the ICO.
- Reporting: All employees must immediately report any suspected breach to the DPO.
- ICO Notification: If the breach is likely to result in a risk to the rights and freedoms of individuals, the DPO will report the breach to the ICO no later than 72 hours after becoming aware of it.
- Data Subject Notification: If the breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will inform the affected Data Subjects without undue delay.
11. Governance and Contact Information
- Data Protection Officer (DPO): The Company has someone with specific responsibility for data protection (the designated Data Controller/DPO). The DPO is responsible for overseeing compliance.
- Training and Compliance: All staff managing and handling personal information must be appropriately trained and supervised. The DPO ensures that methods of handling personal information are regularly assessed and evaluated.
- Policy Review: This Policy will be reviewed at least annually or immediately following significant changes in legislation or business practices.
- Non-Compliance: Any breach of this Policy will be taken seriously and may result in formal disciplinary action, up to and including termination of employment.
Contact Information: For questions or concerns regarding this policy, access requests, or withdrawal of consent, please contact the Data Protection Officer:
Data Protection Officer:
Karl Wagner
Kadence International Ltd
2 Valentine Place, London, SE1 8QH
12. Approval and Implementation
Document Approval and Review Log

| Review/Approval Date | Version no. | Approved By | Job Title |
|---|---|---|---|
| 08/04/2026 | DPP-UK-V1.0 | Cindi Collett | Managing Director UK |
--------------------------------------------------------------------------------
This Policy is effective as of 08/04/2026 and is subject to change as required by law or business needs.