Did we use a word or phrase in our privacy policy that you didn’t understand but isn’t defined here? Sorry about that. Please do let us know and we’ll either reword the sentence or add a definition.
Our privacy policy uses some data protection-related words and phrases that you might not be familiar with, so we’ve defined them here for quick reference:
Consent (as it relates to data protection): this is one lawful basis that companies may use for processing your personal data. It means you have explicitly opted-in (e.g. by ticking a box) to this specific type of processing and you must have done so freely. If you change your mind later, you can withdraw your consent at any time. The ICO has a more complete definition of consent.
Contract (as it relates to data protection): this is one lawful basis that companies may use for processing your personal data. It means that the company needs to process your data to fulfil their contractual obligations to you or because you asked them to do something before potentially entering into a contract. Before you join our service, we tell you about all the things we would do for you if you did so. This promise that we make to you creates a contractual obligation. The ICO has a more complete definition of contract.
CRM (or ‘Customer Relationship Management’ software): a database where we store data about our customers. We use CRM to manage our relationships with our customers securely and smoothly.
Data controller: a company who determines the purposes and means of processing personal data. Key is a data controller.
Data processor: a company who is responsible for processing personal data on behalf of a controller. We have published a list of our data processors.
General Data Protection Regulation (or GDPR for short): a law that governs data protection and privacy for all individuals in the European Union. It came into force on 25th May 2018. You can read it online (it might take a while, mind you…).
The Information Commissioner’s Office (ICO): an independent body that was formed to uphold information rights and promote data privacy in the UK. They are responsible for enforcing the GDPR in this country and our privacy policy was created in line with their guidance.
Key: when we say ‘Key’, ‘we’ or ‘us’, we are referring to KPPES Ltd (SC349485), Key Payment Services (SC540979) and Key Payroll Ltd (SC432987). This is a joint privacy policy for all three companies.
Lawful basis: companies must have a valid lawful basis to process personal data. There are six lawful bases that can be used, and businesses choose the most appropriate one for each situation. If no lawful basis applies, the processing cannot take place. The ICO explains this in more detail.
Legal obligation: this is one lawful basis that companies may use for processing your personal data. It means that the company has an obligation to carry out the processing because there is a specific legal provision or source of guidance that tells them they must do so. The ICO has a more complete definition of legal obligation.
Legitimate interests: this is one lawful basis that companies may use for processing your personal data. It can be used when the organisation believes that the processing is in either their own or someone else’s best interests, but only if the individual would reasonably expect their data to be used in this way and it has a minimal privacy impact on them. The organisation takes on extra responsibility for considering and protecting the individual’s rights and interests and must be able to demonstrate that they’ve done so. You have the right to object to any processing that is based on legitimate interests. The ICO has a more complete definition of legitimate interests.
Personal data: basically, it’s any information about you that could identify you, either directly or indirectly. It includes everything from your name and email address to the cookies that are placed on your device when you visit a website.
Privacy and Electronic Communications Act (or PECR for short): a law that gives people specific privacy rights in relation to electronic communications, like marketing emails and cookies. These rights are in addition to the rights that the GDPR provides. It is enforced by the ICO.
Processing data: this covers anything that a business does with an individual’s data. Broadly, it means collecting, using, disclosing, retaining or disposing of their personal data.
Public task: this is one lawful basis that companies may use for processing your personal data. It applies only when they exercise official authority or they’re acting in the public interest and as such, we don’t rely on this particular lawful basis for any of our data processing. The ICO has a more complete definition of public task.
Special categories of personal data: this is data that the GDPR considers to be more sensitive than other types of data and so needs to be better protected. This includes information about your health, sexual orientation, religion and trade union membership. The ICO explains in more detail on their website.
Vital interests: this is one lawful basis that companies may use for processing your personal data. It applies only when they need to protect someone’s life. The ICO has a more complete definition of vital interests.