Data Protection and Privacy Policy
Last updated: 5 August 2024
At Keeble Brown (“we,” “us,” or “our”), we are committed to protecting and respecting your privacy. This Data Privacy and Protection Policy explains how we collect, use, process, share, and protect your personal information in accordance with the applicable data protection laws in the United Kingdom.
Keeble Brown Ltd is a registered data controller. Registration number: Z3330986
1. Information we collect
We collect and process personal data to provide our services and improve your experience with our agency. The types of information we collect may include:
- Personal information such as names, email addresses, and phone numbers.
- Professional information related to your company or organisation.
- Data you provide through our website, contact forms, or via email.
2. How we use your information
We use your personal data for the following purposes:
- To respond to your enquiries and provide the services you request.
- To send you marketing and promotional materials if you have given your consent.
- To improve our website and services based on your feedback.
- To comply with applicable legal and regulatory requirements.
3. Sharing your information
We may share your personal information with trusted third parties, including:
- Service providers who assist us in delivering our services.
- Legal and regulatory authorities when required by law.
4. Data security
We have implemented security measures to protect your personal data. However, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot guarantee its security.
5. Cookies and tracking
We may use cookies and similar tracking technologies to collect information about your interactions with our website. You can manage your cookie preferences by adjusting your browser settings.
6. Your rights
6.1 Under the Data Protection Act 2018 (DPA), which implements the General Data Protection Regulation (GDPR) in the UK, you have certain rights regarding your personal data. These include the right to access, rectify, or delete your data, as well as the right to object to or restrict its processing.
6.2 Data collected under the National Planning Policy Framework 2021 (NPPF)
Where Keeble Brown collects, uses, manages and retains personal information in relation to planning applications and public consultations under the NPPF, we do this on the basis of public task and following the principles of the ICO. These principles can be summarised as:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability
To exercise these rights or make inquiries about your data, please contact us at hello@keeblebrown.com
7. Data Retention
We are committed to retaining your personal data only for as long as it is necessary for the purposes for which it was collected, as well as to comply with legal, regulatory, or business requirements. The specific retention periods may vary depending on the type of data and its intended use.
Our general data retention principles are as follows:
- Personal data collected for marketing and promotional purposes: We retain this data as long as it is relevant and necessary for the purpose for which it was collected. If you choose to withdraw your consent for marketing communications, we will promptly cease such communications.
- Personal data related to the provision of our services: We will retain data necessary to deliver our services and maintain a business relationship. This may include data such as contact information, professional details, and relevant correspondence.
- Financial and tax records: In compliance with tax laws and regulatory requirements, we will retain financial data and tax records for a period specified by law.
- Website Usage Data: Data collected through cookies and tracking technologies may have varying retention periods depending on their specific purposes, which are described in our website Terms and Conditions.
We regularly review our data retention practices to ensure that personal data is not kept for longer than necessary. Once the data is no longer required for its intended purpose, we will either anonymise it or securely delete it.
If you have any questions regarding our data retention practices or wish to request the deletion or modification of your personal data, please contact us using the contact information provided below.
Please note that there may be legal or regulatory requirements that necessitate us retaining certain data for longer periods.
8. Changes to this Policy
We may update this Data Privacy and Protection Policy from time to time to reflect changes in our practices or for legal and regulatory reasons. The date of the latest update will be displayed at the top of this policy.
9. Contact us
If you have any questions, concerns, or requests regarding this Data Privacy and Protection Policy, please contact us at:
Keeble Brown
86-90 Paul Street
London EC2A 4NE
Our commitment to compliance
Here are the steps that Keeble Brown has taken to ensure it complies with the DPA 2018, implementing the GDPR.
Keeble Brown Ltd will:
- Make sure that all people in the company, including those outside of the IT department, appreciate the importance of data protection and compliance with DPA 2018.
- Document the personal data held, where it came from, and who it is shared with. An information audit will be organised when necessary.
- Review current privacy notices and make any necessary changes.
- Check procedures to ensure that the rights of individuals are accommodated, including that individuals can be provided with their personal data in a commonly used format and that deletion of data is possible on request.
- Update procedures so that requests can be handled within the required timescales.
- Identify the lawful basis for processing activity in the GDPR, document it, and update the company’s privacy notice to explain it.
- Review how consent is sought, recorded, and managed. The company will continually assess whether process changes are needed.
- Consider how to verify individuals’ ages and how parental or guardian consent can be obtained for any data processing activity.
- Implement procedures to detect, report, and investigate a personal data breach.
- Understand when to carry out a Data Protection Impact Assessment (DPIA).
- Designate someone to take responsibility for data protection compliance and consider whether a formal Data Protection Officer is required.
- Determine the data protection supervisory authority.
In addition, Keeble Brown’s management has paid particular attention to the significance of:
- Articles 23 and 30 – require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 and 32 – specify requirements for single data breaches: Keeble Brown, as a data controller, must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires Keeble Brown to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
- Articles 33 and 33a – require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Keeble Brown is not required to appoint a Data Protection Officer in accordance with these guidelines. However, we do require all employees to know and understand the GDPR in relation to the data we control.
- Articles 36 and 37 – outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
The directors of Keeble Brown will continue to follow the advice of the ICO on matters of data protection. Changes to the regulations, including the changes arising following the UK’s departure from the European Union, are and will be adopted into Keeble Brown policy.