This Privacy / Data and Cyber Security Policy details how Kojima Ltd uses and protects any data and/or information that you, as our customer, provide to us as part of any of our services. The rationale of having this policy is to protect and respect the data provided to us by our customers.
As an Island-based business, we recognise the importance of personal privacy and are experienced in working in close-knit communities and in partnership with our customers to ensure that personal privacy is protected. Should customers provide data and/or information by which an individual can be identified when using our services we will only use it in accordance with this policy. Our rules and procedures governing personal data are subject to the laws of Jersey and, in this instance, the Data Protection (Jersey) Law 2018 and associated regulations and orders and any successor law to the Data Protection (Jersey) Law 2018 (together the ‘Data Protection Law’). We are registered as a holder of personal data in relation to our customers and contacts under the Data Protection Law.
Our ‘digital by default’ philosophy also means that we are committed to ensuring that your information is secure from cyber threats. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect, process and store.
Kojima Ltd may update this policy from time to time, and will always provide the latest version on our website.
Any individual who is the subject of personal data is the data subject; this can include your employees, contractors, agency workers and other personnel depending on the services provided by us, and the scope of work as agreed within the schedule of our contract. You are the data controller and we are the data processor based on the arrangements set out in the contract we have with you. In the context of the Data Protection Law, we are the data processor. However, there may be other circumstances where we are the data controller.
We process personal data to provide services to our customers, which vary depending on the particular agreed services detailed within the contract between us and our customer.
General consulting services and survey subscription
For our general consulting services and survey subscription, the personal data and/or information we collect and hold includes customer contact details, that is, the primary contact’s name, job title, email address and telephone number as well as those for any other key personnel authorised by our customers to work directly with us. We also hold the name and address of the customer organisation.
The primary purpose of collecting and holding this data is for internal record keeping as well as the efficient delivery of services. We may, from time to time, use this data to contact our customers to inform them of other market research initiatives, or other information which we think customers may find interesting using the telephone and email address provided. Customers may unsubscribe from the email listing at any time.
Analytical consulting and survey analysis
For any data analytics involved in our consulting services and/or the survey data analysis we only collect data, employee data and information that is necessary for the purposes of analysing trends and aggregated data measures. This may include some or all of the following:
We may hold a limited amount of sensitive personal data such as ethnicity where available.
We do not collect employee names directly, however, we may be made aware of name(s) of particular post holder(s) indirectly through discussions with customers, or due to there being a limited number of posts within certain organisations.
Data and/or information will only be used for the purpose for which it is collected. We do not share personal data in its raw format with any third party except to subcontractors we may be using to deliver services to you. Any sub-contractors are contractually bound to the same duty of care. We will not distribute any personal data to third parties unless we have your direct permission or are required by law to do so.
For further information on uploading content to our site, please see our Terms of Website Use.
All the personal data is stored on a secure cloud-based system. We confirm that we have entered into a formal agreement with a provider of the cloud-based system that ensures the provision of the necessary security measures in compliance with the Data Protection Law. As between you and us, we shall remain fully liable for all acts or omissions of any third-party processor appointed by us.
The duration that we hold the data you provide us will depend on the services we are providing and will only be for as long as required to provide that service.
Any data provided under a specific consultancy project will generally be held for 24 months, to enable our customers to access this data for audit purposes.
Data provided for our survey analysis / benchmarking services may be held for longer, up to ten years, to enable the analysis of historical trends on aggregated data sets.
You are responsible for ensuring that the data you provide to us is accurate, and to the extent that it is necessary that it is maintained so it remains accurate. We are responsible for ensuring that we update our records in order that we only process the most up to date data except where we have maintained historical records for statistical analysis purposes.
Access to our systems hosting personal data utilises 2-step verification, and is authorised by the system administrator. On the rare occasion data is to be processed away from the cloud, the system administrator will ensure adequate security measures are put in place.
To help prevent malware, the email system used by Kojima automatically scans every attachment for viruses across multiple engines prior to a user downloading it. It also checks for viruses in attachments queued for dispatch. This helps to protect everyone who uses email and prevents the spread of viruses.
The cloud-based system that hosts the personal information collected by Kojima offers data encryption and continuous system monitoring and alerts to suspicious device activity. The administrator has the ability to block access from lost or stolen mobile devices.
Customers can request any Personal Data relevant to them that we hold, which we do not have a legitimate reason to retain, to be erased or may request that any inaccuracies in the data we hold are corrected by contacting Kojima in writing. It may not be possible to comply with this request if there is an ongoing legal basis to retain such Personal Data. The most common legal basis would be the retention of records to meet local regulations or our insurers’ requirements, or where we have a specific policy requirement to retain records for a minimum of 10 years. Should a request be agreed to, then it will be completed within one month.
You can opt out of receiving any communication from Kojima by notifying us in writing.
Customers who have any concern over the handling of their Personal Data can contact Kojima by e-mailing firstname.lastname@example.org.
We will respond within 1 month to the extent required and subject to compliance with our obligations under the Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. This would be extended if there was a delay in Kojima receiving information relating to the request.
You have a right to bring a complaint to Jersey’s Information Commissioner in relation to the processing of your Personal Data.
Our main website may contain links to other websites of interest. However, once customers leave our site we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information provided to that site and such sites are not governed by this privacy statement. Customers should exercise caution and look at the privacy statement applicable to the website in question.
This policy will be kept under review and we may, at any time, revise this Policy or replace it. This policy was written in May 2018 and updated in October 2018.