Purpose
Kickass Online Ltd ('KO') is committed to protecting the personal data of its employees, clients, suppliers, and other individuals. This policy sets out how KO complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), which supplements it.
Data Protection Principles
KO processes all personal data in accordance with the following UK GDPR principles:
- Lawfulness, fairness, and transparency
- Purpose limitation — collected for specified, explicit, legitimate purposes only
- Data minimisation — adequate, relevant, and limited to what is necessary
- Accuracy — kept up to date
- Storage limitation — not kept longer than necessary
- Integrity and confidentiality — appropriate security
- Accountability — KO can demonstrate compliance
Lawful Basis for Processing
KO will identify and document an appropriate lawful basis (UK GDPR Art.6) for each category of processing before that processing begins. For employee data, the most common bases are: performance of a contract (e.g. payroll); legal obligation (e.g. right-to-work checks); and legitimate interests (e.g. network security monitoring), which KO will support with a recorded legitimate interests assessment balancing its interests against those of the individuals concerned.
Special Category Data
Processing of special category data (including health data, racial or ethnic origin, and trade union membership) requires, in addition to an Art.6 lawful basis, a separate condition under UK GDPR Art.9, most commonly explicit consent or the employment, social security and social protection law condition (Art.9(2)(b)), which under DPA 2018 Schedule 1 also requires KO to hold an appropriate policy document. Such data will be processed with heightened security measures.
Data Retention
Personal data will be retained only for as long as necessary for the purpose for which it was collected, and in compliance with legal obligations. Indicative retention periods:
- Employee personnel files: duration of employment plus 6 years
- Payroll records: 6 years (Taxes Management Act 1970)
- Recruitment records (unsuccessful applicants): 12 months
- CCTV footage: 30 days unless required for an incident
- Accident records: 3 years from the date the record is made (RIDDOR); where the person injured is a child, until that child's 21st birthday
Data Subject Rights
Individuals have the following rights under UK GDPR, which KO will fulfil within the statutory timeframes (generally 1 month from receipt of the request, extendable by up to two further months where requests are complex or numerous, in which case the individual will be told of the extension within the first month): Right of access; Rectification; Erasure ('right to be forgotten'); Restriction of processing; Data portability; Objection to processing; and rights related to automated decision-making. Requests will be accepted through any channel, and staff who receive one must pass it to the Data Protection Lead without delay so the clock is not missed.
Data Breach Notification
- In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, KO will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if notification is made later than 72 hours, the reasons for the delay will be given.
- Where the breach is likely to result in a high risk to individuals, affected individuals will also be notified without undue delay.
- All breaches (whether notifiable or not) will be recorded in an internal breach register, including the facts of the breach, its effects, and the remedial action taken, so that KO can demonstrate compliance with Art.33(5).
Supervisory Authority
The UK supervisory authority for data protection matters is the Information Commissioner's Office (ICO). Individuals who believe their data protection rights have not been respected may raise a complaint with the ICO at ico.org.uk.
Data Protection Lead
KO has appointed a Data Protection Lead: Panagiotis Zmpigknief Zavatzki (pazbi@kickassonline.com).
Note: as KO does not currently meet the UK GDPR criteria for a mandatory Data Protection Officer (Art.37), this role is a voluntary lead position.
Policy Review
This policy will be reviewed annually or when legislation changes.
Last reviewed: May 2026.
