GDPR Privacy Policy


At KCHR I am committed to protecting and respecting your privacy. This Policy explains when and why I collect and process personal information about those who enquire about my services how I use it; the conditions under which I may disclose it to others and how I keep it secure. I may change this Policy from time to time so please check this periodically to ensure that you understand any changes. Any questions regarding this Policy should be sent by email to or by telephone 07912 946 574.


KCHR Isle of Wight Ltd is led by Kathy Chillistone MCIPD, the Owner-Director. Kathy provides advice to employers and employees across the broad area of Human Resources. The Company No. is 12113150 and the registered address is 47 Bellevue Road, Cowes Isle of Wight PO31 7HJ.


I will comply with data protection law. This says that the personal information I hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that I have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes I have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes I have told you about.
  6. Kept securely.


Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data which require a higher level of protection.

I will collect, store, and use the following categories of personal information about you, your business, your Employees, Workers, Directors, Trustees, Partners, Volunteer, Contractors and Self-Employed persons:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Date of birth.
  • Marital status and dependents.
  • Salary, annual leave, pension and benefits information.
  • Start date.
  • Location of employment or workplace.
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
  • Employment records (including job titles, work history, working hours, training records and professional memberships).
  • Compensation history.
  • Performance information.
  • Disciplinary and grievance information.
  • Grievances and grievance information.
  • Disciplinary and disciplinary information.
  • Termination information.
  • Pension information.
  • Maternity, paternity, adoption and other type of family leave information.
  • Employment Tribunal information.
  • Correspondence with your Employer, their representative, with Employees, Workers, Directors, Trustees, Partners, Volunteer, Trade Union, Employment Tribunal, Contractors and Self-Employed persons

I may also collect, store and use the following “special categories” of more sensitive personal information:

  • Trade union membership.
  • Information about your health, including any medical condition, health and sickness records.
  • Information about criminal convictions and offences.
  • Information about disability.


  • I collect personal information either directly from you or from Employees, Workers, Directors, Trustees, Partners, Volunteer, Contractors and Self-Employed persons directly.
  • I may also collect information from your witnesses or contacts where directed by you.
  • I will collect additional personal information while providing advice and assistance.


I will only use your personal information when the law allows me to. Most commonly, I will use your personal information or the personal information of Employees, Workers, Directors, Trustees, Partners, Volunteers, Contractors and Self-Employed persons in the following circumstances:

  1. Where I need to perform the contract, I have entered with you.
  2. Where I need to comply with a legal obligation.
  3. Where it is necessary for my legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

I may also use your personal information in the following situations, which are likely to be rare:

  1. Where I need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest.

In most cases I will use the personal information listed above to provide you with advice and assistance and therefore the primary reason for using the information is to perform my contract with you. I may also use your data to

  • Send you updates via my newsletter and blog;
  • Process orders that you have submitted through my website;
  • Carry out my obligations arising from any contracts entered into;
  • Notify you of changes to my services;
  • Send you communications which you have requested and that may be of interest to you. These may include fact sheets or guides relating to your enquiry which you have requested.
  • Manage and administer classroom and online training courses.

Change of purpose

I will only use your personal information for the purposes for which I collected it, unless I reasonably consider that I need to use it for another reason and that reason is compatible with the original purpose. Please note that I may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


“Special categories” of particularly sensitive personal information require higher levels of protection. I need to have further justification for collecting, storing and using this type of personal information. I may process special categories of personal information in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where I need to carry out my legal obligations and in line with my Data Protection Policy.
  3. Where it is needed in the public interest, such as for equal opportunities monitoring and in line with my Data Protection Policy.
  4. Where it is needed as part of your case or to provide advice and assistance about an employee, worker, self-employed person or other in your business or organisation. 
  5. Less commonly, I may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.


I will not share your data with third parties unless I have obtained your permission in advance or I are required to disclose or share information by law, because of a regulatory requirement or to my insurer.

I require third parties to respect the security of your data and to treat it in accordance with the law.

Why might I share your personal information with third parties?

  • I will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where I have another legitimate interest in doing so.
  • I may transfer your personal information to a third party as part of a sale of some or all our business and assets to any third party or as part of any business restructuring or reorganisation.


I have put in place measures to protect the security of your information. Details of these measures are available upon request via / 07912 946 574. I have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.


  • I will only retain data for as long as necessary to fulfil the purposes I collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, I consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which I process your personal data and whether I can achieve those purposes through other means, and the applicable legal requirements.
  • In some circumstances I may anonymise your personal information so that it can no longer be associated with you, in which case I may use such information without further notice to you. Once you are no longer a client I will retain and securely destroy your personal information in accordance with applicable laws and regulations and our data retention policy.
  • I will review our retention periods for personal information on a regular basis. I are legally required to hold some types of information to fulfil my statutory obligations. I will hold your personal information on my systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with me.
  • Client data and associated data about Employees, Workers, Directors, Trustees, Partners, Volunteer, Contractors and Self-Employed persons: Will be retained for 7 years after the closure of your file. All paper documents are scanned, and these will be stored electronically on the cloud. Once I have scanned the file the documents will be destroyed.
  • Data about Employees, Workers, Directors, Trustees, Partners, Volunteer, Contractors and Self-Employed persons will be reviewed every 6 months to ascertain if it can be returned to you or if it can be destroyed at an earlier date.
  • Prospective client data or enquiries: if no file is opened it will be destroyed after 12 months.


If you purchase an online product from me, your card information is not held by us, it is collected by my third-party payment processors, PayPal, who specialise in the secure online capture and processing of credit/debit card transactions. For more information about PayPal’s policy you can find the details here:


Cookies are small files which are stored on your computer when you browse the internet. They enable me to understand how my website is being used and help me to improve the way my website works, ensuring the best content to you.

How do I use Cookies?

  • My website requires the use of cookies to function correctly and provide convenient access to the best content.
  • I do not use the data from cookies for marketing purposes and do not allow advertising from third parties on my website which the data from cookies can often be used for.
  • Although I do not have any intention of using the data from Cookies at this time it is possible that I could do so in the future. If this happens I will update this policy and my Cookies notice accordingly.

Access to your information

  • You have various rights in respect of your personal information under data protection law. At any time, you may request access to any information that I hold about you.
  • Under data protection laws you have a legal right to ask to see a copy of the personal information that I hold about you, known as a subject access request.
  • If you would like to make a subject access request, please contact me by email


  • If I provide you with advice over the telephone or by email I will retain details of our discussions and advice for up to 6 months. The reason for holding it for this period is in case you come back to me for advice in the future or if you have any queries or questions about the information or advice I have given you.
  • After 6 months all data will be destroyed securely.


When I enter into a contract for service with new clients, I will collect personal data about you and other people involved. I need this information to enter into a contract with you and to provide you with advice.

As a client if you provide me with personal data about any other individuals, this is kept strictly confidential. It is the responsibility of the client to ensure that personal data about others is accurate.


It is important that the personal information I hold about you is accurate and current whilst I am assisting you. Please keep me informed if your personal information changes during your working relationship with me. Your rights in connection with personal information under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information I hold about you and to check that I am lawfully processing it.
  • Request correction of the personal information that I hold about you. This enables you to have any incomplete or inaccurate information I hold about you corrected.
  • Request erasure of your personal information. This enables you to ask me to delete or remove personal information where there is no good reason for me to continue to process it. You also have the right to ask me to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information where I are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where I am processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask me to suspend the processing of personal information about you, for example if you want me to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that I transfer a copy of your personal information to another party, please contact me in writing via

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, I may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, I may refuse to comply with the request in such circumstances.

What I may need from you

I may need to request specific information from you to help me confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.


In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact me at Once I have received notification that you have withdrawn your consent, I will no longer process your information for the purpose or purposes you originally agreed to, unless I have another legitimate basis for doing so in law.


I, Kathy Chillistone, am the appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how I handle your personal information, please contact me via You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.


I reserve the right to update this privacy notice at any time, and I will provide you with a new privacy notice when I make any substantial updates. I may also notify you in other ways from time to time about the processing of your personal information.


I will not contact you for marketing purposes by post, email, phone or text message unless you have given your prior consent. You can change your marketing preferences at any time by contacting me via email or by calling 07912 946 574.


My use of personal data and relevant policy will be reviewed regularly to ensure compliance. This policy was last updated on 1st July 2020. When changes are made to this policy, I will publish the changed policy on my website with details of the changes.