top of page

MAIKAI  GDPR  POLICY 

Outline 

 

This policy has been produced to support Maikai in assuring GDPR is adhered to at every level of the organisation. Additionally, this policy will outline the roles and responsibilities of Maikai employees when it comes to GDPR compliance. 

​

Aim 

 

The aim of the Policy is as follows: 

 

Outline the Maikai method of informing consumers of what will be done with their data. 

 

Detail consumer rights regarding their data.  

​

Detail the method for gaining consent from consumers. 

​

Ensure GDPR policy is understood at all levels of the Maikai organisation.  

​​​​

​

1. Understanding GDPR:

 

This section aims to provide an overview of GDPR policy and what it protects.  

​

a. Summary: GDPR is a set of policies that are designed to protect the privacy of individuals in the EU and EEA by giving them control over their personal data and how it is used by the companies that have access to it. The key principles of GDPR are below: 

​

Transparency – Organisations must be clear about how they collect and use personal data.   

​

Lawfulness – Organisations must only collect data for legitimate reasons and with consent.  

​

Fairness – Individuals must be treated fairly and not discriminated against based on their data. 

​

Security – Organisations must implement appropriate safeguards to protect personal data.  

​

Accountability – Organisations must be accountable for their data processing activities.  

​

b. Individual Rights: GDPR policy outlines particular rights that individuals have with their data.  

​

Access – The right of the individual to be informed if personal data is processed, what data and receive access to the data as well as what purpose the data is being processed for.    

​

Rectification – The right for the individual to receive timely updates or corrections to inaccuracies in the personal data collected, and notification from the data processor when complete.  

​

Erasure – Individuals retain the right to be forgotten. Timely deletion of personal data that has been collected (with exceptions), and notification from the data processor when complete.  

​

Restriction of processing – Individuals retain the right to restrict the data processor from processing their data temporarily or permanently.  

​

Data portability – individuals retain the right to have a copy of the personal data retained by the organisation in a portable and readily usable format.  

​

Object – Individuals retain the right to object to the processing of personal data (including sharing, sale, or profiling)  

​

Automated decision-making – Individuals retain the right to request information about automated decision making and the likely outcomes of using it including profiling.  

​

Deny automated decision-making – Individuals retain the right to refuse the use of automated decision-making and the likely outcomes of using it including profiling.  

​

Non-discrimination – Individuals must be able to exercise their privacy rights.  

​

2. Data Privacy: 

 

The purpose of the data privacy section is to establish guidelines and practices that safeguard the privacy of individuals and protect the personal information collected, processed, and stored by Maikai in accordance with GDPR policy.   

​

a. Principles: Maikai adheres to the following privacy principles.  

​

    Lawfulness, Fairness And transparency: Ensure that the processing of personal data is lawful, fair and transparent to the data subjects.  

​

    Purpose limitation: Specify the purposes for which personal data is collected and ensure that it is not used for unrelated purposes.  

​

    Data minimisation: Collect only the necessary personal data required for the intended purpose.  

​

    Accuracy: Ensure that personal data is accurate and kept up to date. 

​

    Storage limitation: Define and adhere to specific timeframes for retaining personal data.  

​

b. Data Collection and Consent: Clearly communicate to individuals the purposes for collecting their personal data and obtain explicit consent before processing. Specify the methods for obtaining and documenting consent, and ensure that individuals can withdraw consent at any time.  

​

c. Data Security: Implement security measures to protect personal data from unauthorised access, disclosure, alteration and destruction. This includes encryption, access controls, and regular security assessments. 

​

d. Data Subject Rights: Respect and facilitate the exercise of data subject rights, including the right to access, rectification, erasure, and data portability.  

​

e. Third-Party Data Processing: If personal data is shared with third parties, ensure that appropriate contractual agreements are in place to safeguard the privacy and security of the date. Conduct due diligence checks on third-party data processors regarding their data protection practices.  

​

f. How Data is collected: Data will be collected only through approved means with explicit approval/consent from the individual. The following are methods of data collection that Maikai will use.  

​

Cookies: personal data will be obtained through the use of website cookies.   

​

Surveys: personal data will be collected through the use of Maikai Surveys.   

​

Services rendered: All of Maikai’s services rendered will incur an element of data collection from individuals, the level of this data collection will be extensively briefed to the individuals it relates to. 

​

Online forms: A number of online forms are likely to be utilised by Maikai in the pursuance of new business, the data captured will be extensively briefed to the individual it relates to.  

​

Customer accounts: During the registration process to one of Maikai’s services data will be captured during the creation of accounts.  

​

Transaction records: Data will be captured during any transactions conducted with Maikai business services.  

​

Social Media Platforms: Individuals who engage with Maikai social media accounts will have data logged on their engagement with such social media accounts.  

​

g. Data Privacy Officer (DPO): The data privacy officer is responsible for overseeing compliance with data protection laws, providing guidance, and acting as a point of contact for data subject and regulatory authorities. The DPO is to be appointed by the Policy Holder. 

 

3. Data Retention Policy:

 

The purpose of this section is to outline the principles and guidelines governing the retention of personal data collected and processed by Maikai. It ensures compliance with all data protection laws including GDPR.  

​

a. Applicability: This policy applies to all employees/contractors/third parties involved in the collection, processing and storage of personal data on behalf of Maikai.   

​

b. Legal Requirements: Maikai will retain personal data in accordance with applicable laws and regulations. The specific retention periods vary based on the nature of the data and legal requirements  

​

c. Consent Duration: Maikai will adhere to the consent duration specified at the time of collection. Renewed consent will be requested if data processing extends beyond the initial consent period.  

​

d. Business Necessity: Personal data necessary for ongoing business operations, legal obligations, or contractual requirements will be retained for the duration required to fulfil those obligations.  

​

e. Data retention: 

​

Customer Data – Personal data collected from customers will be retained for one year post termination of the customer relationship, unless a longer retention period is required by law or business necessity.  

​

Employee Data – Employee data, including HR records, will be retained for one year after termination of employment unless a longer retention period is required by law or business necessity.  

​

Marketing Data – Data collected for marketing purposes will be retained for three years after collection, unless individuals request erasure.  

​

Financial Data – financial records containing personal data will be retained for a period of 6 years to be compliant with UK financial regulations and auditing requirements. 

​

f. Secure Disposal: Personal Data that has reached the end of its retention period or is no longer necessary will be securely disposed of using methods that prevent unauthorised access, such as shredding or permanent deletion.  

​

g. Documentation of Disposal: A record of data disposal activities, including the type of data and the date of disposal, will be maintained for auditing and compliance purposes. 

​

h. Disciplinary actions: Any breach of personal policy will incur disciplinary actions. The severity of the action will be reflective of the breach. The disciplinary actions include but are not limited to, retraining, suspension, or termination of employment.   

​

i. Confidentiality agreements: It is the responsibility of Maikai employees to understand the nature of the work and the consequences of breaking confidentiality agreements. Breaking a confidentiality agreement will incur disciplinary actions that include but are not limited to, retraining, suspension, or termination of employment.   

​

4. Data Categories Classification:

 

The purpose of this section is to establish a framework for categorising the different classifications of data that Maikai will be collecting.   

​

a. Personal Data: Personal data refers to any information relating to an identified or identifiable natural person. This includes, but is not limited to, names, addresses, contact details, identification numbers and online identifiers.  

​

b. Sensitive Personal Data: Sensitive personal data, also known as special categories of personal data under GDPR, includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation.  

​

c. Financial Data: Financial Data encompasses information related to an individual’s financial transactions, accounts, and financial status.  

​

d. Employee Data: Employee data includes information related to individuals engaged in employment or contractual relationships with the organisation.   

​

e. Customer Data: Customer data pertains to information about individuals who engage in transactions or interactions with the organisation as customers or clients. 

​

f. Marketing and Communication Data: Marketing and communication data includes information collected to marketing purposes and communication with individuals.  

​

5. Purposes of Data Collection:

 

Maikai collects and processes personal data for specific and lawful purposes. This section outlines the primary reasons for which data is collected and the intended use for the information.  

​

a. Alignment with Legal Requirements: the purposes outlined below are in accordance with applicable data protection laws, including GDPR and are designed to respect individual privacy rights.  

​​

b. Customer Data:  

​​

Sales and Service Delivery – the collection of customer data is primarily for the purpose of facilitating sales transactions, delivering products or services, and ensuring a seamless customer experience.  

​​

Customer Support – Personal data may be used to provide customer support, address inquiries, resolves issues, and enhance overall customer satisfaction.  

​​

Communication – Customer contact details may be used or communication purposes, including order confirmations, updates, and promotional offers, in accordance with preferences.  

​

c. Employee Data:  

​

Employment Process – Employee data is collected for the management of employment relationships, including recruitment, on boarding, performance management and payroll processing.  

​

Benefits Administration – Personal data may be used for administering employee benefits, such as health insurance, retirement plans, and other related programmes.  

​

Compliance with Employment Laws – Employee data is processed to ensure compliance with applicable laws, regulations, and contractual obligations.  

​

d. Marketing and communication:  

​

Direct Marketing – Personalised data may be utilised for direct marketing purposes, including sending promotional materials, newsletters, and updates about products or services.  

​​

Customised Communication – Data may be analysed to tailor marketing communication, providing individuals with relevant and personalised content based on their preferences and behaviours.  

​

e. Technical and usage data:   

​

Website and Application functionality – Technical data, such as IP addresses and device identifiers, is collected to ensure proper functioning and security of Maikai website and applications.   

​

Analytics and improvement – usage data is analysed to gain insights into user behaviour, improve services, and enhance the user experience on digital platforms.   

​

f. Legal Compliance:   

​

Legal obligations – personal data may be processed to comply with legal obligations, regulatory requirements, and obligations imposed with by government authorities.  

​

Contractual Necessity – data collected and processing may be necessary for the performance of contracts with individuals or in anticipation of entering into contractual relationships.  

​

g. Security and Fraud prevention:   

​

Security Measures – personal data is processed to implement security measures, prevent unauthorised access, and protect against fraudulent activities.  

 

Authentication – data may be used for user authentication and authorisation purposes, ensuring that only authorised individuals access certain functionalities or services.  

 

h. Research and development:   

 

Product and service improvement – Personal data may be used for research and development purposes to improve existing products, services, or to innovate new offerings.  

 

Data analysis – Aggregated and anonymised data may be analysed to identify trends, preferences and areas for the improvement in Maikai products and services.  

​

6. Sharing of data with third parties:

 

Maikai is committed to transparency and accountability in its data handling practices. This section provides on whether and how personal data is shared with third parties.  

 

a. Third-Party relationships: We may engage with third-party service providers, partners, and other entities to facilitate various business operations. 

 

b. Change Control Procedures: All changes to the Maikai SharePoint and Teams functionality must be approved by the policy holder.  

 

c. Service Providers: Maikai may engage with external service providers to perform certain functions on our behalf, such as IT support, payment processing, marketing and analytics 

 

d. Business partners: In certain cases, we ay collaborate with business partners to offer joint products or services. Data sharing with partners will be limited to what is necessary for the collaboration.  

 

e. Legal and regulatory entities: Personal data may be shared with legal or regulatory entities, law enforcement agencies, or government authorities as required by law or in response to legal requests.   

 

f. Third-Party Applications: Users may choose to connect their accounts on Maikai’s platforms with third-party applications. In such cases, data may be shared based on user consent and the terms of the third-party application.   

 

g. Training programmes: It is Maikai’s responsibility to provide training programs for system administrators and IT staff on secure systems management practices. Once the training has been completed it is the responsibility of the employee to ensure these practices are adhered to.  

 

h. Data protection agreements: Before sharing data with third parties, Maikai wil establish data protection agreements to ensure that the third parties adhere to the same level of data protection standards and security measures.  

​

7. Valid Consent: 

 

The purpose of this section is to establish how Maikai will obtain valid consent from users with regard to the utilisation of their data.  

​

a. Explicit: Active acceptance is required, clicking accept button, ticking a box etc.  

​

b. Informed: The user must be informed of who will have access to the data, what will be done with their data, why is their data being used, and for how long will the data be held.   

​

c. Documented: All consent gained must be documented with time and date.  

​

d. Granular: Individual consent for individual purpose. Consent cannot be bundled with other purposes or activities.  

​

e. Freely given: Equal accessibility of the Accept and Deny options. 

​

f. Ease of withdrawal: Changing consent or opting out must be as easy to do as opting in.  

​

g. Nonessential cookies: Nonessential cookies or other tracking technologies on websites, apps, and other services cannot be triggered or loaded until valid user consent has been obtained.   

​

8. Denial of consent: 

 

The purpose of this section is to establish guidelines and measures to ensure users have access to Maikai services without giving consent for their data to be utilised.  

 

a. User Access: Users must be allowed to access Maikai services without giving consent to their data being used.  

 

b. Cookies: If a user refuses data processing, no nonessential cookies can be set. 

 

c. Re-opt: If an individual has opted out of data sharing/processing a re-opt option can be provided in 12 months.    

 

9. Policy review: 

 

The purpose of this section is to outline how Maikai will continuously improve its policy and update it as required.   

 

a. Review: A review of all operations and changes in the law must be conducted every 12 months. This will incorporate an update of Maikai’s privacy policy to ensure adherence to relevant legal requirements. An effective date must be included even if there are no changes to the policy.  

​

b. Transparency: Ensure that all the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.   

 

c. Data sold: A list of all the personal data that has been sold must be produced every 12 months.   

 

10. Distribution: 

 

All policy is distributed to all Maikai employees, contractors and third parties to ensure adherence at every level and for each individual to understand their role in ensuring compliance.  

bottom of page