GDPR Compliance

Information about our gdpr compliance

Last updated: 8/21/2025

Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how organizations collect, use, store, and protect personal data of individuals in the European Union (EU) and European Economic Area (EEA).

KitchenRoles is committed to GDPR compliance and protecting the rights and freedoms of individuals whose personal data we process.

Our Role and Responsibilities

As a Data Controller

When we collect and process personal data directly from users (job seekers, employers), we act as a Data Controller and are responsible for:

Determining the purposes and means of processing
Ensuring lawful basis for processing
Protecting data subjects' rights
Implementing appropriate security measures
Maintaining records of processing activities

As a Data Processor

When we process data on behalf of our business customers (employers posting jobs), we may act as a Data Processor and:

Process data only on documented instructions
Ensure confidentiality of personnel
Implement appropriate security measures
Assist with data protection impact assessments
Delete or return data after service ends

Lawful Basis for Processing

We process personal data under the following lawful bases:

1. Consent (Article 6(1)(a))

Newsletter subscriptions
Marketing communications
Cookie preferences
Job alert notifications

2. Contract (Article 6(1)(b))

Account registration and management
Job application processing
Service delivery to employers
Payment processing

3. Legal Obligations (Article 6(1)(c))

Tax and accounting records
Compliance with court orders
Regulatory requirements

4. Legitimate Interests (Article 6(1)(f))

Fraud prevention and security
Service improvements
Direct marketing (with opt-out)
Network and information security

Data Subject Rights

Under GDPR, individuals have the following rights:

1. Right to Access (Article 15)

Request a copy of your personal data
Understand how and why we process it
Verify the lawfulness of processing

How to exercise: Contact us with proof of identity

2. Right to Rectification (Article 16)

Correct inaccurate personal data
Complete incomplete personal data
Update outdated information

How to exercise: Update via account settings or contact us

3. Right to Erasure/"Right to be Forgotten" (Article 17)

Request deletion of personal data when:
- No longer necessary for original purpose
- Consent withdrawn
- Unlawful processing
- Legal obligation to erase

Limitations: May not apply if processing is necessary for legal obligations or legal claims

4. Right to Restrict Processing (Article 18)

Limit how we use your data
Applies when:
- Accuracy is contested
- Processing is unlawful
- We no longer need the data
- Objection pending verification

5. Right to Data Portability (Article 20)

Receive your data in structured, machine-readable format
Transfer data to another controller
Applies to automated processing based on consent or contract

6. Right to Object (Article 21)

Object to processing based on legitimate interests
Object to direct marketing (absolute right)
Object to processing for research/statistics

7. Rights Related to Automated Decision-Making (Article 22)

Not be subject to solely automated decisions with legal effects
Request human intervention
Express your point of view
Contest the decision

Data Processing Activities

Types of Data We Process

Identity Data: Name, username, date of birth
Contact Data: Email, phone, address
Professional Data: CV, work history, qualifications
Technical Data: IP address, browser type, device information
Usage Data: How you use our services
Marketing Data: Preferences and subscriptions

Processing Purposes

Service provision and management
Communication and support
Legal and regulatory compliance
Marketing (with consent)
Analytics and improvements
Security and fraud prevention

Data Retention

We retain personal data only as long as necessary:

Active accounts: Duration of account activity
Job applications: 12 months after submission
Marketing lists: Until opt-out or 3 years of inactivity
Legal records: As required by law (typically 6-7 years)
Cookies: See our Cookie Policy

International Data Transfers

When we transfer data outside the EEA, we ensure protection through:

Standard Contractual Clauses (SCCs)

EU Commission-approved contracts
Ensure equivalent protection
Regularly reviewed and updated

Adequacy Decisions

Transfers to countries deemed adequate by EU Commission
No additional safeguards required

Your Rights Regarding Transfers

Be informed about transfers
Request information about safeguards
Lodge complaints about transfers

Data Protection Measures

Technical Measures

Encryption at rest and in transit
Access controls and authentication
Regular security testing
Intrusion detection systems
Backup and recovery procedures

Organizational Measures

Staff training and awareness
Confidentiality agreements
Data protection policies
Regular audits and reviews
Incident response procedures

Data Breach Procedures

In case of a personal data breach:

Our Obligations

To Supervisory Authority: Notify within 72 hours if risk to rights and freedoms
To Data Subjects: Notify without undue delay if high risk
Documentation: Maintain records of all breaches

Breach Response

Immediate containment and recovery
Assessment of risk and impact
Notification to authorities and affected individuals
Investigation and remediation
Review and improve security measures

Privacy by Design and Default

We implement data protection principles from the outset:

Data Minimization: Collect only necessary data
Purpose Limitation: Use data only for stated purposes
Accuracy: Keep data up to date
Storage Limitation: Delete when no longer needed
Security: Protect against unauthorized access
Accountability: Demonstrate compliance

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs when:

Using new technologies
Processing likely to result in high risk
Large-scale processing of special categories
Systematic monitoring of public areas

Third-Party Processors

We carefully select and monitor third-party processors:

Our Requirements

Written processing agreements
Appropriate security measures
GDPR compliance demonstration
Audit rights
Breach notification procedures

Categories of Processors

Cloud hosting providers
Payment processors
Email service providers
Analytics platforms
Customer support tools

Children's Privacy

Our services are not directed at children under 16
We do not knowingly collect children's data
Parents may contact us to remove children's data
Age verification measures where appropriate

Supervisory Authority

For EU/EEA residents, you have the right to lodge complaints with your local supervisory authority:

Lead Authority: [Your relevant supervisory authority]

Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

Data Protection Officer (DPO)

While we may not be legally required to appoint a DPO, we have designated a privacy contact:

Privacy Contact:

Responsibilities:

Monitor GDPR compliance
Conduct privacy training
Cooperate with supervisory authorities
Act as point of contact for data subjects

Your Rights in Practice

How to Exercise Your Rights

Email:
Online: Through your account settings
Post: See our contact page

What We Need

Proof of identity
Specific right you wish to exercise
Relevant details to locate your data

Response Time

Standard requests: Within one month
Complex requests: Up to three months (with notification)
Excessive requests: May charge fee or refuse

GDPR Compliance Program

Our ongoing compliance efforts include:

Regular privacy audits
Staff training programs
Policy reviews and updates
Vendor assessments
Technology improvements
Compliance monitoring

Updates to This Statement

We review and update this GDPR statement regularly to ensure ongoing compliance. Check back periodically for updates.

Contact Us

For GDPR-related inquiries:

Email:

Response time: We aim to respond within 48 hours

This statement demonstrates our commitment to GDPR compliance and protecting your personal data rights.