GDPR Information
Understanding your data protection rights under UK GDPR
Last updated: January 2024
Our Commitment to Data Protection
frosty-lark is committed to ensuring that your personal data is processed in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we fulfil our obligations and how you can exercise your rights.
Data Controller
frosty-lark acts as the data controller for personal information collected through this website and our consultancy services. This means we determine the purposes and means of processing your personal data.
Contact details:
frosty-lark
14 Queen Square
Bristol, BS1 4NT
United Kingdom
Email: [email protected]
Lawful Bases for Processing
We process personal data only when we have a valid lawful basis. The lawful bases we rely on are:
Consent
Where you have given clear consent for us to process your personal data for a specific purpose, such as receiving marketing communications or allowing non-essential cookies.
Contract
Where processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract. This applies when you engage our consultancy services.
Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, provided these interests do not override your fundamental rights. This may include improving our services, maintaining security, and responding to enquiries.
Legal Obligation
Where processing is necessary for us to comply with legal requirements, such as tax reporting or responding to lawful requests from authorities.
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right to Be Informed
You have the right to receive clear information about how we collect and use your personal data. This is provided through this page and our Privacy Policy.
Right of Access
You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month of receiving your request.
Right to Rectification
You have the right to request correction of inaccurate personal data or completion of incomplete data. We will respond within one month.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose or when you withdraw consent.
Right to Restrict Processing
You have the right to request that we limit how we use your personal data in certain circumstances, such as while we verify the accuracy of data you have challenged.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
Rights Related to Automated Decision-Making
You have rights regarding automated decision-making and profiling. We do not currently use automated decision-making that produces legal or similarly significant effects.
Exercising Your Rights
To exercise any of these rights, please contact us at:
Email: [email protected]
We will respond to your request within one month. In complex cases or where we receive numerous requests, we may extend this period by up to two further months, but we will inform you of any extension within the first month.
We do not charge a fee for processing most requests. However, if your request is clearly unfounded, repetitive, or excessive, we may charge a reasonable fee or refuse to act on the request.
Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing your personal data. These measures include:
- Encryption of data in transit using SSL/TLS
- Secure server infrastructure with regular security updates
- Access controls limiting data access to authorised personnel
- Regular security assessments and staff training
- Incident response procedures for data breaches
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights, we will also notify you directly.
International Transfers
We primarily process and store your data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office.
Data Protection Officer
Given the nature and scale of our processing activities, we are not required to appoint a Data Protection Officer. However, all data protection matters are overseen by our management team. For any data protection queries, please contact us using the details above.
Complaints
If you are dissatisfied with how we have handled your personal data or any request you have made, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
Updates to This Information
We may update this GDPR information from time to time to reflect changes in our practices or legal requirements. We encourage you to review this page periodically.