GDPR Compliance
How we protect your data rights under the UK General Data Protection Regulation.
Last updated: January 2024
haunted-spire Retirement Services Ltd is committed to protecting your personal data and respecting your privacy rights in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page provides specific information about your rights under data protection law and how we ensure compliance with these requirements.
Data Controller
haunted-spire Retirement Services Ltd is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal information.
Contact details:
haunted-spire Retirement Services Ltd
47 Wellington Street
Bristol BS1 4QH
United Kingdom
Email: [email protected]
Your Rights Under UK GDPR
Data protection law gives you specific rights regarding your personal information. We are committed to respecting these rights and making it easy for you to exercise them.
Right to Be Informed
You have the right to be told how your personal data will be used. This information is provided through our Privacy Policy and this GDPR page, as well as in any specific communications or agreements related to our services.
Right of Access
You have the right to request a copy of the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of receiving your request, unless the request is manifestly unfounded or excessive.
Right to Rectification
You have the right to request that inaccurate personal data be corrected, or that incomplete data be completed. We aim to address rectification requests within one month.
Right to Erasure
Also known as the "right to be forgotten", you may request the deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
This right is not absolute and may be subject to legal obligations requiring us to retain certain information.
Right to Restrict Processing
You have the right to request that we limit how we use your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
Right to Data Portability
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in fully automated decision-making of this nature.
Lawful Basis for Processing
We only process personal data when we have a lawful basis to do so. The bases we rely on include:
Contract
Processing is necessary for the performance of a contract with you or to take steps at your request prior to entering a contract. This applies when you engage our retirement planning services.
Legitimate Interests
Processing is necessary for our legitimate interests or those of a third party, provided these are not overridden by your rights and interests. For example, we may process data to improve our services or for administrative purposes.
Consent
Where we rely on consent as the lawful basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Legal Obligation
Processing may be necessary to comply with legal or regulatory requirements, such as maintaining records for tax purposes or responding to legal proceedings.
Data Protection Principles
We adhere to the data protection principles set out in UK GDPR:
- Lawfulness, fairness, and transparency: We process data lawfully and are transparent about how we use it
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes
- Data minimisation: We only collect data that is adequate, relevant, and limited to what is necessary
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
- Storage limitation: We retain data only for as long as necessary for the purposes for which it was collected
- Integrity and confidentiality: We implement appropriate security measures to protect personal data
- Accountability: We take responsibility for compliance and can demonstrate it
Data Security Measures
We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where appropriate
- Access controls limiting who can view personal data
- Regular testing and evaluation of security measures
- Procedures for handling potential data breaches
- Staff training on data protection
International Data Transfers
We primarily store and process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses approved by the relevant authorities.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are based on:
- The nature of the services provided
- Legal and regulatory requirements
- Legitimate business purposes
- Contractual obligations
Client records are typically retained for seven years following the end of our engagement, in line with regulatory expectations and limitation periods for potential claims.
Data Breach Procedures
We have procedures in place to detect, report, and investigate personal data breaches. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and inform the Information Commissioner's Office as required by law.
Exercising Your Rights
To exercise any of your data protection rights, please contact us using the details below. We may need to verify your identity before processing your request.
We aim to respond to all legitimate requests within one month. If your request is particularly complex or you have made multiple requests, we may extend this period by a further two months, in which case we will inform you of this extension and the reasons for it.
Complaints
If you are not satisfied with how we handle your personal data or your data protection request, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you contact the ICO, so please consider reaching out to us first.
Contact Us
For any questions about this GDPR compliance statement or to exercise your data protection rights, please contact:
haunted-spire Retirement Services Ltd
47 Wellington Street
Bristol BS1 4QH
United Kingdom
Email: [email protected]
Updates
We may update this GDPR compliance statement from time to time. The date at the top of this page indicates when it was last revised. We encourage you to review this page periodically for any changes.