GDPR Compliance

Home / GDPR

Last updated: January 2024

joyful-vault Ltd is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines our approach to data protection and your rights as a data subject.

Our Commitment to Data Protection

We recognise the importance of protecting personal information and maintaining the trust of those we work with. Our data protection practices are built on the following principles:

  • We process personal data lawfully, fairly, and transparently
  • We collect data only for specified, explicit, and legitimate purposes
  • We minimise data collection to what is necessary for the intended purpose
  • We take reasonable steps to ensure data accuracy
  • We retain data only for as long as necessary
  • We implement appropriate security measures to protect personal data

Data Controller Information

For the purposes of the UK GDPR, the data controller is:

joyful-vault Ltd
Chancery House
53 King Street
Manchester, M2 4LQ
United Kingdom

Data protection enquiries: [email protected]

Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

Consent

Where you have provided clear, affirmative consent for us to process your personal data for specific purposes. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Contractual Necessity

Where processing is necessary to perform a contract with you, or to take steps at your request before entering into a contract. This includes processing necessary to deliver our consulting services.

Legitimate Interests

Where processing is necessary for our legitimate business interests, provided those interests do not override your fundamental rights and freedoms. Examples include:

  • Responding to enquiries about our services
  • Maintaining records of our business activities
  • Improving our website and services based on usage patterns
  • Protecting our business against fraud and other risks

Legal Obligation

Where processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting requirements or responding to lawful requests from authorities.

Your Data Protection Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to be informed about how we collect and use your personal data. This is achieved through our Privacy Policy and this GDPR notice.

Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond to valid requests within one month and provide the information free of charge in most circumstances.

Right to Rectification

You have the right to request that we correct inaccurate personal data or complete incomplete data. We will respond within one month of receiving your request.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose or where you withdraw consent.

Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain circumstances, for example while we verify the accuracy of data you have challenged.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making that would trigger these rights.

Exercising Your Rights

To exercise any of your data protection rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We aim to respond to all legitimate requests within one month, though we may extend this period by a further two months for complex requests, in which case we will inform you.

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data where appropriate
  • Access controls limiting who can view personal data
  • Regular security assessments and testing
  • Staff training on data protection obligations
  • Incident response procedures for potential data breaches
  • Secure disposal of data when no longer needed

International Data Transfers

When we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place. These may include:

  • Transfers to countries with adequacy decisions from the UK government
  • Use of standard contractual clauses approved by the Information Commissioner
  • Other legally recognised transfer mechanisms

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, taking into account legal, regulatory, and operational requirements. Our retention periods are documented in our data retention policy and summarised in our Privacy Policy.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify those affected directly.

Third-Party Processors

Where we engage third parties to process personal data on our behalf, we ensure appropriate contracts are in place requiring them to:

  • Process data only on our documented instructions
  • Implement appropriate security measures
  • Assist us in meeting our data protection obligations
  • Delete or return data at the end of the relationship
  • Allow for audits and inspections

Complaints

If you believe we have not handled your personal data properly, we encourage you to contact us first so we can address your concerns. You also have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, SK9 5AF
United Kingdom
Telephone: 0303 123 1113

Updates to This Notice

We may update this GDPR notice periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.