GDPR Compliance

Your data protection rights under UK law

Our Commitment to Data Protection

Brightcliff Habitat Ltd is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting personal data and have implemented comprehensive measures to ensure compliance with data protection principles.

Data Controller Information

For the purposes of data protection legislation, the data controller is:

Brightcliff Habitat Ltd
42 Meadowbrook Lane
Thornbury, South Gloucestershire
BS35 2PA
Email: [email protected]

Data Protection Principles

We adhere to the core principles of UK GDPR in all our data processing activities:

  • Lawfulness, fairness, and transparency: We process data lawfully and openly, ensuring you understand how your information is used
  • Purpose limitation: We collect data only for specified, explicit, and legitimate purposes
  • Data minimisation: We collect only the data necessary for the intended purpose
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
  • Storage limitation: We retain data only for as long as necessary
  • Integrity and confidentiality: We process data securely using appropriate technical and organisational measures
  • Accountability: We demonstrate compliance through documentation and records

Your Rights Under UK GDPR

UK GDPR grants you specific rights regarding your personal data. We are committed to upholding these rights.

Right of Access

You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about how it is processed. This is commonly known as a Subject Access Request (SAR).

Right to Rectification

If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will make corrections without undue delay.

Right to Erasure

In certain circumstances, you may request the deletion of your personal data. This right applies when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis exists for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required for legal compliance

Right to Restriction of Processing

You may request restriction of processing in certain situations, such as when you contest the accuracy of data or object to processing pending verification of legitimate grounds.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.

Exercising Your Rights

To exercise any of your data protection rights, please contact us at [email protected]. Please provide sufficient information to verify your identity and specify which right you wish to exercise.

We will respond to your request within one month of receipt. If your request is complex or we receive numerous requests, we may extend this period by a further two months, but we will inform you of any extension within the initial month.

There is no fee for exercising your rights in most circumstances. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests.

Legal Bases for Processing

We process personal data under the following legal bases:

  • Performance of contract: Processing necessary to deliver services you have requested
  • Legitimate interests: Processing necessary for our business operations where this does not override your fundamental rights
  • Legal obligation: Processing required to comply with UK law
  • Consent: Processing for which you have given clear, informed consent

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office or transfers to countries with adequacy decisions.

Data Breach Procedures

We have procedures in place to detect, investigate, and report personal data breaches. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and inform the Information Commissioner's Office within 72 hours where required.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments when processing is likely to result in high risk to individuals, particularly when using new technologies or processing sensitive data at scale.

Records of Processing Activities

We maintain records of our processing activities as required under Article 30 of UK GDPR. These records include purposes of processing, categories of data subjects and personal data, recipients, retention periods, and security measures.

Training and Awareness

All staff members receive training on data protection principles and their responsibilities under UK GDPR. We maintain awareness through regular updates and refresher training.

Complaints

If you are dissatisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first if possible.

Updates to This Notice

We review this GDPR compliance notice periodically and may update it to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.

Contact

For any questions regarding this notice or our data protection practices, please contact us at [email protected].