GDPR Compliance
Our commitment to data protection and your privacy rights.
Last updated: January 2024
Our Commitment to GDPR
steady-return Advisory Services Ltd is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting personal data and respecting the privacy rights of all individuals who interact with our services.
This page provides specific information about how we fulfil our obligations under data protection legislation and how you can exercise your rights.
Data Controller Information
For the purposes of data protection law, the data controller is:
steady-return Advisory Services Ltd
Company Number: 08234567
47 Clerkenwell Road
London EC1M 5RS
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We only process personal data when we have a lawful basis to do so. The specific legal grounds we rely on include:
Contract Performance
When you engage our advisory services, we process your personal data to fulfil our contractual obligations. This includes using your contact information to communicate with you, your professional background to inform our recommendations, and payment details to process transactions.
Legitimate Interests
We may process data based on our legitimate business interests, provided these do not override your fundamental rights. Examples include:
- Improving our services based on how clients engage with us
- Maintaining records of past consultations to provide consistent service
- Analysing website usage to enhance user experience
- Protecting our business against fraud or legal claims
Legal Obligations
Certain processing activities are required by law, such as maintaining financial records for tax compliance and responding to valid legal requests.
Consent
Where processing is not covered by another lawful basis, we will seek your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Your Data Protection Rights
Under the UK GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
You may request confirmation of whether we process your personal data and, if so, receive a copy of that data along with information about how it is processed. This is commonly known as a Subject Access Request (SAR). We will respond within one month of receiving your request.
Right to Rectification (Article 16)
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will address rectification requests promptly.
Right to Erasure (Article 17)
In certain circumstances, you may request that we delete your personal data. This right applies when:
- The data is no longer necessary for its original purpose
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note that this right may be limited where we need to retain data for legal obligations or legal claims.
Right to Restriction (Article 18)
You may request that we limit how we use your data while we address a concern you have raised, such as verifying accuracy or considering an objection.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used format or have it transmitted directly to another controller.
Right to Object (Article 21)
You may object to processing based on legitimate interests, and we will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing.
Rights Related to Automated Decision-Making (Article 22)
We do not currently make decisions based solely on automated processing that significantly affect you. If this changes, we will inform you and provide appropriate safeguards.
Exercising Your Rights
To exercise any of these rights, please contact us at [email protected] with:
- Your name and contact details
- A clear description of the right you wish to exercise
- Any information that will help us locate your data
We may request proof of identity before actioning your request. We aim to respond within one month, though complex requests may take up to three months with prior notification.
Data Protection Principles
Our data processing adheres to the principles set out in Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency: We process data legally and openly
- Purpose limitation: Data is collected for specified, explicit purposes and not used in ways incompatible with those purposes
- Data minimisation: We collect only what is necessary for our purposes
- Accuracy: We take reasonable steps to ensure data is accurate and current
- Storage limitation: Data is kept only as long as necessary
- Integrity and confidentiality: We implement appropriate security measures
- Accountability: We maintain records demonstrating compliance
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments and updates
- Staff training on data protection practices
- Secure disposal of data no longer required
Data Breach Procedures
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.
International Data Transfers
We primarily store and process data within the United Kingdom. If data is transferred outside the UK, we ensure adequate safeguards are in place, such as:
- Transfers to countries with adequacy decisions
- Standard contractual clauses approved by the UK ICO
- Other appropriate safeguards as permitted by law
Record Keeping
As required under Article 30 of the UK GDPR, we maintain records of our processing activities. These records document the categories of data processed, purposes, recipients, retention periods, and security measures.
Data Protection Impact Assessments
For processing activities likely to result in high risk to individuals, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks before processing begins.
Children's Data
Our services are directed at adults. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected such data, we will delete it promptly.
Third-Party Processors
Where we engage third parties to process data on our behalf, we ensure they provide sufficient guarantees of compliance through data processing agreements that meet Article 28 requirements.
Supervisory Authority
If you are dissatisfied with how we handle your data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns directly before you escalate to the ICO.
Policy Updates
This GDPR compliance information may be updated periodically to reflect changes in our practices or legal requirements. Material changes will be communicated through our website.
Contact
For any questions regarding our GDPR compliance or data protection practices, please contact us at [email protected].