GDPR Compliance
Our commitment to data protection and your rights
Last updated: January 2024
Our Commitment to GDPR
KentshiremBritAi Ltd is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting personal data and have implemented comprehensive measures to ensure compliance with data protection principles.
This page provides detailed information about how we meet our obligations under data protection law and how you can exercise your rights as a data subject.
Data Controller Information
KentshiremBritAi Ltd is the data controller responsible for your personal information. Our contact details are:
KentshiremBritAi Ltd
47 Pembroke Road
Maidstone, Kent ME15 6NQ
Email: [email protected]
Data Protection Principles
We adhere to the core principles set out in data protection legislation:
Lawfulness, Fairness, and Transparency
We process personal data lawfully and fairly. We are transparent about what information we collect, why we collect it, and how we use it. Our Privacy Policy explains these matters in detail.
Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes. We do not process data in ways that are incompatible with those purposes without informing you and, where required, obtaining your consent.
Data Minimisation
We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes we have identified. We regularly review the data we hold to ensure we are not retaining more than we need.
Accuracy
We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. We have procedures in place to rectify inaccurate data without undue delay when we become aware of errors.
Storage Limitation
We keep personal data in a form that permits identification only for as long as necessary for the purposes for which we process it. Our retention schedules are reviewed regularly to ensure compliance.
Integrity and Confidentiality
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Accountability
We take responsibility for what we do with personal data and how we comply with the other principles. We maintain records of our processing activities and can demonstrate compliance when required.
Lawful Bases for Processing
We only process personal data when we have a valid lawful basis. The bases we rely upon include:
Contractual Necessity
We process personal data when it is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes processing to provide our financial guidance services.
Legitimate Interests
We may process data based on our legitimate business interests, provided these do not override your fundamental rights and freedoms. Examples include:
- Improving our services based on client feedback and usage patterns
- Maintaining security and preventing fraud
- Administrative purposes and record keeping
We conduct balancing tests to ensure our interests do not unfairly impact your rights.
Legal Obligations
We process personal data when necessary to comply with legal obligations, such as tax reporting requirements, anti-money laundering regulations, and responding to valid legal requests.
Consent
Where we rely on consent as the lawful basis, we ensure it is freely given, specific, informed, and unambiguous. You may withdraw consent at any time, and doing so will not affect the lawfulness of processing carried out before withdrawal.
Your Rights Under GDPR
As a data subject, you have the following rights under UK GDPR:
Right to Be Informed
You have the right to know how your personal data is being used. Our Privacy Policy and this GDPR page provide this information. We also provide specific privacy notices when collecting data in particular circumstances.
Right of Access
You can request a copy of the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will respond within one month and provide the information free of charge in most circumstances.
Right to Rectification
If personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We aim to rectify data within one month of receiving a valid request.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:
- When the data is no longer necessary for its original purpose
- When you withdraw consent (where consent is the lawful basis)
- When you object to processing and there are no overriding legitimate grounds
- When data has been unlawfully processed
Note that this right is not absolute. We may need to retain certain data for legal or contractual reasons.
Right to Restrict Processing
You can request that we limit how we use your data while certain issues are resolved, such as when you contest accuracy or have objected to processing.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will stop processing immediately upon objection. For legitimate interests, we will cease unless we can demonstrate compelling legitimate grounds.
Rights Related to Automated Decision-Making
You have rights concerning decisions made solely by automated means that produce legal effects or similarly significant impacts. We do not currently make such decisions, but if this changes, we will inform you and ensure appropriate safeguards.
Exercising Your Rights
To exercise any of your rights, please contact us at [email protected]. We will:
- Verify your identity before proceeding
- Respond within one month (this may be extended by two months for complex requests)
- Inform you if we cannot comply and explain our reasons
- Not charge a fee except in cases of manifestly unfounded or excessive requests
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when introducing new processing activities that are likely to result in high risk to individuals' rights and freedoms. This helps us identify and minimise data protection risks.
Data Breach Procedures
We have procedures to detect, investigate, and report personal data breaches. Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected persons without undue delay. Breaches meeting the threshold for notification to the supervisory authority will be reported to the ICO within 72 hours.
International Data Transfers
If we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place. This may include:
- Transfers to countries with adequacy decisions
- Use of standard contractual clauses approved by the relevant authority
- Other appropriate safeguards as permitted by law
Third-Party Processors
When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees regarding data protection. We enter into data processing agreements that require them to:
- Process data only on our documented instructions
- Ensure confidentiality of processing
- Implement appropriate security measures
- Assist us in responding to data subject requests
- Delete or return data at the end of the service
Staff Training
All staff who handle personal data receive training on data protection principles and their responsibilities. Training is updated regularly to reflect changes in law and best practice.
Record Keeping
We maintain records of our processing activities as required by Article 30 of UK GDPR. These records include:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures
Supervisory Authority
The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO). If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
We encourage you to contact us first so we have the opportunity to address your concerns directly.
Updates to This Information
We review our data protection practices regularly and may update this page to reflect changes. The "last updated" date at the top indicates when the most recent revision was made.
Contact
For any questions about our GDPR compliance or data protection practices, please contact:
Email: [email protected]