GDPR Compliance
Our commitment to protecting your personal data under UK GDPR
Our GDPR Commitment
Brightmelt Habitat Limited is fully committed to compliance with the UK General Data Protection Regulation and Data Protection Act 2018. We recognise that trust forms the foundation of our client relationships, and protecting your personal information is fundamental to maintaining that trust.
This document explains our GDPR compliance measures, your rights under data protection law, and how we ensure your information receives appropriate protection throughout our relationship.
Data Controller Information
Brightmelt Habitat Limited acts as the data controller for personal information we collect and process. This means we determine the purposes and means of processing your data.
Data Controller: Brightmelt Habitat Limited
Registration: ICO Registration Number ZA473829
Address: 42 Threadneedle Street, London EC2R 8AY
Contact: [email protected]
We have appointed a Data Protection Officer responsible for overseeing our compliance with data protection legislation and serving as your point of contact for data protection queries.
Lawful Basis for Processing
We process personal data only when we have a lawful basis under GDPR. The specific basis depends on why we're processing your information.
Contract performance covers processing necessary to provide the retirement planning services you've engaged us for. This includes collecting financial information, preparing recommendations, and implementing agreed strategies. We cannot fulfil our contractual obligations without processing this data.
Legal obligation applies when processing is required to meet regulatory requirements imposed by the Financial Conduct Authority, tax authorities, or other regulatory bodies. These obligations exist independently of any consent you might give.
Legitimate interests cover processing that's reasonably expected when engaging a financial adviser and doesn't override your fundamental rights. This includes maintaining client records for quality assurance, defending against potential complaints, and improving our services based on anonymised data analysis.
Explicit consent is obtained for processing special category data, particularly health information used in pension transfer analysis. This consent is freely given, specific, informed, and unambiguous. You can withdraw consent at any time, though this may affect our ability to provide certain services.
Data Protection Principles
We adhere to the core data protection principles established by GDPR in all our processing activities.
Lawfulness, fairness, and transparency guide our processing. We process data lawfully using appropriate legal bases, treat you fairly in all dealings, and maintain transparency about how we use your information.
Purpose limitation means we collect information for specific, explicit purposes and don't subsequently process it in ways incompatible with those purposes. If we identify new uses for your data, we'll inform you and establish an appropriate legal basis.
Data minimisation ensures we collect only information necessary for our stated purposes. We don't request unnecessary details or retain data we no longer need.
Accuracy requires that we keep information up to date and correct errors promptly. We encourage you to inform us of any changes to your circumstances that affect the accuracy of our records.
Storage limitation means we retain data only as long as necessary. Specific retention periods reflect legal requirements and legitimate business needs, after which we securely destroy information.
Integrity and confidentiality obligations require us to implement appropriate security measures protecting against unauthorised access, accidental loss, or destruction. We maintain technical and organisational measures appropriate to the risks involved.
Accountability means we demonstrate compliance with these principles through documented policies, staff training, and regular reviews of our data processing activities.
Your Data Protection Rights
GDPR grants you significant rights regarding your personal information. We respect these rights and have established procedures to facilitate their exercise.
Right of access allows you to obtain confirmation of whether we process your data and to receive copies of that data. We provide this information free of charge within one month, extending this timeframe only when requests are complex or numerous.
Right to rectification enables you to request correction of inaccurate information or completion of incomplete records. We act promptly on such requests and notify relevant third parties of corrections where appropriate.
Right to erasure, sometimes called the right to be forgotten, permits you to request deletion of your personal data in specific circumstances. However, this right is not absolute. We may be required to retain information to comply with legal obligations or establish, exercise, or defend legal claims.
Right to restrict processing allows you to request that we limit how we use your information in certain situations, such as while we verify data accuracy following a challenge from you.
Right to data portability lets you receive personal data you've provided in a structured, commonly used format and transmit it to another data controller. This applies to data processed based on consent or contract performance.
Right to object enables you to challenge processing based on legitimate interests or for direct marketing purposes. When you object, we must cease processing unless we demonstrate compelling legitimate grounds overriding your interests.
Rights related to automated decision-making protect you from decisions based solely on automated processing that produce legal or similarly significant effects. We don't currently employ such automated decision-making in our advice process.
Exercising Your Rights
To exercise any data protection right, contact our Data Protection Officer at [email protected] or write to the address shown above. Please include sufficient information to identify yourself and specify which right you wish to exercise.
We may need to verify your identity before responding to requests, particularly when providing copies of personal data. This verification protects your information from unauthorised disclosure.
We respond to valid requests within one month. Complex requests may take up to three months, in which case we'll inform you of the delay and explain the reasons.
Most requests are handled free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, particularly repeated requests for the same information.
If you're dissatisfied with how we handle your request, you can complain to the Information Commissioner's Office, the UK's data protection regulator.
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Technical measures include encryption of data in transit and at rest, secure password policies, regular security updates, firewall protection, and restricted system access based on role requirements. Our IT infrastructure undergoes regular security assessments.
Organisational measures encompass staff training on data protection obligations, clear data handling procedures, controlled access to client files, secure destruction of obsolete records, and incident response procedures for potential data breaches.
Third-party processors who handle data on our behalf are carefully selected and bound by data processing agreements requiring them to implement equivalent security measures.
We conduct regular reviews of our security measures to ensure they remain appropriate as technology evolves and new risks emerge.
Data Breach Procedures
Despite our security measures, we recognise that breaches can occur. We have established procedures to detect, report, and respond to data breaches appropriately.
Detection involves monitoring systems for unusual activity, staff training to recognise potential breaches, and clear reporting channels for suspected incidents.
Assessment follows detection. We determine what data was affected, how many individuals are impacted, the severity of potential consequences, and what measures can mitigate harm.
Reporting obligations require us to notify the Information Commissioner's Office within seventy-two hours of becoming aware of breaches likely to result in risk to individual rights and freedoms.
Individual notification occurs without undue delay when a breach is likely to result in high risk to your rights and freedoms. We explain the nature of the breach, likely consequences, and measures we're taking to address it.
Remediation involves containing the breach, recovering any compromised data where possible, preventing recurrence, and implementing additional safeguards as needed.
International Data Transfers
We store and process your personal data primarily within the United Kingdom. Any transfers to countries outside the UK occur only with appropriate safeguards in place.
Where we use service providers located outside the UK, we ensure transfers comply with GDPR requirements through adequacy decisions, standard contractual clauses, or other approved transfer mechanisms.
We do not routinely transfer client data internationally and will inform you if your specific circumstances require such transfers.
Children's Data
Our services are designed for adults making retirement planning decisions. We do not knowingly collect or process personal data of individuals under sixteen years of age without appropriate parental consent.
If we become aware that we've collected data from a child without proper consent, we'll take steps to delete that information promptly.
Data Protection Impact Assessments
When introducing new processing activities likely to result in high risk to individual rights and freedoms, we conduct Data Protection Impact Assessments. These assessments identify risks and establish measures to address them before processing begins.
We consult the Information Commissioner's Office when assessments indicate high residual risk that we cannot adequately mitigate.
Staff Training and Awareness
All staff receive data protection training appropriate to their roles. This includes understanding GDPR principles, recognising data subject rights, following security procedures, and knowing when to escalate concerns to our Data Protection Officer.
Training is refreshed annually and updated when regulations change or we identify gaps in knowledge through audits or incidents.
Complaints and Further Information
If you have concerns about our data processing activities or believe we've breached data protection law, please contact our Data Protection Officer initially. We take all complaints seriously and investigate them thoroughly.
You also have the right to lodge complaints directly with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Policy Updates
We review this GDPR compliance statement annually and update it to reflect changes in our practices, services, or legal requirements. Significant changes will be communicated to existing clients.
The most current version is always available on our website. We encourage you to review it periodically to stay informed about how we protect your data.