GDPR Compliance

Our Commitment to Data Protection

At glow-vent, we take your data protection rights seriously. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we fulfil our obligations and respect your rights under these regulations.

Data Controller Information

For the purposes of UK data protection legislation, glow-vent is the data controller responsible for your personal information.

Contact Details:
Email: [email protected]
Address: 42 Western Road, Brighton, East Sussex, BN1 2EB, United Kingdom

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so under UK GDPR. The lawful bases we rely on include:

Contract Performance

Processing your data is necessary to perform our contract with you for financial advisory services. This includes collecting financial information, conducting analysis, making recommendations, and implementing agreed strategies.

Legal Obligation

As a regulated financial services firm, we are required by law to process certain personal data. This includes anti-money laundering checks, regulatory reporting to the Financial Conduct Authority, maintaining client records for specified periods, and tax-related obligations.

Legitimate Interests

We may process data where necessary for legitimate interests pursued by us or third parties, provided your fundamental rights do not override these interests. This includes preventing fraud, ensuring network security, improving our services, and managing business operations. We conduct balancing assessments to ensure processing is fair and proportionate.

Consent

For certain processing activities, particularly marketing communications and some cookies, we rely on your explicit consent. You can withdraw consent at any time by contacting us.

Your Rights Under UK GDPR

You have comprehensive rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request access to your personal data, commonly known as a "subject access request." We will provide a copy of the information we hold about you, details of processing purposes, categories of data, recipients of data, retention periods, and information about your rights.

We respond to subject access requests within one month, though this may be extended by two further months for complex requests. There is no charge for most requests, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

Right to Rectification

If you believe personal data we hold about you is inaccurate or incomplete, you can request correction. We will rectify inaccurate data without undue delay and notify any third parties to whom the data was disclosed, unless this proves impossible or involves disproportionate effort.

Right to Erasure (Right to Be Forgotten)

In certain circumstances, you can request deletion of your personal data. This right applies when data is no longer necessary for its original purpose, you withdraw consent, you object to processing and there are no overriding legitimate grounds, data was unlawfully processed, or deletion is required for legal compliance.

However, this right is not absolute. We may retain data where necessary for legal compliance (particularly FCA regulatory requirements), establishing or defending legal claims, or fulfilling other legal obligations. Financial services regulations typically require us to maintain client records for at least six years.

Right to Restrict Processing

You can request restriction of processing in specific situations: while we verify data accuracy following your challenge, where processing is unlawful but you prefer restriction to erasure, where we no longer need the data but you require it for legal claims, or while we verify legitimate grounds following your objection to processing.

Right to Data Portability

For data you have provided to us where processing is based on consent or contract performance and is carried out by automated means, you can request that data in a structured, commonly used, machine-readable format. You can also request direct transmission to another controller where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will stop processing immediately upon objection. For other processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for legal claims.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not generally make purely automated decisions about clients. Where automated processing assists our decision-making, human review and intervention are involved.

How to Exercise Your Rights

To exercise any of these rights, please contact us by email at [email protected] or in writing to our office address. Please provide sufficient information to allow us to verify your identity and locate your data. This typically requires your name, email address, and any reference numbers associated with our services.

We will respond to requests within one month. For complex requests, we may extend this by up to two additional months, in which case we will inform you of the extension and reasons within the initial one-month period.

Data Protection Principles

We process personal data in accordance with the following principles enshrined in UK GDPR:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. We clearly explain our processing activities and provide accessible information about data use.

Purpose Limitation

We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Data Minimisation

We only collect and process data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by legal obligations. Client records are typically retained for at least six years following the end of the relationship, as required by financial services regulations.

Integrity and Confidentiality

We process data securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Accountability

We take responsibility for our compliance with data protection principles and can demonstrate our compliance through appropriate documentation, policies, and procedures.

Data Security Measures

We implement robust technical and organisational measures to ensure data security appropriate to the risks:

Technical Measures: Encryption of data in transit and at rest, secure authentication and access controls, regular security testing and vulnerability assessments, firewalls and intrusion detection systems, and secure backup procedures.

Organisational Measures: Staff training on data protection, confidentiality obligations for all personnel, data protection policies and procedures, incident response plans, and regular review of security measures.

Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office within 72 hours of becoming aware of the breach where required by law.

Breach notifications will include the nature of the breach, likely consequences, measures taken to address the breach, and recommended actions you can take to protect yourself.

Third-Party Processing

Where we engage third-party processors to handle personal data on our behalf, we ensure appropriate safeguards through written contracts that require processors to implement appropriate security measures, process data only on our documented instructions, maintain confidentiality, assist with data subject rights requests, and notify us of any data breaches.

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as adequacy decisions recognising equivalent data protection standards or standard contractual clauses approved for data transfers.

Children's Data

Our services are not directed at children under 18. We do not knowingly process personal data of children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with UK GDPR, you can raise concerns with us directly. We will investigate and respond to your complaint.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Updates to This Information

We may update this GDPR information periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website with a revised date. We encourage you to review this information regularly.

Further Information

For more detailed information about our data processing practices, please see our Privacy Policy. If you have questions about GDPR compliance or your data protection rights, please contact us at [email protected].