GDPR Compliance

Our Commitment to GDPR

Sparkling Flute is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the protection of your personal data seriously and have implemented comprehensive measures to ensure your rights are respected.

Data Controller Information

For the purposes of the UK GDPR, the data controller is:

Sparkling Flute
42 Renewable Way
Manchester, M1 4EG
United Kingdom
Email: [email protected]

Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights concerning your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data along with information about how it is processed. You may request a copy of your personal data free of charge.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected without undue delay. You also have the right to have incomplete personal data completed.

Right to Erasure (Article 17)

Also known as the "right to be forgotten", you may request the deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to Restriction of Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of the rights described above, please contact us at [email protected]. We will respond to your request within one month of receipt. In complex cases or where we receive numerous requests, we may extend this period by two additional months, in which case we will inform you accordingly.

We may request specific information from you to confirm your identity before processing your request. This is a security measure to ensure personal data is not disclosed to unauthorised persons.

Data Processing Activities

We process personal data for the following purposes:

• Service delivery: To provide energy consulting and sustainability services
• Communication: To respond to enquiries and provide information about our services
• Website analytics: To understand how visitors use our website and improve user experience
• Legal compliance: To meet our legal and regulatory obligations

Legal Bases for Processing

We rely on the following legal bases under Article 6 of the UK GDPR:

• Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose
• Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract or to take steps prior to entering into a contract
• Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests, provided these are not overridden by your interests, rights, or freedoms

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our standard retention periods are:

• Enquiry data: 3 years from last contact
• Client project data: 7 years from project completion (for legal and professional requirements)
• Website analytics: 26 months

Data Security Measures

We have implemented appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit and at rest
• Access controls limiting data access to authorised personnel
• Regular security assessments and updates
• Staff training on data protection
• Incident response procedures

International Data Transfers

Where we transfer personal data outside the UK, we ensure adequate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner's Office.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours. Where the breach poses a high risk, we will also notify affected individuals directly.

Complaints

If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

Updates to This Notice

We may update this GDPR compliance notice from time to time. The current version will always be available on our website with the date of last revision.

Last updated: January 2024