GDPR Information
Your data protection rights under UK GDPR and how we uphold them.
Last updated: January 2024
The UK General Data Protection Regulation (UK GDPR), retained from EU law following Brexit, along with the Data Protection Act 2018, governs how organisations handle personal data in the United Kingdom. This page explains how we comply with these regulations and what rights they afford you.
Our Commitment to Data Protection
At shrouded-frost, data protection is fundamental to how we operate. Given the sensitive nature of financial information, we maintain rigorous standards for collecting, storing, and processing personal data. Our approach is built on the key principles of UK GDPR:
- Lawfulness, fairness, and transparency: We process data only for legitimate purposes and are clear about how we use it
- Purpose limitation: Data is collected for specified purposes and not used in ways incompatible with those purposes
- Data minimisation: We collect only what is necessary for our services
- Accuracy: We take steps to keep personal data accurate and current
- Storage limitation: Data is kept only as long as necessary
- Integrity and confidentiality: Appropriate security measures protect your information
- Accountability: We maintain records demonstrating compliance
Data Controller Information
Pemberton Financial Consultancy Ltd (trading as shrouded-frost) is the data controller responsible for your personal information.
Contact details:
Email: [email protected]
Address: 47 Pemberton House, Victoria Street, London SW1E 5NE
Your Rights Under UK GDPR
The regulation provides you with several important rights regarding your personal data:
Right to Be Informed
You have the right to know how we collect and use your personal data. This page, along with our Privacy Policy, fulfils this requirement by explaining our data practices in clear language.
Right of Access
You can request a copy of all personal data we hold about you. This is commonly called a Subject Access Request (SAR). We will respond within one month and provide the information free of charge in most circumstances.
Right to Rectification
If any personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We will make corrections within one month of your request and notify any third parties with whom we have shared the data.
Right to Erasure
Also known as the 'right to be forgotten', this right allows you to request deletion of your personal data in certain circumstances, including:
- When the data is no longer necessary for its original purpose
- When you withdraw consent (where consent was the basis for processing)
- When you object to processing and there are no overriding legitimate grounds
- When data has been processed unlawfully
Note that we may need to retain some information for legal or regulatory compliance.
Right to Restrict Processing
You can request that we limit how we use your data while concerns are being addressed, such as when you are contesting accuracy or have objected to processing.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a commonly used, machine-readable format for transfer to another organisation.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making in our services.
Legal Bases for Processing
Under UK GDPR, we must have a valid legal basis for processing your personal data. Depending on the context, we rely on:
Contractual Necessity
Processing is necessary to provide our financial consultancy services. This includes collecting your financial information to develop strategies and recommendations tailored to your circumstances.
Legitimate Interests
Processing is necessary for our legitimate business interests, provided these do not override your rights. Examples include improving our services, ensuring security, and administrative purposes. We conduct assessments to balance our interests against potential impact on you.
Legal Obligation
Processing is necessary to comply with laws and regulations, such as anti-money laundering requirements, tax obligations, and professional standards.
Consent
For certain processing activities, particularly marketing communications and non-essential cookies, we obtain your explicit consent. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Special Category Data
UK GDPR provides additional protection for sensitive personal data. In our context, this might occasionally include health information relevant to your financial planning (such as planning around a medical condition). We process such data only when necessary and with your explicit consent.
Data Protection Impact Assessments
For processing activities likely to result in high risk to individuals, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks before processing begins.
Data Breaches
We have procedures in place to detect, report, and investigate personal data breaches. Where a breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay, as well as reporting to the Information Commissioner's Office within 72 hours where required.
International Data Transfers
Following Brexit, the EU considers the UK to have adequate data protection standards, and vice versa. For transfers to other countries, we ensure appropriate safeguards such as standard contractual clauses are in place.
Exercising Your Rights
To exercise any of your rights under UK GDPR, contact us at:
Email: [email protected]
Address: 47 Pemberton House, Victoria Street, London SW1E 5NE
Please provide sufficient information to verify your identity and specify which right you wish to exercise. We will respond within one month. In complex cases, we may extend this by two months, but will inform you within the first month.
Supervisory Authority
If you are dissatisfied with how we handle your data or believe we have not complied with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We encourage you to contact us first so we can attempt to resolve your concerns directly.
Updates to This Information
We review and update this GDPR information periodically to reflect changes in our practices or legal requirements. Material changes will be communicated to active clients directly.