GDPR Compliance
Your data protection rights explained
Our Commitment to Data Protection
quietus-archive Ltd takes data protection seriously. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations and explains your rights in straightforward terms.
Who We Are
For the purposes of data protection legislation, quietus-archive Ltd is the data controller. This means we determine how and why your personal data is processed.
Company: quietus-archive Ltd
Registration: 08247591 (England and Wales)
ICO Registration: ZA847291
Address: Unit 14, Arkwright House, Parsonage Gardens, Manchester M3 2LF
Data Protection Principles
We adhere to the core principles of data protection law. Personal data we process is:
- Processed lawfully, fairly and transparently: We are clear about what data we collect and why
- Collected for specified purposes: We only use data for the purposes we have stated
- Adequate, relevant and limited: We collect only what is necessary for our services
- Accurate and kept up to date: We take steps to correct inaccurate data
- Kept no longer than necessary: We have retention policies and delete data when no longer needed
- Processed securely: We implement appropriate technical and organisational measures
Lawful Bases for Processing
We process personal data under one or more of the following lawful bases:
Contractual Necessity
When you engage our services, we need to process certain personal data to fulfil our contractual obligations. This includes your contact details, property information, and assessment data required to deliver the service you have requested.
Legitimate Interests
We may process data where we have a legitimate business interest, provided this does not override your rights. Examples include:
- Improving our services based on how clients interact with us
- Maintaining records for quality assurance purposes
- Protecting our business against fraud or legal claims
We conduct a balancing test before relying on legitimate interests to ensure your rights are not adversely affected.
Legal Obligation
Some data processing is required by law. This includes maintaining financial records for HMRC, complying with TrustMark scheme requirements, and responding to lawful requests from authorities.
Consent
Where no other lawful basis applies, we seek your explicit consent before processing. This primarily relates to marketing communications and cookies. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.
Your Individual Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Subject Access Request)
You can request a copy of all personal data we hold about you. We will respond within one month and provide the information in a commonly used electronic format. There is no charge for this unless the request is manifestly unfounded or excessive.
Right to Rectification
If personal data we hold is inaccurate or incomplete, you can request correction. We will make amendments within one month and inform any third parties who have received the data.
Right to Erasure
You can request deletion of your personal data in certain circumstances, including:
- When the data is no longer necessary for the purpose it was collected
- When you withdraw consent (and consent was the lawful basis)
- When you successfully object to processing
- When the data has been unlawfully processed
This right does not apply where processing is necessary for legal obligations, legal claims, or public interest reasons.
Right to Restriction of Processing
You can request that we limit how we use your data while issues are resolved. This applies when you contest accuracy, when processing is unlawful but you prefer restriction to erasure, when we no longer need the data but you require it for legal claims, or while we consider an objection.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format and have it transmitted to another organisation.
Right to Object
You can object to processing based on legitimate interests. We must stop processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to direct marketing at any time.
Rights Related to Automated Decision-Making
We do not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects. All significant decisions involve human review.
Exercising Your Rights
To exercise any data protection right, contact us by email at [email protected] with "Data Protection Request" in the subject line. Please provide sufficient information to verify your identity and specify which right you wish to exercise.
We aim to respond to all requests within one month. If a request is complex or we receive a high volume of requests, we may extend this by a further two months and will inform you if this is necessary.
Data Processors
We use carefully selected third-party service providers to assist with our operations. When these providers process personal data on our behalf, they act as data processors under our instruction. We ensure appropriate contracts are in place requiring them to:
- Process data only on our documented instructions
- Ensure confidentiality of personnel handling data
- Implement appropriate security measures
- Not engage sub-processors without our authorisation
- Assist us in responding to data subject requests
- Delete or return data at the end of the service relationship
International Data Transfers
Your personal data is primarily processed within the United Kingdom. Where we transfer data internationally, we ensure that adequate safeguards are in place. This may include:
- Transfers to countries with adequacy decisions
- Standard contractual clauses approved by the ICO
- Binding corporate rules where applicable
Data Breach Procedures
We have procedures in place to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals without undue delay. We notify the ICO of reportable breaches within 72 hours of becoming aware of them.
Record Keeping
We maintain records of processing activities as required by Article 30 of UK GDPR. These records document the categories of data processed, purposes, recipients, retention periods, and security measures.
Data Protection Impact Assessments
Before implementing new processing activities that may present high risks to individuals, we conduct Data Protection Impact Assessments to identify and mitigate risks.
Staff Training
All staff with access to personal data receive data protection training appropriate to their role. This training is refreshed annually and supplemented when procedures change.
Complaints
If you have concerns about how we handle your personal data, please contact us in the first instance. We take all complaints seriously and will investigate thoroughly.
If you remain unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Updates to This Information
We review our data protection practices regularly and may update this page to reflect changes. Where significant changes occur, we will take appropriate steps to inform you.