GDPR Compliance

Our Commitment to GDPR

gentle-mountain is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities regarding the protection of personal data seriously and have implemented appropriate measures to ensure compliance.

Data Controller

For the purposes of UK GDPR, gentle-mountain is the data controller responsible for your personal information. Our contact details are:

gentle-mountain
45 Albemarle Street
Mayfair
London W1S 4JL
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under UK GDPR. The lawful bases we rely on include:

• Consent: You have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications)
• Contract: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract
• Legal Obligation: Processing is necessary to comply with legal requirements
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided these interests do not override your fundamental rights and freedoms

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to clear, transparent information about how we collect and use your personal data. This information is provided in our Privacy Policy.

2. Right of Access

You have the right to request a copy of the personal data we hold about you. This is commonly known as a "subject access request." We will respond to your request within one month.

3. Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you. We will update your information promptly upon verification.

4. Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: This right is not absolute and may be limited by legal obligations to retain certain data.

5. Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain circumstances, such as when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want the data erased
• We no longer need the data but you need it for legal claims
• You have objected to processing and verification is pending

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible.

7. Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

• Email: [email protected]
• Write to: 45 Albemarle Street, Mayfair, London W1S 4JL, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you if this is necessary.

We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or refuse to act on the request.

Data Security Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and vulnerability testing
• Access controls limiting who can access personal data
• Staff training on data protection and security
• Secure backup and disaster recovery procedures
• Regular review and update of security policies

Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Inform affected individuals without undue delay if the breach poses a high risk to their rights
• Document the breach, including facts, effects, and remedial action taken
• Take immediate steps to contain and minimize the impact of the breach

Third-Party Data Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they:

• Provide sufficient guarantees of appropriate security measures
• Process data only on our documented instructions
• Maintain confidentiality of personal data
• Implement appropriate technical and organizational measures
• Assist us in responding to data subject requests

We have written contracts in place with all data processors as required by UK GDPR.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations. Our retention periods are based on:

• The nature of the data and why it was collected
• Legal and regulatory requirements
• Whether we have a legitimate business need to retain the data

For specific retention periods, please refer to our Privacy Policy.

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the UK authorities
• Binding corporate rules

Children's Data

We do not knowingly process personal data of children under 18 years of age without parental consent. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that information.

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: gentle-mountain.com

However, we encourage you to contact us first so we can address your concerns directly.

Updates to GDPR Compliance

We regularly review our GDPR compliance procedures to ensure they remain effective and up to date with legal requirements. This page will be updated to reflect any significant changes to our approach.

Contact Our Data Protection Officer

For questions specifically related to GDPR compliance and data protection, please contact us at [email protected] with "Data Protection Inquiry" in the subject line.