GDPR Compliance
Understanding your data protection rights and our compliance commitments
Our Commitment to Data Protection
Sparkling Labyrinth Ltd fully complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities as a data controller seriously and have implemented comprehensive policies, procedures, and technical measures to ensure your personal information is processed lawfully, fairly, and transparently.
Data Protection Principles
We adhere to the fundamental principles that govern all our data processing activities:
Lawfulness, Fairness, and Transparency
We process personal information only where we have a valid legal basis. We clearly communicate what information we collect, why we collect it, and how we use it. Our processing practices are fair and do not adversely affect individuals in ways they would not reasonably expect.
Purpose Limitation
Personal information is collected for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with the original purposes for which it was collected, unless we obtain additional consent or have another legal basis for doing so.
Data Minimisation
We collect and process only the personal information that is adequate, relevant, and necessary for the purposes we have identified. We do not request or retain information beyond what is required to deliver our services and meet our legal obligations.
Accuracy
We take reasonable steps to ensure personal information is accurate and kept up to date. Where we become aware of inaccuracies, we correct or delete the information promptly. We also provide mechanisms for individuals to update their information.
Storage Limitation
Personal information is retained only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal requirements. We have established retention schedules that specify how long different categories of information are kept.
Integrity and Confidentiality
We implement appropriate technical and organisational security measures to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security practices are regularly reviewed and updated.
Accountability
We take responsibility for compliance with data protection law and can demonstrate our adherence to these principles through documentation, policies, training records, and regular compliance reviews.
Your Data Subject Rights
UK GDPR provides individuals with specific rights regarding their personal information. We facilitate the exercise of these rights and respond to requests promptly and thoroughly.
Right of Access
You have the right to obtain confirmation of whether we process your personal information and, if so, to access that information along with details about:
- The purposes of the processing
- The categories of personal information concerned
- The recipients or categories of recipients to whom data has been or will be disclosed
- The envisaged period for which data will be stored
- Your rights to rectification, erasure, or restriction
- Your right to lodge a complaint with the ICO
- The source of the information if not collected directly from you
We provide one copy of your information free of charge. Subsequent copies may incur a reasonable administrative fee.
Right to Rectification
You can request correction of inaccurate personal information and completion of incomplete information. We will make necessary corrections within one month and notify any third parties to whom the information has been disclosed unless this proves impossible or involves disproportionate effort.
Right to Erasure
You may request deletion of your personal information where:
- The information is no longer necessary for the purposes for which it was collected
- You withdraw consent on which processing is based and no other legal ground exists
- You object to processing based on legitimate interests and no overriding legitimate grounds exist
- The information has been unlawfully processed
- Deletion is required for compliance with a legal obligation
This right is not absolute. We may refuse erasure where processing is necessary for compliance with legal obligations, establishment or defence of legal claims, or other specified reasons under UK GDPR.
Right to Restriction of Processing
You can request that we limit how we use your personal information in certain circumstances:
- You contest the accuracy of the information, for the period in which we verify it
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the information but you require it for legal claims
- You have objected to processing based on legitimate interests while we verify whether our grounds override yours
Where processing is restricted, we may store the information but not use it further without your consent or for specified legal purposes.
Right to Data Portability
For personal information you have provided to us where processing is based on consent or contract and carried out by automated means, you have the right to:
- Receive a copy of that information in a structured, commonly used, and machine-readable format
- Request that we transmit this information directly to another controller where technically feasible
This right does not apply to information processed for public interest tasks or in exercise of official authority vested in us.
Right to Object
You may object to processing of your personal information where we rely on legitimate interests as our legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for establishment, exercise, or defence of legal claims.
You have an absolute right to object to processing for direct marketing purposes. We will cease such processing immediately upon receiving your objection.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making that would trigger this protection, but if our practices change, we will ensure appropriate safeguards are in place.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer:
Email: [email protected]
Post: Data Protection Officer, Sparkling Labyrinth Ltd, 15 Queensway House, Redcliffe Way, Bristol BS1 6NL
Please provide sufficient information to identify yourself and specify the right you wish to exercise. We may request additional verification to confirm your identity before responding to sensitive requests.
We will respond to requests within one month of receipt. In complex cases or where we receive multiple requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it within the original one-month period.
Data Protection Officer
We have appointed a Data Protection Officer responsible for overseeing our compliance with data protection law and serving as a point of contact for data subjects and supervisory authorities.
Our DPO can be contacted regarding any aspect of data protection compliance, questions about how we process personal information, or concerns about our practices:
Michael Chen
Data Protection Officer
Sparkling Labyrinth Ltd
[email protected]
Lawful Bases for Processing
We process personal information only where we have identified an appropriate lawful basis under UK GDPR:
Contract Performance
Processing necessary to deliver training services under agreements with clients and participants, including programme administration, materials provision, attendance tracking, certification, and billing.
Legal Obligation
Processing required to comply with legal duties including financial record-keeping for tax purposes, health and safety obligations, and professional body reporting requirements.
Legitimate Interests
Processing necessary for purposes that serve our legitimate business interests or those of third parties, provided these interests are not overridden by individual rights and freedoms. This includes:
- Client relationship management and communication
- Service improvement and quality assurance
- Business planning and strategic development
- Prevention of fraud and security threats
- Network and information systems security
We have conducted assessments to ensure our legitimate interest processing is necessary, proportionate, and respects individual rights.
Consent
Processing based on freely given, specific, informed, and unambiguous consent for particular purposes, primarily marketing communications not covered by other legal bases. Consent may be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
International Transfers
When we transfer personal information outside the United Kingdom, we ensure appropriate safeguards are in place as required by UK GDPR. These may include:
- Transfers to countries with adequacy decisions recognising equivalent data protection standards
- Standard contractual clauses approved by UK authorities
- Binding corporate rules for transfers within multinational organisations
- Certifications under approved schemes
We document all international transfers and the safeguards applied to ensure compliance and accountability.
Data Breach Notification
We have procedures in place to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to individual rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to rights and freedoms, we will also notify affected individuals without undue delay, providing information about the nature of the breach, likely consequences, and measures taken or proposed to address it.
Supervisory Authority
The Information Commissioner's Office is the UK supervisory authority for data protection. You have the right to lodge a complaint with the ICO if you believe our processing of your personal information violates data protection law:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: sparkling-labyrinth.com
Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please consider contacting us first.
Updates to This Information
We review our GDPR compliance regularly and update this information as necessary to reflect changes in our processing activities or legal requirements. Please check this page periodically for the latest information about our data protection practices.