GDPR Compliance
Your data protection rights under UK GDPR
Our Commitment to GDPR Compliance
Crimson Cavern is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about how we meet our obligations and protect your rights.
Data Controller Information
For the purposes of UK GDPR, Crimson Cavern is the data controller responsible for your personal data.
Company Name: Crimson Cavern
Registered Address: 47 Wellington Street, Manchester M3 2EQ, United Kingdom
Contact Email: [email protected]
Lawful Basis for Processing Personal Data
We only process personal data when we have a lawful basis for doing so. Our processing activities rely on the following legal grounds under Article 6 of UK GDPR:
Performance of a Contract
When you engage our services, we process your personal data to fulfill our contractual obligations to you. This includes assessing benefit eligibility, preparing applications, providing representation, and delivering the advisory services you have requested.
Legitimate Interests
We process certain data based on our legitimate business interests, including:
- Operating and managing our business effectively
- Maintaining quality standards through case review and staff training
- Preventing fraud and ensuring security of our systems
- Improving our services based on feedback and outcomes
- Communicating with you about your case
We carefully balance these interests against your rights and freedoms to ensure processing is justified and proportionate.
Legal Obligation
We process personal data when required to comply with legal requirements, such as maintaining records for regulatory purposes, responding to court orders, or cooperating with law enforcement where legally mandated.
Consent
For processing special category data (such as health information) or where required by law, we obtain your explicit, informed consent. You have the right to withdraw this consent at any time.
Special Category Data
Due to the nature of benefits advice, we often process special category data as defined in Article 9 of UK GDPR, including:
- Health and medical information
- Information about disabilities
- Genetic and biometric data in some cases
We process this sensitive information only when necessary for our services and with your explicit consent. Additional safeguards apply to protect this data, including enhanced access restrictions and specialized staff training.
Your Rights Under UK GDPR
UK GDPR grants you several important rights regarding your personal data. We respect these rights and have procedures in place to facilitate their exercise.
Right to Access (Article 15)
You have the right to obtain confirmation that we process your personal data and to receive a copy of that data. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request, along with details about how we use your data and who we share it with.
Right to Rectification (Article 16)
If personal data we hold about you is inaccurate or incomplete, you can request correction or completion. We will update our records promptly and notify any third parties with whom we have shared the data.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent. However, this right is not absolute, and we may need to retain certain information to comply with legal obligations or for legitimate interests such as defending legal claims.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your personal data in specific situations, such as when you contest the accuracy of data or object to processing. During a restriction period, we will store the data but not actively process it without your consent, except for certain limited purposes.
Right to Data Portability (Article 20)
Where technically feasible, you can request that we transfer your personal data directly to another organization in a structured, commonly used, and machine-readable format. This right applies to data you provided to us based on consent or contract and that we process by automated means.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently use fully automated decision-making processes in our services.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us in writing:
- Email: [email protected] with "Data Rights Request" in the subject line
- Post: Data Protection Officer, Crimson Cavern, 47 Wellington Street, Manchester M3 2EQ, United Kingdom
Please include the following in your request:
- Your full name and contact details
- Sufficient information to identify you and locate your data
- The specific right you wish to exercise
- Any relevant details or context
We will verify your identity before fulfilling any request to protect your data from unauthorized access. We typically respond within one month, though complex requests may take up to three months with notification of the extension.
Data Protection Principles
In all our data processing activities, we adhere to the core principles set out in Article 5 of UK GDPR:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We inform you about our processing activities and provide clear explanations of how we use your information.
Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
Data Minimization
We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes we have identified.
Accuracy
We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. We promptly correct or delete inaccurate data.
Storage Limitation
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to meet legal obligations. Our standard retention period for case files is seven years after case closure.
Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure security of personal data, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Accountability
We take responsibility for our data protection compliance and can demonstrate adherence to GDPR principles through policies, procedures, training records, and documentation.
Data Security Measures
We implement robust security measures in accordance with Article 32 of UK GDPR, including:
- Encryption of data in transit and at rest
- Pseudonymization where appropriate
- Regular security assessments and penetration testing
- Access controls limiting data access to authorized personnel only
- Staff training on data protection and security best practices
- Secure disposal procedures for data no longer required
- Business continuity and disaster recovery plans
- Regular backups with secure storage
Data Breach Procedures
In the unlikely event of a personal data breach, we have procedures in place to:
- Detect and respond to breaches promptly
- Assess the risk to individuals' rights and freedoms
- Notify the Information Commissioner's Office within 72 hours where required
- Communicate with affected individuals without undue delay if there is a high risk to their rights
- Document all breaches and our response measures
- Implement measures to prevent recurrence
Third-Party Data Processors
When we engage third-party service providers who process personal data on our behalf, we ensure:
- Written contracts are in place meeting Article 28 requirements
- Processors provide sufficient guarantees of security and compliance
- Processing occurs only on our documented instructions
- Processors maintain appropriate technical and organizational measures
- Processor compliance is subject to regular audits and assessments
International Data Transfers
We primarily process and store data within the United Kingdom. If we need to transfer data internationally, we ensure appropriate safeguards are in place such as:
- Adequacy decisions recognized by UK authorities
- Standard contractual clauses approved by UK authorities
- Binding corporate rules where applicable
Data Protection Impact Assessments
For processing activities that are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35. These assessments help us identify and minimize data protection risks.
Privacy by Design and Default
We embed data protection principles into our systems, processes, and services from the outset. This includes implementing appropriate technical and organizational measures to ensure that, by default, we only process personal data necessary for each specific purpose.
Record Keeping
In accordance with Article 30 of UK GDPR, we maintain detailed records of our processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients to whom data has been disclosed
- International transfers and safeguards
- Retention periods
- Security measures
Children's Data
While our services primarily target adults, we may process data relating to children when providing family benefits advice. When processing children's data, we take extra care to ensure information is appropriate and protected, with parental consent obtained where necessary.
Complaints and Supervisory Authority
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the supervisory authority.
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
We encourage you to contact us first so we can attempt to resolve any concerns directly.
Updates to GDPR Compliance
We regularly review and update our data protection practices to ensure ongoing compliance with UK GDPR and evolving best practices. Significant changes will be communicated through our privacy policy updates.
Contact Our Data Protection Team
For questions about our GDPR compliance, data protection practices, or to exercise your rights, contact us at:
Email: [email protected]
Post: Data Protection Officer, Crimson Cavern, 47 Wellington Street, Manchester M3 2EQ, United Kingdom