This page outlines how Sable Ruins Style Consultancy Ltd complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take your data protection rights seriously and are committed to handling your personal information responsibly and transparently.
Our Commitment to Data Protection
As a data controller, we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this document.
We are committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data is adequate, relevant, and limited to what is necessary
- Keeping data accurate and up to date
- Retaining data only for as long as necessary
- Implementing appropriate security measures
Data Controller Information
Your Data Protection Rights
Under the UK GDPR, you have the following rights regarding your personal data:
Right to Be Informed
You have the right to receive clear, transparent information about how we use your personal data. This is provided through our Privacy Policy and this GDPR page.
Right of Access
You can request a copy of all personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will respond within one month of receiving your request and verification of your identity.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We aim to process rectification requests within one month.
Right to Erasure
Also known as the "right to be forgotten", you can request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required by law
This right is not absolute and may not apply where we have legal obligations to retain data.
Right to Restrict Processing
You can request that we limit how we use your data while concerns about accuracy or lawfulness are resolved, or while we consider an objection you have raised.
Right to Data Portability
Where technically feasible, you can request a copy of your personal data in a structured, commonly used, machine-readable format, or request that we transfer it directly to another organisation.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making in our services.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us at [email protected] with your request. To help us process your request efficiently, please:
- Clearly state which right you wish to exercise
- Provide sufficient information for us to verify your identity
- Include any relevant details about the specific data or processing concerned
We will respond to all legitimate requests within one month. Occasionally, we may need to extend this period by up to two additional months for complex requests, in which case we will inform you within the first month.
There is generally no fee for exercising your rights. However, we may charge a reasonable fee or refuse to comply if a request is manifestly unfounded or excessive.
Lawful Basis for Processing
We process personal data under the following lawful bases:
Contract Performance
Processing necessary to fulfil our contractual obligations to you when you book our styling services, including managing appointments, delivering consultations, and providing style recommendations.
Legitimate Interests
Processing necessary for our legitimate business interests, such as improving our services, managing client relationships, and marketing our services to existing clients. We always balance these interests against your rights and freedoms.
Consent
Where you have given explicit consent to specific processing activities, such as receiving marketing communications or the use of certain cookies. You may withdraw consent at any time by contacting us.
Legal Obligation
Processing necessary to comply with legal requirements, such as maintaining financial records for tax purposes or responding to legal proceedings.
Data Security Measures
We have implemented appropriate technical and organisational measures to ensure security of personal data, including:
- Encryption of personal data both in transit and at rest
- Access controls limiting data access to authorised personnel
- Regular security reviews and vulnerability assessments
- Secure backup procedures and disaster recovery plans
- Staff training on data protection and security practices
- Incident response procedures for data breaches
Data Breach Procedures
In the event of a personal data breach, we have procedures in place to:
- Detect and investigate the breach promptly
- Assess the risk to individuals' rights and freedoms
- Notify the Information Commissioner's Office within 72 hours where required
- Notify affected individuals without undue delay where there is high risk
- Document the breach and our response
- Take steps to mitigate any adverse effects
International Data Transfers
Your data is primarily processed within the United Kingdom. If we transfer personal data outside the UK, we ensure that adequate safeguards are in place, such as:
- Transfers to countries with adequate data protection laws as recognised by the UK
- Standard Contractual Clauses approved by the Information Commissioner's Office
- Binding Corporate Rules where applicable
Third-Party Processors
Where we engage third-party processors to handle personal data on our behalf, we ensure that:
- Written contracts are in place meeting GDPR requirements
- Processors provide sufficient guarantees of compliance
- Appropriate security measures are implemented
- Data is only processed according to our documented instructions
Complaints
If you are unhappy with how we have handled your personal data or responded to a request, you have the right to complain to the Information Commissioner's Office (ICO):
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first if possible.
Updates to This Information
We may update this GDPR information from time to time to reflect changes in our practices or legal requirements. Any significant changes will be communicated through our website. We recommend reviewing this page periodically.