GDPR Compliance
Understanding your data protection rights
Our Commitment to Data Protection
WisePoint Quest operates in full compliance with the General Data Protection Regulation (GDPR) and UK data protection legislation. We believe these regulations represent important protections for individuals, and we've designed our data practices to respect your rights and privacy.
This page explains how we meet our obligations under GDPR and how you can exercise your rights regarding personal data we process.
Legal Basis for Processing
We process personal data only when we have a lawful basis to do so. In most cases, this basis is one of the following:
Contract Performance: When you book a session or workshop, processing your information is necessary to fulfil that contract. This includes your contact details, booking preferences, and payment information.
Legitimate Interests: We have legitimate business interests in maintaining client records, improving our services, and communicating about offerings that might interest previous clients. We balance these interests against your rights and only proceed when we believe processing is reasonable and appropriate.
Consent: For certain activities like marketing communications to individuals who haven't previously used our services, we rely on explicit consent. You can withdraw this consent at any time.
Legal Obligations: Some data retention is required by law, particularly financial records for tax and accounting purposes.
Your Rights Under GDPR
The GDPR grants you several important rights regarding your personal data. We've outlined each right and how to exercise it below.
Right to Access
You may request confirmation of whether we process your personal data and, if so, access to that data along with information about how we use it. We'll provide this information free of charge in a commonly used electronic format, typically within one month of your request.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. We'll make the corrections promptly and inform any third parties with whom we've shared the information where appropriate.
Right to Erasure
Also known as the right to be forgotten, this allows you to request deletion of your personal data in certain circumstances. We'll comply unless we have compelling legitimate grounds to retain the information or legal obligations that require retention.
For example, we must retain some financial records for seven years for tax purposes, but we'll delete other information like marketing preferences or notes about your culinary interests immediately upon request.
Right to Restrict Processing
You can ask us to limit how we use your data in specific situations, such as when you contest the accuracy of information or object to processing based on legitimate interests. During the restriction period, we'll store the data but not use it except in limited circumstances or with your consent.
Right to Data Portability
Where processing is based on consent or contract performance and carried out by automated means, you can request a copy of your personal data in a structured, commonly used, machine-readable format. You can also ask us to transmit this data directly to another organisation where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. For marketing, we'll stop processing immediately upon receiving your objection. For other legitimate interest processing, we'll cease unless we can demonstrate compelling grounds that override your interests.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. Our interactions with clients are handled by real people who exercise judgment and discretion.
How to Exercise Your Rights
To exercise any of these rights, contact us by email at [email protected] or write to us at 42 Culinary Lane, Bristol BS1 4QA, United Kingdom.
Please include enough information to help us identify your records and understand which right you wish to exercise. For security purposes, we may ask you to verify your identity before fulfilling requests that involve accessing or changing personal data.
We aim to respond to all requests within one month. If your request is particularly complex or we receive multiple requests from you, we may extend this period by two additional months, but we'll inform you of any extension and explain the reasons.
Data Security Measures
We implement appropriate technical and organisational safeguards to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls limiting who can view personal data
- Staff training on data protection principles
- Secure backup and disaster recovery procedures
- Contracts with third-party processors requiring appropriate security measures
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we'll notify you without undue delay and provide information about the nature of the breach, its likely consequences, and measures we're taking to address it.
We'll also notify the Information Commissioner's Office within 72 hours of becoming aware of a breach that meets the regulatory threshold for reporting.
International Data Transfers
We primarily store and process data within the United Kingdom and European Economic Area. If we transfer data outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by regulatory authorities.
Currently, the only international transfers occur when we use certain cloud service providers that may store data in multiple jurisdictions. These providers are contractually obligated to maintain GDPR-compliant protections regardless of data location.
Data Protection Officer
Given our size and the nature of our processing activities, we are not required to appoint a dedicated Data Protection Officer. However, data protection responsibilities are taken seriously by our management team, and enquiries are handled with the same care as if a DPO were in place.
Supervisory Authority
While we hope to resolve any concerns you have about our data practices directly, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
Updates to This Information
We review our GDPR compliance regularly and update this page when our practices change or regulations evolve. Significant changes will be communicated to active clients where appropriate.
Questions
If you have questions about our GDPR compliance or how we protect your data rights, please contact us at [email protected]. We're committed to transparency and will gladly explain our practices in more detail.