GDPR Compliance

Your data protection rights and our compliance commitments

Our Commitment to GDPR

breezy-cabrio Ltd is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We implement appropriate technical and organisational measures to ensure the protection of personal data we process.

Data Controller Information

For the purposes of UK GDPR, the data controller is:

breezy-cabrio Ltd
Company Registration Number: 09248761
Registered Address: 25 Cavendish Square, London W1G 0PN, United Kingdom
Email: [email protected]

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we collect and use your personal data. This information is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request access to your personal data and receive a copy of the information we hold about you. This is commonly known as a "subject access request." We will respond within one month of receiving your request.

To make a subject access request, please email [email protected] with:

  • Your full name
  • Contact details
  • Description of the information you're requesting
  • Proof of identity (if we cannot verify your identity from existing records)

Right to Rectification

If the personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will update your information within one month and notify any third parties with whom we've shared your data.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

This right is not absolute and may not apply if we need to retain data for legal obligations or legitimate business purposes.

Right to Restriction of Processing

You can request that we restrict how we use your personal data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification of legitimate grounds

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.

This right applies when:

  • Processing is based on your consent or a contract
  • Processing is carried out by automated means

Right to Object

You can object to processing of your personal data where:

  • Processing is based on legitimate interests
  • Processing is for direct marketing purposes
  • Processing is for research or statistical purposes

When you object to direct marketing, we will stop processing your data for that purpose immediately.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently use automated decision-making processes.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Email: [email protected]
Subject line: GDPR Rights Request
Include: Your name, contact details, and specific request

We will respond to your request within one month. In complex cases, this may be extended by two additional months, and we will inform you of any extension and the reasons for it.

We do not charge a fee for processing most requests. However, we may charge a reasonable fee or refuse to act on a request if it is clearly unfounded, repetitive, or excessive.

Lawful Basis for Processing

We only process personal data when we have a lawful basis to do so. Our lawful bases include:

Consent

We process data based on your explicit consent for specific purposes, such as marketing communications. You can withdraw consent at any time by contacting us or using the unsubscribe link in communications.

Contract

Processing is necessary to fulfil our contractual obligations when you engage our services, including project delivery, invoicing, and client support.

Legal Obligation

We process data to comply with legal requirements, such as tax regulations, employment law, and industry-specific regulations.

Legitimate Interests

We process data for legitimate business interests, such as improving our services, detecting fraud, and maintaining security. We always balance these interests against your rights and freedoms.

Data Protection by Design and Default

We implement data protection principles throughout our operations:

  • Privacy considerations are integrated into system design and development
  • We collect only necessary data and retain it only as long as needed
  • Access to personal data is restricted to authorised personnel
  • Default settings prioritise privacy protection
  • Regular reviews ensure ongoing compliance with data protection principles

Data Security Measures

We maintain appropriate technical and organisational security measures to protect personal data:

  • Encryption of data in transit using TLS protocols
  • Encryption of sensitive data at rest
  • Multi-factor authentication for system access
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and security
  • Incident response procedures and breach notification protocols
  • Secure disposal of data when no longer required

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
  • Inform affected individuals without undue delay if the breach poses a high risk
  • Document all breaches, including facts, effects, and remedial actions taken
  • Take immediate steps to mitigate harm and prevent future breaches

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we:

  • Conduct due diligence to ensure appropriate security measures
  • Establish written data processing agreements
  • Ensure processors only act on our documented instructions
  • Monitor compliance with contractual obligations
  • Verify that processors maintain adequate security standards

International Data Transfers

When transferring personal data outside the United Kingdom, we ensure appropriate safeguards are in place:

  • Transfers to countries with adequacy decisions recognised by UK authorities
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules for intra-group transfers
  • Additional security measures as required by transfer impact assessments

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms. This includes:

  • New technologies or processing methods
  • Large-scale processing of sensitive data
  • Systematic monitoring of public areas
  • Automated decision-making with significant effects

Record of Processing Activities

We maintain comprehensive records of our processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients of personal data
  • Details of international transfers
  • Retention periods
  • Technical and organisational security measures

Children's Data

Our services are not directed to children under 18, and we do not knowingly collect or process data from children. If we become aware that we have collected data from a child, we will delete it promptly.

Updates to Compliance Practices

We regularly review and update our data protection practices to ensure ongoing compliance with UK GDPR requirements. Material changes will be communicated through our website and, where appropriate, direct notification to affected individuals.

Making a Complaint

If you believe we have not handled your personal data appropriately or wish to raise concerns about our data protection practices, please contact us first at [email protected].

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: www.breezy-cabrio.com
Email: [email protected]

Contact Information

For questions about GDPR compliance or to exercise your data protection rights:

breezy-cabrio Ltd
25 Cavendish Square
London W1G 0PN
United Kingdom
Email: [email protected]