GDPR Compliance

Our Commitment to Data Protection

Prime Idea Benefits Advisory Ltd is fully committed to complying with the UK General Data Protection Regulation and the Data Protection Act 2018. We recognize that protecting your personal information is both a legal obligation and a fundamental aspect of maintaining your trust.

This document outlines our GDPR compliance measures and explains your rights as a data subject in detail.

Data Controller Information

Prime Idea Benefits Advisory Ltd acts as the data controller for personal information collected through our services and website. This means we determine the purposes and means of processing your personal data.

Registered Name: Prime Idea Benefits Advisory Ltd

Registration Number: Company Number 08745621

Registered Address: 42 Wellington Street, Leeds, LS1 4AB, United Kingdom

Contact Email: [email protected]

We are registered with the Information Commissioner's Office and maintain active registration in accordance with data protection legislation.

Lawful Basis for Processing

We process personal data only when we have a valid legal basis to do so. The specific basis depends on the type of processing and the nature of the data involved.

Contractual Necessity

When you engage our services, processing your personal data becomes necessary to fulfill our contractual obligations. We cannot provide benefit advisory services without collecting and using information about your circumstances.

Legitimate Interests

For certain processing activities, we rely on legitimate interests as our legal basis. This includes maintaining business records, improving our services, preventing fraud, and ensuring network security. We carefully assess whether these interests might negatively impact your rights and freedoms before relying on this basis.

Legal Obligations

Some data processing is required to comply with legal and regulatory requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Consent

For processing sensitive personal data, particularly health information, we obtain your explicit consent. This consent is freely given, specific, informed, and can be withdrawn at any time without affecting the lawfulness of processing conducted before withdrawal.

Data Subject Rights

Under UK GDPR, you possess comprehensive rights regarding your personal data. We facilitate the exercise of these rights and respond to requests promptly.

Right to Be Informed

You have the right to clear, transparent information about how we collect and use personal data. This GDPR statement and our Privacy Policy fulfill this obligation by explaining our data processing activities in accessible language.

Right of Access

You can request confirmation of whether we process your personal data and, if so, access to that data along with supplementary information about how it's being used. We provide this information in a commonly used electronic format unless you request otherwise.

Right to Rectification

When personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We'll make amendments without undue delay and notify any third parties to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.

Right to Erasure

Also known as the right to be forgotten, this allows you to request deletion of your personal data in specific circumstances, such as when it's no longer necessary for the purposes it was collected, when you withdraw consent, or when you object to processing and no overriding legitimate grounds exist.

However, this right is not absolute. We may need to retain certain information to comply with legal obligations, establish or defend legal claims, or for other legitimate purposes.

Right to Restrict Processing

You can request restriction of processing in situations such as when you contest the accuracy of data, when processing is unlawful but you don't want erasure, when we no longer need the data but you require it for legal claims, or while we verify whether our legitimate grounds override your objection to processing.

Right to Data Portability

Where technically feasible, you can request that we provide your personal data in a structured, commonly used, machine-readable format. This applies to data you've provided to us where processing is based on consent or contract and is carried out by automated means.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. When you object, we'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. We do not engage in automated decision making of this nature.

Exercising Your Rights

To exercise any of your data subject rights, contact us at [email protected] or write to our registered address. Please provide sufficient information to allow us to verify your identity and locate your data.

We respond to all valid requests within one month of receipt. In complex cases or when multiple requests are made simultaneously, we may extend this period by two additional months, notifying you of the extension and explaining the reasons for the delay.

We do not charge fees for handling data subject requests unless they are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee based on administrative costs or refuse to act on the request.

Data Protection Principles

Our data processing activities adhere to the core principles established by UK GDPR.

Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate our processing activities and ensure individuals understand how their data is being used.

Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Data Minimization

We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it's processed. We don't gather excessive information simply because it might be useful in future.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected. When data is no longer needed, we securely delete or anonymize it.

Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure personal data security, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage.

Accountability

We take responsibility for complying with GDPR principles and can demonstrate our compliance through documentation, policies, and regular reviews of our data processing activities.

Security Measures

We implement robust security measures appropriate to the risks presented by our processing activities and the nature of the personal data we handle.

Technical measures include encrypted data storage, secure network infrastructure, regular security updates, access controls, and audit logging. Organizational measures include staff training on data protection, clear policies and procedures, regular security assessments, and incident response protocols.

We regularly review and update these measures to address emerging threats and maintain the highest standards of data security.

Data Breach Procedures

Despite our security measures, data breaches can occur. We have established procedures to detect, report, and investigate breaches in accordance with GDPR requirements.

If a breach is likely to result in a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours of becoming aware of it. If the breach poses a high risk to your rights and freedoms, we'll also notify you directly without undue delay, providing information about the nature of the breach and the measures we're taking to address it.

International Data Transfers

We primarily store and process personal data within the United Kingdom. Should we need to transfer data internationally, we ensure appropriate safeguards are in place, such as adequacy decisions by the UK government, standard contractual clauses, or other approved mechanisms.

Any international transfers comply fully with UK GDPR requirements, ensuring your data receives equivalent protection regardless of where it's processed.

Third-Party Processing

When we engage third-party service providers who process personal data on our behalf, they act as data processors under our instruction. We ensure all processors provide sufficient guarantees of their data protection compliance and enter into written contracts that specify their obligations.

We remain responsible for the processing activities of our processors and regularly review their security measures and compliance status.

Children's Privacy

Our services are not directed at children under the age of thirteen. We do not knowingly collect personal data from children without appropriate parental consent. If you believe we've inadvertently collected information from a child, please contact us immediately so we can delete it.

When providing services that involve children as part of a family unit, we obtain consent from parents or guardians before processing any information about minors.

Updates to This Statement

We review this GDPR compliance statement regularly and update it as necessary to reflect changes in our processing activities, legal requirements, or best practices. The current version is always available on our website with the last updated date clearly displayed.

Significant changes are communicated to active clients directly, ensuring you remain informed about how we protect your personal data.

Supervisory Authority

The Information Commissioner's Office serves as the supervisory authority for data protection matters in the United Kingdom. If you have concerns about our data processing activities that we haven't adequately addressed, you have the right to lodge a complaint with the ICO.

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.org.uk

However, we encourage you to contact us first so we can attempt to resolve your concerns directly.

Contact Us

For questions, concerns, or requests regarding our GDPR compliance or your data protection rights, please contact us at [email protected] or write to Prime Idea Benefits Advisory Ltd, 42 Wellington Street, Leeds, LS1 4AB, United Kingdom.

We take all data protection inquiries seriously and respond promptly to ensure your rights are respected and your concerns are addressed.