Home About Services Contact

GDPR Compliance

Last updated: January 2024

lakeshadow-retreat is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about our approach to data protection and your rights as a data subject.

Our Role Under GDPR

When you engage our services or interact with our website, lakeshadow-retreat acts as a data controller for personal information we collect directly from you. In situations where we process data on behalf of clients during project delivery, we may also act as a data processor under the client's instructions.

Data Controller Information

lakeshadow-retreat Ltd
Company Registration: 09847263
ICO Registration: ZA482916
Unit 4, Riverside Business Centre
Chapel Street, Salford M3 5BN
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases defined in Article 6 of the UK GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary to deliver services you have contracted us to provide. This includes:

  • Managing project communications and deliverables
  • Processing invoices and payments
  • Providing agreed support and maintenance

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, where such interests do not override your fundamental rights. This includes:

  • Responding to business enquiries
  • Improving our services based on feedback and usage patterns
  • Protecting our business against fraud and security threats
  • Maintaining records for business administration

Consent (Article 6(1)(a))

Where you have given explicit consent for specific processing activities:

  • Receiving marketing communications about our services
  • Using non-essential cookies on our website

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal requirements:

  • Financial record-keeping for tax purposes
  • Responding to lawful requests from authorities

Your Rights Under UK GDPR

Right to Access (Article 15)

You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about how it is processed. We will respond to access requests within one month of receipt.

Right to Rectification (Article 16)

You may request correction of inaccurate personal data or completion of incomplete data. We will make corrections without undue delay and inform any third parties with whom data has been shared.

Right to Erasure (Article 17)

In certain circumstances, you may request deletion of your personal data. This right applies when:

  • Data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent is the lawful basis)
  • You object to processing based on legitimate interests
  • Data has been unlawfully processed

Note that this right does not apply where we have legal obligations to retain data or legitimate grounds that override the request.

Right to Restriction (Article 18)

You may request restriction of processing while we verify the accuracy of data you have contested, or where processing is unlawful but you prefer restriction over erasure.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making (Article 22)

We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects. Should this change, we will inform you and provide appropriate safeguards.

Exercising Your Rights

To exercise any of these rights, please contact us at [email protected] or write to our postal address. To protect your privacy, we may need to verify your identity before processing your request.

We will respond to requests within one month. If a request is complex or we receive numerous requests, we may extend this period by up to two additional months, informing you of the extension within the initial month.

Data Protection Measures

We implement technical and organisational measures to protect personal data as required by Article 32:

  • Encryption of personal data during transmission (TLS) and storage (AES-256)
  • Access controls ensuring data is only accessible to authorised personnel
  • Regular testing and evaluation of security measures
  • Staff training on data protection obligations
  • Incident response procedures for potential data breaches
  • Regular data protection impact assessments for high-risk processing

Data Breach Procedures

In the event of a personal data breach, we will:

  • Assess the risk to individuals' rights and freedoms
  • Notify the Information Commissioner's Office within 72 hours where required
  • Communicate directly with affected individuals where the breach is likely to result in high risk
  • Document all breaches and our response actions

International Data Transfers

Where we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place as required by Chapter V of the UK GDPR:

  • Transfers to countries with adequacy decisions from the UK Government
  • Standard Contractual Clauses approved by the Information Commissioner
  • Binding corporate rules where applicable

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including:

  • Large-scale processing of sensitive categories of data
  • Systematic monitoring of publicly accessible areas
  • Use of new technologies that may impact privacy

Record of Processing Activities

As required by Article 30, we maintain records of our processing activities, including:

  • Categories of data subjects and personal data
  • Purposes of processing
  • Categories of recipients
  • Transfers to third countries
  • Retention periods
  • Description of security measures

Complaints

If you are dissatisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Updates to This Information

We review our data protection practices regularly and will update this page as necessary. Material changes affecting your rights will be communicated directly to those affected.