GDPR Compliance
Last updated: January 2024
luminous-plume is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about our compliance measures and your rights under these regulations.
Our Commitment to Data Protection
We recognise that personal data protection is fundamental to maintaining trust with our clients and website visitors. Our approach to data protection is built on the principles of transparency, accountability, and respect for individual privacy rights.
We process personal data lawfully, fairly, and in a transparent manner. Data is collected only for specified, explicit, and legitimate purposes, and we do not process it in ways incompatible with those purposes.
Data Controller Information
For the purposes of UK GDPR, luminous-plume acts as the data controller for personal information collected through our website and service delivery activities.
Contact details:
luminous-plume
14 Chancery Lane
London EC4A 1BN
Email: [email protected]
Lawful Bases for Processing
We only process personal data when we have a valid legal basis to do so. The lawful bases we rely upon include:
Contractual Necessity
We process data necessary to perform contracts with our clients, including delivering research services, managing engagements, and handling payments.
Legitimate Interests
We may process data based on our legitimate business interests where these do not override your rights and freedoms. Examples include responding to enquiries, maintaining business records, and improving our services. We conduct balancing assessments to ensure our interests do not unfairly impact you.
Consent
Where required, we obtain your consent before processing data. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time by contacting us.
Legal Obligation
We process data as necessary to comply with legal requirements, such as tax regulations and professional standards.
Your Rights Under UK GDPR
UK GDPR provides you with specific rights regarding your personal data:
Right to Access
You can request a copy of the personal data we hold about you. We will provide this within one month of receiving your request, along with information about how we process your data.
Right to Rectification
If your personal data is inaccurate or incomplete, you have the right to request correction. We will update records within one month or explain why we cannot.
Right to Erasure
In certain circumstances, you can request deletion of your personal data. This applies when the data is no longer necessary for its original purpose, when you withdraw consent, or when the data was unlawfully processed.
Right to Restrict Processing
You can request that we limit how we use your data while we address concerns about accuracy or our legal basis for processing.
Right to Data Portability
Where technically feasible, you can request your data in a commonly used, machine-readable format for transfer to another organisation.
Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Exercising Your Rights
To exercise any of your data protection rights, please contact us at [email protected]. Include sufficient information to verify your identity and specify which right you wish to exercise.
We respond to all legitimate requests within one month. If a request is particularly complex, we may extend this by up to two additional months, but we will inform you of any extension and explain the reasons.
There is no fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
Data Protection Measures
We implement appropriate technical and organisational measures to ensure data security:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments and updates
- Staff training on data protection practices
- Incident response procedures for potential breaches
- Secure disposal of data no longer required
Data Breach Procedures
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours where feasible. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
International Transfers
We primarily process data within the United Kingdom. If we need to transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, before any transfer occurs.
Data Protection Impact Assessments
For processing activities likely to result in high risks to individuals, we conduct Data Protection Impact Assessments to identify and minimise those risks before processing begins.
Supervisory Authority
The UK supervisory authority for data protection is the Information Commissioner's Office (ICO). If you believe your data protection rights have been infringed, you have the right to lodge a complaint:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: luminous-plume.com
Helpline: 0303 123 1113
Updates to This Information
We may update this GDPR compliance information periodically. Significant changes will be communicated through our website. We encourage you to review this page regularly.
Further Information
For more details about how we handle personal data, please see our Privacy Policy and Cookie Policy.
If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected].