GDPR Compliance
Your data protection rights explained
Last updated: January 2024
Our Commitment to Data Protection
calm-invest is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise that the personal information you share with us, particularly regarding your financial circumstances and health conditions, is sensitive and deserves robust protection.
This page provides additional information about how we comply with data protection regulations and explains your rights in accessible terms.
Data Controller Information
As the data controller, calm-invest determines how and why your personal data is processed. Our details are:
- Organisation: calm-invest
- Address: 47 Whitworth Street, Manchester, M1 5WW
- Email: [email protected]
- ICO Registration: We are registered with the Information Commissioner's Office
Lawful Basis for Processing
Under the UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following bases:
Contractual Necessity
When you engage our services, processing your personal data is necessary to fulfil our agreement with you. This includes collecting information about your circumstances to provide benefits advice and support applications.
Legitimate Interests
We may process data based on our legitimate business interests where these do not override your rights. This includes maintaining records, improving services, and protecting against fraud. We conduct balancing tests to ensure our interests do not unfairly impact you.
Legal Obligation
Some processing is required to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.
Explicit Consent
For special category data such as health information, and for optional activities like marketing communications, we obtain your explicit consent before processing.
Special Category Data
In providing benefits advisory services, we often need to process special category data, particularly health information related to disability benefit claims. We handle this data with additional care:
- We collect only the health information necessary for your specific benefit claims
- We obtain explicit consent before collecting health data
- We restrict access to health information to advisors directly involved in your case
- We store health data securely with enhanced protection measures
- We delete health data when it is no longer needed for your case or to meet legal requirements
Your Individual Rights
The UK GDPR provides you with specific rights regarding your personal data. We are committed to facilitating these rights:
Right to be Informed
You have the right to know how we collect and use your personal data. We provide this information through our Privacy Policy and this GDPR information page, as well as through specific notices when we collect your data.
Right of Access
You can request a copy of all personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request. Contact us at [email protected] to make a request.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Please notify us of any changes to your information.
Right to Erasure
In certain circumstances, you can request that we delete your personal data. This applies when the data is no longer needed, you withdraw consent, or processing was unlawful. Note that we may need to retain some data for legal or legitimate purposes.
Right to Restrict Processing
You can request that we limit how we use your data in certain situations, such as while we verify accuracy or consider an objection you have raised.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format.
Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision Making
We do not make decisions based solely on automated processing that produce legal effects or significantly affect you. All benefit assessments and advice involve human judgment.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us:
- Email: [email protected]
- Post: Data Protection, calm-invest, 47 Whitworth Street, Manchester, M1 5WW
Please include sufficient information to identify yourself and specify which right you wish to exercise. We may need to verify your identity before processing your request.
We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this by a further two months, but we will inform you within the first month.
Data Protection Principles
We adhere to the data protection principles set out in the UK GDPR:
- Lawfulness, fairness and transparency: We process data lawfully and are transparent about our practices
- Purpose limitation: We collect data for specified purposes and do not use it in ways incompatible with those purposes
- Data minimisation: We collect only the data necessary for our stated purposes
- Accuracy: We take reasonable steps to ensure data is accurate and up to date
- Storage limitation: We retain data only for as long as necessary
- Integrity and confidentiality: We implement appropriate security measures
- Accountability: We can demonstrate compliance with these principles
International Data Transfers
We primarily store and process data within the United Kingdom. If we need to transfer data outside the UK, we ensure adequate safeguards are in place, such as:
- Transfers to countries with adequacy decisions
- Standard contractual clauses approved by the ICO
- Binding corporate rules where applicable
Data Breach Procedures
In the event of a personal data breach, we have procedures in place to:
- Detect and investigate breaches promptly
- Assess the risk to individuals
- Notify the ICO within 72 hours where required
- Notify affected individuals if there is a high risk to their rights
- Document all breaches and our response
Complaints
If you believe we have not handled your personal data properly, please contact us first so we can address your concerns. If you remain dissatisfied, you have the right to complain to the supervisory authority:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
Updates
We review our data protection practices regularly and may update this information. We will notify you of significant changes through our website or direct communication where appropriate.