Our Commitment to Data Protection
poppy-engine Limited is committed to ensuring that personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides information about how we fulfil our obligations under these regulations.
Data Controller Information
For the purposes of data protection legislation, poppy-engine Limited is the data controller for personal data we collect and process in connection with our website and services.
Data Controller: poppy-engine Limited
Address: 14 Kensington Court, London W8 5DN, United Kingdom
Email: [email protected]
Lawful Bases for Processing
We process personal data only where we have a lawful basis to do so. The lawful bases we rely upon include:
Contractual Necessity
We process personal data where necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This includes processing client information to deliver our consultancy services.
Legitimate Interests
We process personal data where necessary for our legitimate business interests, provided these interests do not override your fundamental rights. Our legitimate interests include:
- Responding to enquiries from potential clients
- Improving our services and website
- Maintaining the security of our systems
- Marketing our services to business contacts who may be interested
Consent
Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Legal Obligation
We may process personal data where necessary to comply with legal obligations to which we are subject, such as anti-money laundering requirements or tax reporting.
Your Data Protection Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
Right of Access
You have the right to request confirmation of whether we process your personal data, and if so, to request access to that data. We will provide a copy of your personal data free of charge, although we may charge a reasonable fee for additional copies or for manifestly unfounded or excessive requests.
Right to Rectification
You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete data completed.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
Right to Restriction of Processing
You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
Right to Data Portability
Where we process your personal data based on consent or contractual necessity using automated means, you have the right to receive that data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to Object
You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making of this nature.
Exercising Your Rights
To exercise any of your data protection rights, please contact us at [email protected]. We will respond to your request within one month, although this period may be extended by two further months where necessary, taking into account the complexity and number of requests.
We may need to verify your identity before processing your request. We will not charge a fee for responding to legitimate requests, but may charge a reasonable fee for manifestly unfounded or excessive requests.
Data Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest where appropriate
- Access controls limiting who can access personal data
- Regular security assessments and updates
- Staff training on data protection and security
- Incident response procedures for potential data breaches
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
International Data Transfers
We primarily store and process personal data within the United Kingdom. Where we transfer personal data to countries outside the UK that do not benefit from an adequacy decision, we implement appropriate safeguards such as standard contractual clauses approved by the Information Commissioner.
Data Protection Impact Assessments
Where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments to identify and minimise data protection risks.
Record Keeping
We maintain records of our processing activities as required under Article 30 of the UK GDPR. These records include the purposes of processing, categories of data subjects and personal data, recipients, international transfers, retention periods, and security measures.
Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: poppy-engine.com
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
Updates to This Information
We may update this GDPR compliance information from time to time. Any changes will be posted on this page with an updated revision date.