GDPR Compliance
Our commitment to data protection under UK GDPR
Our Commitment to GDPR
Serein Sponge Limited is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise that protecting personal information is not just a legal obligation but a fundamental aspect of maintaining trust with our clients and contacts.
Data Controller Information
For the purposes of data protection law, Serein Sponge Limited acts as the data controller for personal information we collect and process.
Company Name: Serein Sponge Limited
Registered Address: 42 Kingsway, London, WC2B 6EX, United Kingdom
Contact Email: [email protected]
Lawful Basis for Processing
We process personal information only when we have a valid lawful basis under UK GDPR. Depending on the context, we rely on:
Consent
Where you have given clear, informed consent for us to process your information for specific purposes, such as receiving marketing communications. You can withdraw consent at any time.
Contract
Processing is necessary to fulfil our contractual obligations to clients, including delivering training services, managing bookings, and processing payments.
Legitimate Interests
We process information where necessary for our legitimate business interests, provided these do not override your fundamental rights. Examples include:
- Maintaining client relationships and providing customer service
- Improving our services based on feedback and evaluation
- Protecting our business from fraud and security threats
- Managing our internal operations efficiently
Legal Obligation
We process information when required to comply with legal obligations, such as tax reporting, financial record-keeping, and responding to lawful requests from authorities.
Data Protection Principles
We adhere to the core principles established by UK GDPR:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. This policy and our Privacy Policy clearly explain what we do with your information.
Purpose Limitation
We collect personal information for specified, explicit purposes and do not use it in ways incompatible with those purposes without informing you.
Data Minimisation
We collect only the personal information that is adequate, relevant, and necessary for our stated purposes. We avoid collecting excessive or unnecessary data.
Accuracy
We take reasonable steps to ensure personal information is accurate and, where necessary, kept up to date. We promptly correct or delete inaccurate information when identified.
Storage Limitation
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Our retention schedules define specific timeframes for different categories of information.
Integrity and Confidentiality
We implement appropriate security measures to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability
We take responsibility for complying with data protection principles and can demonstrate our compliance through documented policies, procedures, and records.
Your Rights Under UK GDPR
UK GDPR grants you specific rights regarding your personal information. We facilitate the exercise of these rights and respond to requests promptly.
Right to Be Informed
You have the right to clear information about what personal data we collect, why we collect it, and how we use it. This policy and our Privacy Policy fulfil this obligation.
Right of Access
You can request a copy of the personal information we hold about you. We provide this free of charge within one month, along with information about how we use it.
Right to Rectification
If your personal information is inaccurate or incomplete, you can ask us to correct it. We will do so within one month and inform any third parties with whom we shared the information.
Right to Erasure
Under this right, also known as the "right to be forgotten", you can request deletion of your personal information in certain circumstances, such as:
- The information is no longer necessary for the purpose it was collected
- You withdraw consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The information was unlawfully processed
This right is not absolute. We may need to retain information to comply with legal obligations or establish legal claims.
Right to Restrict Processing
You can ask us to restrict how we use your information in certain situations, such as while we verify its accuracy or assess your objection to processing.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your information in a structured, commonly used format to transmit to another organisation.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals. Should this change, we will inform affected individuals and provide means to request human intervention.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected] with the following information:
- Your full name and contact details
- The specific right you wish to exercise
- Any relevant details to help us locate your information
- Proof of identity (we may request this to protect your information)
We will respond within one month, though complex requests may require up to three months. We will inform you if additional time is needed and explain why.
Data Security Measures
We implement technical and organisational measures appropriate to the risks presented by processing personal information:
- Encryption of data in transit using secure protocols
- Secure storage systems with restricted access controls
- Regular security assessments and penetration testing
- Staff training on data protection and security procedures
- Secure backup systems with encrypted storage
- Incident response and breach notification procedures
- Regular review and updating of security measures
Data Breach Procedures
In the unlikely event of a data breach that poses a risk to individuals' rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
- Document the breach, including facts, effects, and remedial actions taken
- Take immediate steps to contain and mitigate the breach
- Review and improve our security measures to prevent recurrence
Third-Party Processing
When we engage third parties to process personal information on our behalf, we ensure:
- A written contract governs the processing arrangement
- The processor provides sufficient guarantees of GDPR compliance
- Processing only occurs according to our documented instructions
- Appropriate security measures are implemented
- Sub-processors are only engaged with our prior authorisation
- The processor assists us in meeting our GDPR obligations
International Data Transfers
We primarily process data within the United Kingdom. If we transfer personal information outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with an adequacy decision from the UK government
- Use of standard contractual clauses approved by the ICO
- Binding corporate rules for transfers within multinational organisations
- Other mechanisms recognised under UK data protection law
Children's Data
Our services target business professionals and organisations. We do not knowingly collect or process personal information from individuals under 16. If we become aware of such processing, we will delete the information promptly and securely.
Training Participant Data
When delivering training on behalf of client organisations, we may process personal information about participants. In these situations:
- The client organisation typically acts as data controller
- We act as data processor under the client's instructions
- A data processing agreement governs the arrangement
- Participants should refer to their employer's privacy notice
- We retain participant data only as long as necessary to deliver services
Updates to This Statement
We review and update this GDPR compliance statement periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website or directly to affected individuals.
Complaints and Further Information
If you have concerns about how we handle your personal information or believe we are not complying with UK GDPR, please contact us first so we can address the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Contact Us
For questions about this statement or our data protection practices:
Email: [email protected]
Address: Serein Sponge Limited, 42 Kingsway, London, WC2B 6EX, United Kingdom