GDPR Compliance

How we protect your data rights under the General Data Protection Regulation

Our Commitment to GDPR

Mystic Thread Benefits Advice Ltd is fully committed to compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We recognise that you trust us with sensitive personal information, and we take our responsibility to protect that data extremely seriously.

This page outlines how we meet our obligations under GDPR and how you can exercise your rights as a data subject.

Data Controller Details

For the purposes of GDPR, Mystic Thread Benefits Advice Ltd is the data controller. This means we determine how and why your personal data is processed.

Data Controller: Mystic Thread Benefits Advice Ltd
ICO Registration Number: ZB429817
Registered Address: 142 Victoria Street, Bristol, BS1 6DL, United Kingdom
Contact Email: [email protected]

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so under GDPR. The lawful bases we rely on include:

Consent

When we process special category data (such as information about your health conditions), we obtain your explicit, informed consent. You have the right to withdraw this consent at any time by contacting us.

Contract

Processing your data is necessary to perform our contract with you to provide advisory services. Without this data, we would be unable to deliver the services you've requested.

Legal Obligation

We must process certain data to comply with legal obligations, such as maintaining financial records for tax purposes or cooperating with legitimate requests from regulatory authorities.

Legitimate Interests

We may process data based on our legitimate business interests, such as improving service quality, maintaining system security, and managing our business operations. We always ensure these interests are balanced against your fundamental rights and freedoms.

Special Category Data

In providing benefits advice, we necessarily process special category data as defined by GDPR, including information about your health, ethnic origin, or other sensitive matters. We handle this data with particular care and only process it when:

  • You have given explicit consent for us to do so
  • Processing is necessary for the establishment, exercise, or defence of legal claims
  • Processing is necessary for reasons of substantial public interest

We implement additional safeguards for special category data, including enhanced security measures and restricted access on a strict need-to-know basis.

Your Rights Under GDPR

GDPR grants you several important rights regarding your personal data. These rights apply whether you're a current client, former client, or simply a website visitor.

Right to Be Informed

You have the right to know how we collect, use, and share your personal data. This information is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request access to the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide you with a copy of your data within one month of receiving your request, free of charge.

Right to Rectification

If you believe any information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will make the necessary changes within one month and notify any third parties with whom we've shared the data.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, or when you withdraw consent. This right is not absolute, and we may need to retain some information to comply with legal obligations.

Right to Restrict Processing

You can ask us to temporarily restrict how we use your data in certain situations, such as when you contest the accuracy of the data or object to processing based on legitimate interests. During this restriction period, we can store the data but not use it.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. This applies when processing is based on consent or contract and is carried out by automated means.

Right to Object

You can object to processing of your data where we're relying on legitimate interests as the lawful basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making and Profiling

We do not engage in automated decision-making or profiling. All decisions regarding your benefits advice are made by qualified human advisors.

How to Exercise Your Rights

To exercise any of your rights under GDPR, please contact us in writing:

By email: [email protected]
By post: 142 Victoria Street, Bristol, BS1 6DL, United Kingdom

When making a request, please include:

  • Your full name and contact details
  • Details of which right you wish to exercise
  • Any relevant information that will help us locate your data
  • Proof of identity (we need to verify your identity before releasing personal data)

We will respond to your request within one month. In complex cases or if we receive multiple requests from you, we may extend this period by a further two months, but we will inform you if this is necessary.

Data Protection Principles

We adhere to the core data protection principles set out in GDPR:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. We're clear about why we need your data and how we'll use it.

Purpose Limitation

We collect data for specific, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Data Minimisation

We only collect data that is adequate, relevant, and limited to what is necessary for the purposes for which it's processed. We don't ask for information we don't need.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. We will correct inaccurate data promptly when we become aware of it.

Storage Limitation

We keep personal data only for as long as necessary for the purposes for which it was collected. Once data is no longer needed, we securely delete or destroy it.

Integrity and Confidentiality

We process data securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Accountability

We are responsible for demonstrating compliance with these principles. We maintain records of our processing activities and regularly review our data protection practices.

Data Security Measures

We implement robust security measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction:

  • Encryption of data both in transit and at rest
  • Regular security assessments and penetration testing
  • Strict access controls ensuring staff only access data they need for their role
  • Comprehensive staff training on data protection and security
  • Secure physical premises with restricted access
  • Regular backups stored securely offsite
  • Incident response procedures to deal quickly with any breaches

Data Breach Procedures

In the unlikely event of a personal data breach, we have procedures in place to respond quickly and effectively:

  • We will assess the breach to determine its severity and potential impact
  • If the breach poses a risk to your rights and freedoms, we will notify the ICO within 72 hours
  • If the breach poses a high risk to you, we will contact you directly without undue delay
  • We will take immediate steps to contain the breach and prevent further data loss
  • We will document the breach, our response, and any lessons learned to prevent future incidents

Third-Party Processing

When we engage third parties to process data on our behalf (such as IT service providers), we ensure they meet GDPR requirements through:

  • Written contracts that specify their data protection obligations
  • Due diligence checks on their security measures and practices
  • Restrictions preventing them from using your data for their own purposes
  • Requirements to notify us immediately of any data breaches
  • Regular audits to ensure ongoing compliance

International Data Transfers

We store and process your data within the United Kingdom. If we need to transfer data outside the UK or European Economic Area (which is rare), we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognising equivalent data protection standards
  • Standard contractual clauses approved by the European Commission
  • Other mechanisms that ensure your data receives equivalent protection

Data Protection Impact Assessments

For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIAs) to identify and minimise data protection risks. This systematic process helps us ensure that privacy is built into our services from the outset.

Children's Data

Our services are designed for adults seeking benefits advice. If we provide advice to someone under 18 (for example, a young person claiming benefits in their own right), we take extra care to ensure they understand how their data will be used. Where appropriate, we may seek parental or guardian consent.

Updates to Our Practices

We regularly review our data protection practices to ensure ongoing compliance with GDPR and to incorporate best practices as they develop. When we make significant changes that affect how we process your data, we will notify you and, where necessary, seek fresh consent.

Making a Complaint

We hope to resolve any concerns you have about our data processing practices directly. However, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: www.mystic-thread.com
Email: [email protected]

The ICO is the UK's independent authority set up to uphold information rights. They can investigate complaints and take action against organisations that breach data protection law.

Further Information

For more detailed information about how we handle your personal data, please see our Privacy Policy. If you have specific questions about GDPR compliance or wish to exercise your data rights, please contact us at [email protected].