GDPR Compliance
Your data protection rights under UK GDPR
Our Commitment to Data Protection
Sassy Gas is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We understand that when you seek financial planning guidance, you're entrusting us with highly personal and sensitive information. Protecting that data isn't just a legal obligation—it's fundamental to our relationship with you.
This page explains your rights under data protection law and how we fulfill our responsibilities as a data controller.
Data Controller Information
For the purposes of data protection legislation, the data controller is:
Sassy Gas
Cathedral Court
42 Church Street
Cardiff CF10 2AT
United Kingdom
Email: [email protected]
Your Rights Under UK GDPR
UK GDPR grants you specific rights regarding your personal data. We respect these rights and have established processes to ensure you can exercise them effectively.
Right to Be Informed
You have the right to clear, transparent information about how we collect and use your personal data. Our Privacy Policy provides comprehensive details about our data practices. We'll always explain what information we need, why we need it, and how we'll use it before collecting data from you.
Right of Access
You can request a copy of all personal data we hold about you. This is commonly called a Subject Access Request (SAR). We'll provide this information free of charge within one month of receiving a valid request.
To make an access request, email us at [email protected] with sufficient detail to allow us to identify you and locate your data. We may ask for identification to verify your identity before disclosing personal information.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Given the nature of financial planning, maintaining accurate records is crucial for providing appropriate advice. If you notice any errors in your information, please alert us immediately so we can update our records.
We'll make corrections within one month and notify any third parties with whom we've shared the data, unless this proves impossible or involves disproportionate effort.
Right to Erasure
In certain circumstances, you can request that we delete your personal data. This right applies when:
- The data is no longer necessary for the purposes for which we collected it
- You withdraw consent on which processing was based, and we have no other legal ground for processing
- You object to processing and we have no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
However, this right is not absolute. We may need to retain certain information to comply with regulatory requirements applicable to financial services, or to establish, exercise, or defend legal claims. When you make an erasure request, we'll explain what we can and cannot delete, and why.
Right to Restrict Processing
You can ask us to limit how we use your personal data in these situations:
- You contest the accuracy of the data while we verify it
- Processing is unlawful but you don't want the data erased
- We no longer need the data, but you need it to establish, exercise, or defend legal claims
- You've objected to processing while we verify whether our legitimate grounds override yours
When processing is restricted, we may still store the data but won't use it without your consent, except for legal claims, protecting others' rights, or important public interest reasons.
Right to Data Portability
You have the right to receive personal data you've provided to us in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another organization where technically feasible.
This right applies when processing is based on consent or contract performance and is carried out by automated means. It doesn't apply to paper records or data we've generated through our analysis.
Right to Object
You can object to processing of your personal data where we're relying on legitimate interests as the legal basis. We'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
You have an absolute right to object to processing for direct marketing purposes. If you object to marketing, we'll immediately cease such processing.
Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We don't use fully automated decision-making processes in our financial planning services. Our advisors review all recommendations and exercise professional judgment based on your individual circumstances.
How to Exercise Your Rights
To exercise any of the rights described above, contact us by email at [email protected] or write to our postal address listed above. Please include:
- Your full name and contact details
- Clear description of which right you're exercising and what you're requesting
- Any information that will help us locate your data
- Proof of identity if you're making an access request
We'll respond within one month, though we may extend this by two additional months if the request is complex or we've received multiple requests. We'll inform you of any extension within one month of receiving your request and explain the reason for the delay.
We won't charge a fee for processing rights requests unless they're manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.
Lawful Bases for Processing
We only process personal data when we have a lawful basis under UK GDPR. The bases we typically rely on include:
Contract Performance
Processing your data is necessary to fulfill our contractual obligations when you engage our financial planning services. This includes analyzing your financial situation, developing recommendations, and maintaining records of our advice.
Legitimate Interests
We process certain data based on legitimate interests, such as:
- Maintaining business records and internal administration
- Improving our services and client experience
- Detecting and preventing fraud
- Protecting our legal rights and interests
When relying on legitimate interests, we've carefully balanced our interests against your rights and freedoms to ensure processing is appropriate and proportionate.
Legal Obligations
Financial services are subject to various regulatory requirements that mandate certain record-keeping and reporting. We process data when necessary to comply with these legal obligations.
Consent
For certain processing activities, such as sending marketing communications, we rely on your explicit consent. You can withdraw consent at any time by contacting us or using unsubscribe mechanisms in communications.
Data Protection Principles
We adhere to the core data protection principles set out in UK GDPR:
- Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes
- Data minimization: We only collect data that's adequate, relevant, and necessary
- Accuracy: We take reasonable steps to ensure data is accurate and kept up to date
- Storage limitation: We don't keep data longer than necessary for its purpose
- Integrity and confidentiality: We implement appropriate security measures to protect data
- Accountability: We can demonstrate compliance with these principles
Special Category Data
Financial planning may occasionally involve processing special category (sensitive) personal data, such as health information relevant to insurance planning or information about protected characteristics.
We only process such data when necessary for our services and when we have an appropriate legal basis, typically your explicit consent or when necessary for establishing, exercising, or defending legal claims.
Data Security Measures
We implement technical and organizational measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit and at rest
- Access controls limiting who can view or modify data
- Regular security assessments and updates
- Staff training on data protection responsibilities
- Secure backup and disaster recovery procedures
- Confidentiality agreements with employees and service providers
Data Breach Procedures
Despite our protective measures, if a personal data breach occurs that's likely to result in a risk to your rights and freedoms, we'll notify you without undue delay. We'll also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware of them.
International Transfers
We primarily process and store data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Transferring to countries with adequacy decisions from the UK government
- Using standard contractual clauses approved by authorities
- Implementing binding corporate rules or other approved mechanisms
Complaints and Concerns
If you have concerns about how we handle your personal data, please contact us first so we can address the issue. If you remain unsatisfied, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Updates to This Information
We may update this GDPR compliance information periodically to reflect changes in our practices or legal requirements. Material changes will be communicated through our website or directly to clients as appropriate.
Questions
If you have questions about your data protection rights, our GDPR compliance, or how we process your personal data, please contact us at [email protected]. We're committed to transparency and will respond to your questions promptly.