GDPR Compliance
Our commitment to protecting your data rights
Our Commitment to Data Protection
Embervalley Place Limited is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented policies and procedures to ensure your personal information is handled lawfully and transparently.
Data Controller Information
For the purposes of UK data protection legislation, the data controller is:
Embervalley Place Limited
42 Deansgate Avenue
Manchester, M3 2FE
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We process personal data only when we have a lawful basis to do so under UK GDPR. The specific basis depends on the purpose of processing:
Consent
When you sign up for marketing communications or agree to optional data processing, we rely on your explicit consent. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Contract
When you engage our services, processing is necessary to perform our contractual obligations. This includes providing consultations, curating collections, organising events, and sourcing books.
Legitimate Interests
We process data based on legitimate interests when necessary for business operations, including improving our services, preventing fraud, and maintaining security. We balance these interests against your rights and freedoms.
Legal Obligation
We process certain data to comply with legal requirements, such as maintaining financial records for tax purposes.
Your Data Protection Rights
Under UK GDPR, you have specific rights regarding your personal data. We are committed to facilitating the exercise of these rights:
Right of Access
You have the right to obtain confirmation about whether we process your personal data and, if so, to access that data along with specific information about how we use it. We will provide a copy of your data in a commonly used electronic format.
Right to Rectification
If your personal data is inaccurate or incomplete, you have the right to have it corrected. We will make reasonable efforts to communicate corrections to any third parties to whom we have disclosed the data.
Right to Erasure
In certain circumstances, you can request deletion of your personal data, including when:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
This right is not absolute. We may need to retain certain information to comply with legal obligations or for legitimate business purposes.
Right to Restriction of Processing
You can request that we restrict processing of your personal data in specific situations:
- When you contest the accuracy of the data, for a period allowing us to verify accuracy
- When processing is unlawful but you oppose erasure and request restriction instead
- When we no longer need the data but you need it for legal claims
- When you have objected to processing, pending verification of whether our legitimate grounds override yours
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format. You have the right to transmit this data to another controller without hindrance from us.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon objection to direct marketing, we will cease processing for such purposes. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making
We do not currently use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals. Should this change, we will update our policies and ensure appropriate safeguards are in place.
Exercising Your Rights
To exercise any of your data protection rights, please contact us at:
Email: [email protected]
Post: Data Protection Officer, Embervalley Place Limited, 42 Deansgate Avenue, Manchester, M3 2FE, United Kingdom
We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months, in which case we will inform you of the extension and the reasons for delay.
You will not have to pay a fee to access your personal data or exercise any other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with such requests.
Data Security Measures
We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- Regular security assessments and penetration testing
- Access controls ensuring data is accessible only to authorised personnel
- Staff training on data protection principles and secure handling practices
- Incident response procedures for data breaches
- Regular backups with secure storage
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, where required by law.
Our notification will describe the nature of the breach, likely consequences, and measures taken or proposed to address the breach and mitigate potential adverse effects.
Data Protection Impact Assessments
When planning new projects or changes to existing processing that may pose high risks to data protection rights, we conduct Data Protection Impact Assessments. These assessments help identify and minimise data protection risks.
Third-Party Processors
We ensure that any third-party processors we engage are bound by contractual obligations to implement appropriate security measures and process data only on our instructions. We conduct due diligence before engaging processors and monitor their compliance with data protection requirements.
International Data Transfers
While we primarily store and process data within the United Kingdom, some of our service providers may be located outside the UK. When transferring data internationally, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising equivalent data protection standards
- Standard contractual clauses approved by the ICO
- Binding corporate rules for transfers within corporate groups
Record Keeping
We maintain records of our processing activities as required by UK GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients to whom data may be disclosed
- International transfers and safeguards
- Retention periods
- Security measures
Updates to Compliance Practices
We regularly review and update our data protection practices to ensure ongoing compliance with UK GDPR and other applicable regulations. Significant changes will be communicated through updates to our privacy policy and, where appropriate, direct communication with affected individuals.
Supervisory Authority
The Information Commissioner's Office (ICO) is the UK supervisory authority for data protection. If you have concerns about our data processing practices that we have not adequately addressed, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Questions and Concerns
If you have questions about our GDPR compliance or data protection practices, please contact our Data Protection Officer at [email protected]. We are committed to addressing your concerns and maintaining transparent data processing practices.