prism-nectar

GDPR Compliance

Our commitment to protecting your personal data under UK GDPR

Our Commitment to Data Protection

prism-nectar is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal data and have implemented comprehensive measures to ensure compliance.

This page provides detailed information about how we meet our obligations under data protection law and explains your rights as a data subject.

Data Controller Information

prism-nectar acts as the data controller for personal information collected through our services. This means we determine how and why your personal data is processed.

Data Controller: prism-nectar Ltd
Registered Address: 47 Clerkenwell Road, London EC1M 5RS
Company Registration: 11847263
ICO Registration: ZA789456
Data Protection Contact: [email protected]

Lawful Bases for Processing

Under UK GDPR, we must have a valid lawful basis to process your personal data. Depending on the specific processing activity, we rely on:

Contractual Necessity

Processing that is necessary to perform our contract with you, including:

  • Preparing and submitting benefit applications
  • Communicating with you about your case
  • Providing advice and guidance
  • Managing appointments and consultations

Legal Obligation

Processing required to comply with our legal obligations:

  • Maintaining financial records for tax purposes
  • Responding to lawful requests from authorities
  • Fulfilling regulatory requirements

Legitimate Interests

Processing based on our legitimate business interests where these do not override your rights:

  • Improving our services based on feedback
  • Maintaining security of our systems
  • Analysing website usage to enhance user experience

Explicit Consent

Where we process special category data (such as health information), we obtain your explicit consent. You may withdraw this consent at any time.

Your Rights Under UK GDPR

UK GDPR provides you with specific rights regarding your personal data. We are committed to facilitating the exercise of these rights.

Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about how it is processed. We will respond to access requests within one month.

Right to Rectification (Article 16)

If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will action rectification requests without undue delay.

Right to Erasure (Article 17)

Also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose or you withdraw consent.

Right to Restriction (Article 18)

You may request that we restrict processing of your personal data in specific circumstances, such as while we verify the accuracy of contested data.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

We do not make solely automated decisions that produce legal or similarly significant effects. All significant decisions about your case involve human review.

Exercising Your Rights

To exercise any of your data protection rights, please contact us at:

Email: [email protected]

We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will inform you of any extension and the reasons for it.

There is no charge for exercising your rights, although we may charge a reasonable fee for manifestly unfounded or excessive requests.

Special Category Data

Due to the nature of benefits advisory services, we often process special category data including:

  • Health and medical information
  • Information about disabilities
  • Details about mental health conditions

We process this data with your explicit consent and under Article 9(2)(h) of UK GDPR—processing necessary for health or social care purposes. Enhanced security measures apply to all special category data.

Data Protection Principles

We adhere to the seven key principles of UK GDPR in all our data processing activities:

  1. Lawfulness, fairness, and transparency: We process data lawfully, fairly, and openly
  2. Purpose limitation: We collect data only for specified, explicit, and legitimate purposes
  3. Data minimisation: We collect only data that is necessary for our purposes
  4. Accuracy: We keep personal data accurate and up to date
  5. Storage limitation: We retain data only for as long as necessary
  6. Integrity and confidentiality: We protect data using appropriate security measures
  7. Accountability: We take responsibility for compliance and can demonstrate it

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit using TLS protocols
  • Encryption of data at rest for sensitive information
  • Access controls with role-based permissions
  • Regular security audits and vulnerability assessments
  • Staff training on data protection and security
  • Secure disposal procedures for electronic and physical records
  • Incident response procedures for potential data breaches

Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours
  • Inform affected individuals without undue delay when there is high risk
  • Document all breaches, including facts, effects, and remedial action
  • Take immediate steps to contain and address the breach

International Transfers

We do not routinely transfer personal data outside the United Kingdom or European Economic Area. Should such transfer become necessary, we will ensure appropriate safeguards are in place, such as standard contractual clauses approved by the ICO.

Changes to This Information

We may update this GDPR compliance information from time to time. Any significant changes will be communicated to active clients directly.

Complaints

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at [email protected] in the first instance.

prism-nectar

Professional guidance for benefits and social payment applications throughout the United Kingdom.


Office Hours

Monday – Friday
9:00 AM – 5:30 PM

Saturday
10:00 AM – 2:00 PM

© 2024 prism-nectar. All rights reserved.

Registered in England and Wales
