GDPR Compliance

Our GDPR Commitment

Phantasic Lair Limited is committed to compliance with the UK General Data Protection Regulation and related data protection legislation. We recognize the importance of protecting personal information and respecting individual privacy rights.

This page outlines how we fulfill our obligations as a data controller and explains your rights as a data subject.

Data Controller Details

Phantasic Lair Limited acts as the data controller for personal information processed through our business activities.

Data Controller: Phantasic Lair Limited
Registered Office: 42 Greenwood Lane, Willow Park, Hampshire SO23 8DN
Company Number: 09234567
Contact: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The legal grounds we rely upon include:

Contractual Necessity

When you engage our services, processing your information becomes necessary to fulfill our contractual obligations. This includes contact details for communication, property information for service delivery, and payment details for billing purposes.

Legitimate Interests

We may process information based on legitimate business interests, provided these interests don't override your fundamental rights. Examples include maintaining client records for continuity of service, preventing fraud, and improving our business operations. We conduct assessments to ensure this processing remains proportionate and appropriate.

Legal Compliance

Certain data processing is required to comply with legal obligations, such as maintaining financial records for tax purposes or cooperating with regulatory authorities.

Consent

For processing activities beyond those covered above, we obtain your explicit consent. You may withdraw consent at any time, though this doesn't affect processing carried out before withdrawal.

Your Data Subject Rights

Under GDPR, you have several enforceable rights regarding your personal data:

Right of Access

You can request confirmation of whether we process your personal data and receive a copy of that data. This includes information about processing purposes, data categories, recipients, and retention periods. We provide one copy free of charge, with reasonable fees for additional copies.

Right to Rectification

You may request correction of inaccurate personal data or completion of incomplete information. We update records promptly upon receiving verified correction requests.

Right to Erasure

Also known as the right to be forgotten, this allows you to request deletion of your personal data in specific circumstances, such as when data is no longer necessary for its original purpose or when you withdraw consent. However, we may retain information where legal obligations require us to do so.

Right to Restriction of Processing

You can request that we limit how we process your data in certain situations, such as while we verify information accuracy or assess whether our legitimate interests override your rights. During restriction, we store the data but don't actively process it except with your consent or for legal claims.

Right to Data Portability

When processing is based on consent or contract and carried out by automated means, you can receive your personal data in a structured, commonly used format. Where technically feasible, we can transmit this data directly to another controller.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. Upon receiving an objection, we cease processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing relates to legal claims.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. Our business does not employ automated decision-making or profiling activities.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] or write to our registered office. Please include sufficient information to identify yourself and specify which right you wish to exercise.

We respond to requests within one month of receipt. For complex or numerous requests, we may extend this period by two months, notifying you of the extension and reasons within the initial month.

We don't charge fees for rights requests unless they are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse the request.

Data Protection Principles

Our processing activities adhere to the core principles established by GDPR:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. Our Privacy Policy clearly explains what data we collect and how we use it.

Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes. We don't process data in ways incompatible with those purposes without obtaining additional consent.

Data Minimization

We collect only data that is adequate, relevant, and necessary for the purposes for which it's processed. We regularly review what information we collect to ensure we're not holding excessive data.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

Storage Limitation

We retain personal data only as long as necessary for the purposes for which it was collected. Retention periods are documented and reviewed regularly.

Integrity and Confidentiality

We implement appropriate security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Accountability

We take responsibility for our data processing activities and can demonstrate compliance with GDPR principles through documentation, policies, and procedures.

Data Security Measures

We implement technical and organizational measures appropriate to the risks presented by our processing activities:

Technical measures include encryption of sensitive data, password protection for systems, regular software updates, and secure backup procedures. Organizational measures include staff training on data protection, confidentiality agreements, restricted access to personal data, and documented data handling procedures.

We regularly review and update these measures to address evolving security threats and maintain appropriate protection levels.

Data Breach Procedures

In the unlikely event of a data breach that poses a risk to individual rights and freedoms, we have procedures to:

Detect and contain the breach promptly, assess the severity and potential impact, notify the Information Commissioner's Office within 72 hours where required, and inform affected individuals without undue delay when the breach poses a high risk to their rights and freedoms.

We maintain records of all data breaches, including their effects and remedial actions taken.

International Data Transfers

We primarily process data within the United Kingdom. In rare cases where data must be transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or binding corporate rules.

Third-Party Processors

When we engage third parties to process data on our behalf, we ensure they provide sufficient guarantees regarding security and confidentiality. We maintain written contracts with processors that specify their obligations and our rights regarding data protection.

We remain responsible for ensuring processors comply with GDPR requirements and regularly review processor compliance.

Children's Data

Our services are directed at adults, and we don't knowingly collect personal data from children under 16 without parental consent. If we become aware that we've inadvertently collected such information, we take steps to delete it promptly.

Updates to Our Practices

We periodically review and update our data protection practices to ensure continued GDPR compliance. Material changes are communicated to active clients and reflected in our Privacy Policy.

Supervisory Authority

The Information Commissioner's Office is the UK supervisory authority responsible for enforcing data protection law. You have the right to lodge a complaint with the ICO if you believe our processing violates your rights.

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Contact Us

For questions about our GDPR compliance, to exercise your rights, or to raise concerns about data processing, please contact us:

Email: [email protected]
Post: Phantasic Lair Limited, 42 Greenwood Lane, Willow Park, Hampshire SO23 8DN

We take all data protection inquiries seriously and respond promptly to your concerns.