GDPR Compliance

Our commitment to protecting your data rights under UK GDPR

Our Commitment to GDPR Compliance

wooden-budget Financial Services Ltd is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal data and respecting your privacy rights.

Data Controller Information

For the purposes of data protection legislation, the data controller is:

wooden-budget Financial Services Ltd
42 Riverside Quarter
Bristol BS1 4RN
United Kingdom
Email: [email protected]

Lawful Basis for Processing Personal Data

We only process your personal data when we have a lawful basis to do so. The legal grounds we rely on include:

Consent

When you provide explicit consent for us to process your personal data for specific purposes, such as receiving marketing communications. You have the right to withdraw your consent at any time by contacting us.

Contractual Necessity

Processing is necessary for us to fulfil our contractual obligations to you when you engage our financial planning services.

Legitimate Interests

We process certain data based on our legitimate business interests, such as improving our services, maintaining security, and communicating with clients about relevant services. We always balance these interests against your rights and freedoms.

Legal Obligation

In some cases, we are required by law to process and retain certain personal information, such as for tax and regulatory compliance.

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data. We will provide this information free of charge, although we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We aim to respond to all requests within one month.

Right to Rectification

You have the right to request correction of any personal data you believe is inaccurate or incomplete. We will make the correction promptly once we have verified the accuracy of the new information.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Please note that this right is not absolute, and we may need to retain certain information to comply with legal obligations or establish legal claims.

Right to Restrict Processing

You can request that we limit the way we use your personal data in specific situations:

  • You contest the accuracy of the data while we verify it
  • The processing is unlawful but you prefer restriction over deletion
  • We no longer need the data, but you require it for legal claims
  • You have objected to processing while we verify our legitimate grounds

Right to Data Portability

Where technically feasible, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another organisation where possible.

Right to Object

You have the right to object to:

  • Processing based on legitimate interests or public interest
  • Direct marketing communications at any time
  • Processing for scientific, historical, or statistical purposes in certain circumstances

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making of this nature.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at [email protected] with your request. We may need to verify your identity before fulfilling certain requests to ensure the security of your personal data.

We will respond to all legitimate requests within one month. In complex cases or if we receive multiple requests, we may extend this period by a further two months and will inform you of the extension and the reasons for the delay.

Data Minimisation

We adhere to the principle of data minimisation, collecting only the personal information that is necessary for the specific purposes we have identified. We regularly review the data we hold to ensure we are not retaining information unnecessarily.

Data Security Measures

We implement appropriate technical and organisational security measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls limiting data access to authorised personnel only
  • Staff training on data protection and security best practices
  • Incident response procedures for data breaches
  • Regular backups and disaster recovery planning

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay, providing information about:

  • The nature of the breach
  • The likely consequences
  • The measures we have taken or propose to take to address the breach
  • Contact details for further information

Third-Party Data Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they:

  • Provide sufficient guarantees of their data protection compliance
  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Have contractual obligations aligned with GDPR requirements
  • Notify us of any data breaches affecting your data

International Data Transfers

Your personal data is primarily processed and stored within the United Kingdom. If we need to transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognising equivalent data protection standards
  • Standard contractual clauses approved by regulatory authorities
  • Binding corporate rules for transfers within multinational organisations

Children's Data

We do not knowingly collect or process personal data from individuals under 18 years of age. Our services are designed for adults. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

Record Keeping and Accountability

We maintain detailed records of our data processing activities, including:

  • The purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients of personal data
  • International transfers and safeguards
  • Retention periods
  • Security measures implemented

Updates to Our GDPR Practices

We regularly review and update our data protection practices to ensure ongoing compliance with GDPR requirements. Any material changes will be reflected on this page and in our Privacy Policy.

Complaints and Concerns

If you have concerns about how we handle your personal data or wish to make a complaint, please contact us first at [email protected]. We will investigate and respond to all complaints promptly.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

Contact Us

For any questions about our GDPR compliance or to exercise your data protection rights, please contact us:

Email: [email protected]
Address: wooden-budget Financial Services Ltd, 42 Riverside Quarter, Bristol BS1 4RN, United Kingdom