GDPR Compliance
How silverflick complies with UK GDPR and data protection regulations
Our Commitment to GDPR Compliance
silverflick is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and protect your rights.
Data Controller Information
silverflick acts as the data controller for personal information collected through our services and website.
Contact Details:
silverflick
42 Thornbury Lane
Bristol BS3 4JQ
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We process personal data only when we have a lawful basis. For different processing activities, we rely on:
Contract (Article 6(1)(b))
Processing necessary to deliver educational services you've contracted for, including programme delivery, scheduling, progress tracking, and communication about your child's participation.
Consent (Article 6(1)(a))
We obtain explicit consent for:
- Marketing communications
- Use of testimonials or case studies
- Photography or video during sessions (where applicable)
- Processing children's data (parental consent required for under-16s)
You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legitimate Interests (Article 6(1)(f))
We process data based on legitimate interests for:
- Improving our programmes based on learning outcomes
- Managing business operations and administration
- Preventing fraud and maintaining security
- Responding to enquiries and providing support
We've assessed these interests against individual rights and determined processing is necessary and proportionate.
Legal Obligation (Article 6(1)(c))
We process data to comply with legal requirements including:
- Financial record-keeping and tax obligations
- Safeguarding duties toward children
- Health and safety requirements
- Responding to lawful requests from authorities
Your GDPR Rights
Under UK GDPR, you have comprehensive rights regarding your personal data:
Right of Access (Article 15)
You can request confirmation that we're processing your data and obtain a copy of it. We provide the first copy free of charge within one month.
Right to Rectification (Article 16)
You can request correction of inaccurate data or completion of incomplete data. We'll update records promptly and notify relevant third parties where necessary.
Right to Erasure (Article 17)
Also known as the "right to be forgotten", this right lets you request deletion of your data when:
- It's no longer necessary for the purposes collected
- You withdraw consent (where processing is based on consent)
- You object to processing and no overriding legitimate grounds exist
- Data was unlawfully processed
- Deletion is required for legal compliance
Note: This right doesn't apply when we must retain data for legal obligations, such as financial records or safeguarding documentation.
Right to Restriction (Article 18)
You can request we limit processing of your data in specific circumstances, such as when you contest accuracy or object to processing.
Right to Data Portability (Article 20)
For data processed by automated means based on consent or contract, you can receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. We'll cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22)
We do not use automated decision-making or profiling that produces legal or similarly significant effects. All programme decisions involve human review.
Children's Data Protection
We take extra precautions with children's personal data:
- Parental consent obtained before processing data of children under 16
- Age-appropriate explanations provided to children about how their data is used
- Enhanced security measures for children's data
- Limited collection of only necessary information
- Regular reviews of data retention needs
Parents can exercise rights on behalf of their children and review all data we hold about their child at any time.
Data Security Measures
We implement appropriate technical and organisational measures to ensure data security:
Technical Measures
- Encryption of data in transit and at rest
- Secure authentication and access controls
- Regular security updates and patches
- Firewall and intrusion detection systems
- Secure backup systems
Organisational Measures
- Staff training on data protection obligations
- Clear data handling policies and procedures
- Regular security audits and risk assessments
- Confidentiality agreements with staff and contractors
- Incident response and breach notification procedures
Data Retention
We retain personal data only as long as necessary for the purposes collected and in accordance with legal requirements:
- Active programme participants: Duration of programme plus six years
- Financial records: Seven years (legal requirement)
- Safeguarding records: Until the individual reaches age 25 (minimum)
- Marketing consents: Until withdrawn or after three years of inactivity
- Website usage data: 26 months maximum
We conduct regular reviews to ensure data is deleted when no longer needed.
Data Breach Procedures
In the unlikely event of a data breach:
- We'll assess the risk to individuals' rights and freedoms
- If high risk exists, we'll notify the ICO within 72 hours
- Affected individuals will be notified without undue delay if the breach is likely to result in high risk to them
- We'll document all breaches and our response
- We'll take steps to prevent recurrence
Third-Party Data Sharing
When we share data with third-party processors (payment services, email platforms, etc.), we ensure:
- Written contracts are in place specifying processing terms
- Processors provide sufficient guarantees of compliance
- Appropriate security measures are maintained
- Data is processed only as instructed
- Sub-processors are subject to the same obligations
International Data Transfers
If we transfer data outside the UK, we ensure adequate safeguards through:
- UK adequacy decisions (where applicable)
- Standard contractual clauses approved by authorities
- Binding corporate rules (for group companies)
- Additional security measures where needed
Exercising Your Rights
To exercise any GDPR rights, contact us at [email protected] with:
- Your name and contact details
- Description of your request
- Proof of identity (to prevent unauthorised disclosure)
We'll respond within one month, or two months for complex requests. We'll explain any delays and your right to complain to the ICO.
Complaints
If you believe we've not complied with GDPR, please contact us first so we can address your concerns.
You also have the right to lodge a complaint with the Information Commissioner's Office:
Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Updates to GDPR Compliance
We regularly review our GDPR compliance procedures and update them as necessary to reflect legal changes, best practices, and feedback from data protection authorities.
Significant changes will be communicated via our website and, where appropriate, direct notification to affected individuals.