GDPR Compliance
How we protect your data rights under UK GDPR
Our Commitment to GDPR
Glimmer Tech Limited is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognize that the information you share with us is highly sensitive and personal, and we've implemented comprehensive measures to protect your privacy rights.
This page provides specific information about our GDPR compliance practices. For broader privacy information, please see our Privacy Policy.
Data Controller Information
Glimmer Tech Limited is the data controller for personal information processed through our services and website.
Data Controller: Glimmer Tech Limited
Registered Address: 45 Queen Square, Bristol, BS1 4LH, United Kingdom
Company Number: 09247816
Contact Email: [email protected]
Lawful Basis for Processing
We process personal data only when we have a lawful basis. Depending on the context, we rely on:
Contract Performance
Processing your personal data is necessary to deliver the benefits advice and application support services you've contracted us to provide. Without this information, we cannot fulfill our obligations to you.
Explicit Consent
For special category data (such as health information), we obtain your explicit, informed consent before processing. You may withdraw this consent at any time, though this may affect our ability to continue providing certain services.
Legal Obligation
Some data processing is required to comply with legal obligations, including maintaining records for accounting purposes and cooperating with lawful requests from authorities.
Legitimate Interests
We process certain data based on our legitimate business interests, such as improving service quality and protecting against fraud. We balance these interests against your rights and only process data in ways you would reasonably expect.
Special Category Data
The nature of benefits advice means we regularly process special category personal data, including:
- Health information and medical conditions
- Disability and functional limitations
- Genetic and biometric data (when included in medical reports)
- Data concerning a person's sex life (where relevant to certain benefits)
We process this sensitive information only with your explicit consent and only to the extent necessary to provide effective benefits advice and support. We apply enhanced security measures to protect special category data and restrict access to authorized personnel who need it for legitimate purposes.
Your GDPR Rights Explained
Right of Access
You can request a copy of all personal data we hold about you. We'll provide this information in a clear, accessible format within one month of your request. There's no charge for reasonable requests.
Right to Rectification
If information we hold is inaccurate or incomplete, you can ask us to correct or complete it. We'll update our records within one month and notify any third parties to whom we've disclosed the data where appropriate.
Right to Erasure
You can request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purposes for which we collected it
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
This right is not absolute. We may need to retain certain information to comply with legal obligations or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing
You can ask us to restrict how we use your data in situations such as:
- You contest the accuracy of the data while we verify it
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing while we verify our legitimate grounds
Right to Data Portability
Where technically feasible, you can request that we provide your personal data in a structured, commonly used, machine-readable format. You can also ask us to transmit this data directly to another service provider where possible.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We'll cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All decisions about your benefit applications and advice are made by qualified human advisors.
How to Exercise Your Rights
To exercise any of your GDPR rights, contact us at [email protected] with:
- A clear description of which right you're exercising
- Sufficient information to identify you (to protect against unauthorized disclosure)
- Any specific details about the scope of your request
We'll respond within one month of receiving your request. In complex cases or where we receive multiple requests from you, we may extend this by two additional months, but we'll notify you of any extension and explain the reason.
We don't charge fees for most requests. However, if a request is clearly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse the request.
Data Protection Measures
Technical Safeguards
- Encryption of data in transit using TLS protocols
- Encrypted storage of sensitive client files
- Regular security testing and vulnerability assessments
- Firewall protection and intrusion detection systems
- Secure backup procedures with encrypted storage
- Multi-factor authentication for staff access to systems
Organizational Safeguards
- Mandatory data protection training for all staff
- Confidentiality agreements and clear data handling policies
- Access controls ensuring staff only access data they need
- Regular audits of data processing activities
- Incident response procedures for potential data breaches
- Privacy impact assessments for new processing activities
Physical Safeguards
- Secure office premises with controlled access
- Locked filing cabinets for paper documents
- Clean desk policy to prevent unauthorized viewing
- Secure disposal of documents through cross-cut shredding
Data Breach Procedures
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Inform you directly without undue delay if the breach is likely to result in a high risk to your rights
- Provide clear information about the nature of the breach and steps we're taking
- Offer guidance on measures you can take to protect yourself
- Investigate the cause and implement corrective actions to prevent recurrence
Third-Party Processing
Where we use third-party service providers who process personal data on our behalf (such as cloud storage providers or email services), we ensure:
- Written contracts are in place specifying data protection obligations
- Processors only act on our documented instructions
- Appropriate technical and organizational security measures are implemented
- Processors assist us in responding to data subject rights requests
- Processors notify us of any data breaches
- Data is deleted or returned when services end
We conduct due diligence on all processors to ensure they meet GDPR requirements before engaging their services.
International Data Transfers
We primarily store and process data within the United Kingdom. If we need to transfer data outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognizing equivalent data protection standards
- Standard contractual clauses approved by the ICO
- Binding corporate rules for transfers within corporate groups
We will not transfer your data internationally without ensuring it receives protection equivalent to UK GDPR standards.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) before implementing new processing activities that are likely to result in high risks to individuals' privacy. This includes processing large amounts of special category data or using new technologies.
DPIAs help us identify and minimize privacy risks, ensuring we build data protection into our processes from the outset.
Updates to Our GDPR Practices
We regularly review our data protection practices to ensure ongoing compliance with GDPR requirements and to incorporate best practices as they evolve.
Significant changes to how we process personal data will be communicated to affected individuals and reflected in updates to this page and our Privacy Policy.
Supervisory Authority
Our lead supervisory authority is the Information Commissioner's Office (ICO). If you have concerns about our data processing practices that we haven't resolved to your satisfaction, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: www.glimmer-tech.com
Online reporting: glimmer-tech.com/make-a-complaint/
Contact Our Data Protection Team
For any questions about our GDPR compliance or to exercise your data protection rights:
Email: [email protected]
Post: Data Protection, Glimmer Tech Limited, 45 Queen Square, Bristol, BS1 4LH, United Kingdom