GDPR Compliance

Last updated: January 2024

Our Commitment to GDPR

Spark Shock is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and how you can exercise your rights under these regulations.

Data Controller

Spark Shock is the data controller for personal information collected through our website and services. This means we determine the purposes and means of processing your personal data.

Contact Details:
Spark Shock
47 Commerce Street
Liverpool L2 8RT
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract: Processing necessary to perform a contract with you (e.g., delivering educational services you have booked)
• Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g., marketing communications)
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these do not override your rights (e.g., improving our services)
• Legal Obligation: Processing necessary to comply with the law (e.g., safeguarding requirements)

Your Rights Under GDPR

The UK GDPR provides you with the following rights:

Right to be Informed

You have the right to know how we collect and use your personal data. This information is provided in our Privacy Policy and this GDPR page.

Right of Access

You have the right to request a copy of the personal information we hold about you. This is known as a Subject Access Request (SAR). We will respond to your request within one month.

Right to Rectification

You have the right to have inaccurate personal data corrected or incomplete data completed. Contact us to update your information.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose. This right is not absolute and may be subject to legal retention requirements.

Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain circumstances, for example while we verify the accuracy of data you have questioned.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer that data to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or direct marketing. If you object to direct marketing, we will stop processing immediately.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making in our services.

Children's Data

Given the nature of our services, we process personal data relating to children. We take additional precautions with children's data:

• We require parental or guardian consent before collecting any child's personal information
• We collect only the minimum data necessary to deliver our educational services
• We never use children's data for marketing purposes
• We implement enhanced security measures for children's records
• Parents or guardians can request access to, correction of, or deletion of their child's data at any time

Data Retention

We retain personal data only for as long as necessary:

• Enquiry data: Deleted after 12 months if no booking is made
• Participant records: Retained for 7 years after last service (safeguarding requirement)
• Payment records: Retained for 6 years (tax compliance)
• Marketing consent: Reviewed annually and removed if no engagement

International Transfers

We primarily process data within the United Kingdom. If any data is transferred outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office.

Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit and at rest
• Access controls limiting who can view personal data
• Regular security assessments
• Staff training on data protection
• Incident response procedures

Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and will inform affected individuals without undue delay.

Exercising Your Rights

To exercise any of your rights under GDPR, please contact us:

• Email: [email protected]
• Post: Spark Shock, 47 Commerce Street, Liverpool L2 8RT

We will respond to your request within one month. If your request is complex, we may extend this by a further two months, but we will inform you of any extension within the first month.

Complaints

If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk