brightsonar

GDPR Compliance

Last updated: 9 April 2026

Our Commitment to Data Protection

brightsonar is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018. This document explains how we fulfil our obligations and respect your rights under these regulations.

Data Controller Information

brightsonar acts as the data controller for personal information we collect through our website and workshop programmes.

brightsonar Creative Studios
42 Eastgate
Leeds LS2 7JL
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The specific basis depends on the purpose of processing.

Contractual Necessity

When you book a workshop, we process your personal information to fulfil our contractual obligations. This includes sending confirmations, providing venue details, and delivering the educational services you've purchased.

Consent

We rely on your explicit consent for marketing communications. You provide this consent when joining our mailing list, and you can withdraw it at any time through unsubscribe links in our emails or by contacting us directly.

Legitimate Interests

We process certain data based on legitimate business interests, such as improving our services, preventing fraud, or maintaining network security. We've carefully balanced these interests against your rights and freedoms, ensuring they don't cause unwarranted harm.

Legal Obligations

Some processing is necessary to comply with legal requirements, such as maintaining financial records for tax purposes or cooperating with law enforcement when legally obligated.

Your Rights Under GDPR

The UK GDPR grants you comprehensive rights regarding your personal data. We've designed our systems and processes to make exercising these rights straightforward.

Right to Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. We'll provide this information in a structured, commonly used, machine-readable format within one month of your request.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you can ask us to correct it. We'll update our records promptly and notify any third parties with whom we've shared the data, where applicable.

Right to Erasure

In certain circumstances, you can request deletion of your personal data. This right applies when data is no longer necessary for its original purpose, you withdraw consent, you object to processing, or data has been processed unlawfully.

This right is not absolute. We may need to retain certain information to comply with legal obligations or establish legal claims.

Right to Restriction

You can request that we restrict processing of your personal data in specific situations, such as when you contest data accuracy, object to processing, or need us to retain data for legal claims even though we no longer require it.

Right to Data Portability

When processing is based on consent or contract performance and carried out by automated means, you can request that we transfer your data directly to another controller in a structured, commonly used format.

Right to Object

You can object to processing based on legitimate interests or conducted for direct marketing purposes. We'll stop such processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals.

How to Exercise Your Rights

To exercise any of your data protection rights, send an email to [email protected] with your request. Include sufficient information to allow us to verify your identity and understand what you're requesting.

We'll respond within one month, though complex requests may require up to two additional months. We'll inform you if an extension is necessary and explain the reasons.

We don't charge fees for rights requests unless they're manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or refuse the request.

Data Protection Principles

Our data handling practices adhere to the core principles established by UK GDPR.

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. Our privacy documentation clearly explains what we collect, why, and how we use it.

Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes. We don't process it in ways incompatible with those purposes.

Data Minimisation

We collect only data that's adequate, relevant, and limited to what's necessary for our stated purposes. We don't gather information just because it might be useful later.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is corrected or deleted without delay.

Storage Limitation

We retain personal data only as long as necessary for the purposes for which it was collected, or to comply with legal requirements. When data is no longer needed, we securely delete or anonymise it.

Integrity and Confidentiality

We implement appropriate security measures to protect personal data against unauthorised access, accidental loss, destruction, or damage.

Accountability

We maintain documentation demonstrating our compliance with data protection principles and can show how we've implemented appropriate measures.

Data Security Measures

We've implemented technical and organisational measures appropriate to the risks posed by our processing activities.

These measures include encryption of data in transit and at rest, access controls limiting who can view personal information, regular security assessments, staff training on data protection, and incident response procedures.

We regularly review and update our security practices to address emerging threats and vulnerabilities.

Data Breach Notification

In the event of a personal data breach that poses risks to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours of becoming aware of the breach.

If the breach is likely to result in high risk to you, we'll communicate it to you without undue delay, describing the nature of the breach, its likely consequences, and measures we're taking to address it.

Third-Party Processing

When we engage service providers to process personal data on our behalf, we ensure they provide sufficient guarantees regarding security and confidentiality.

We enter into written contracts with processors that specify their obligations, limit how they can use data, and require them to implement appropriate security measures. We conduct due diligence before engaging processors and monitor their compliance.

International Transfers

We primarily store and process data within the United Kingdom. When we transfer data outside the UK, we ensure appropriate safeguards are in place.

These may include adequacy decisions recognising that a destination country provides adequate protection, standard contractual clauses approved by regulatory authorities, or other legally recognised transfer mechanisms.

Data Protection Impact Assessments

When planning new processing activities that are likely to result in high risk to individuals' rights and freedoms, we conduct data protection impact assessments.

These assessments help us identify and minimise risks, ensuring we've considered privacy implications before implementing new systems or programmes.

Complaints and Supervision

If you have concerns about how we handle your personal data, please contact us at [email protected]. We take complaints seriously and will investigate them thoroughly.

You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Updates to This Document

We may update this GDPR compliance information to reflect changes in our practices or legal requirements. Significant changes will be communicated to active community members via email.

We recommend reviewing this document periodically to stay informed about how we protect your data and respect your rights.


© 2026 brightsonar. All rights reserved.
