GDPR Compliance

Our commitment to data protection and your rights under UK GDPR.

Last updated: January 2024

Our Commitment to Data Protection

dusk-rails Limited takes data protection seriously. We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This page provides detailed information about how we meet these obligations.

Data Controller Information

dusk-rails Limited acts as a data controller for personal information collected through our website and direct interactions. Our details are:

dusk-rails Limited
Company Number: 08234567
Registered Office: 47 Chancery Lane, London WC2A 1PL
Data Protection Contact: [email protected]

Lawful Bases for Processing

We process personal data under the following lawful bases as defined by UK GDPR:

Consent (Article 6(1)(a))

We rely on consent when you subscribe to our communications or agree to analytics cookies. Consent is always freely given, specific, informed, and unambiguous. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Contract (Article 6(1)(b))

When you engage us for consulting services, we process your data as necessary for the performance of our contract with you or to take steps at your request before entering into a contract.

Legitimate Interests (Article 6(1)(f))

We may process data based on our legitimate interests, provided these do not override your fundamental rights. Our legitimate interests include:

  • Improving and securing our website
  • Understanding how visitors use our services
  • Responding to enquiries and providing requested information
  • Protecting our business from fraud and legal claims

We conduct legitimate interest assessments to ensure our processing is fair and balanced.

Your Rights Under UK GDPR

UK GDPR grants you specific rights regarding your personal data. We are committed to facilitating these rights:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about our processing activities. We will respond to valid access requests within one month.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data or completion of incomplete data. We will make corrections promptly and inform any third parties to whom we have disclosed the data.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose, when you withdraw consent, or when you object to processing and there are no overriding legitimate grounds.

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data while we address a concern you have raised, such as during the period we are verifying the accuracy of your data or considering an objection you have raised.

Right to Data Portability (Article 20)

For data processed based on consent or contract and by automated means, you can request your data in a structured, commonly used, machine-readable format. You can also request that we transmit this data directly to another controller where technically feasible.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing immediately. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in such automated decision-making, but if this changes, we will inform you and provide appropriate safeguards.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within one month, though this period may be extended by two additional months for complex requests, in which case we will inform you of the delay.

There is no fee for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

Data Protection Measures

We implement technical and organisational measures to ensure a level of security appropriate to the risk of our processing activities:

  • Encryption: Personal data is encrypted both in transit (using TLS) and at rest.
  • Access Controls: Staff access to personal data is limited to those who require it for their role, with appropriate authentication measures.
  • Regular Assessments: We conduct regular security assessments and penetration testing of our systems.
  • Staff Training: All staff receive data protection training appropriate to their role.
  • Vendor Management: Third-party processors are vetted and bound by data processing agreements that meet UK GDPR requirements.
  • Incident Response: We maintain procedures to detect, respond to, and report data breaches within required timeframes.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay.

International Data Transfers

Your data is primarily processed within the United Kingdom. When we transfer data outside the UK, we ensure compliance with Chapter V of UK GDPR by implementing appropriate safeguards such as:

  • Transfers to countries with adequacy decisions
  • Standard contractual clauses approved by the Information Commissioner
  • Binding corporate rules where applicable

Data Protection Impact Assessments

For processing activities likely to result in high risk to individuals, we conduct Data Protection Impact Assessments (DPIAs) to identify and minimise data protection risks. This includes new technologies, large-scale processing, and systematic monitoring of public areas.

Records of Processing Activities

We maintain records of our processing activities as required by Article 30 of UK GDPR. These records document the purposes of processing, categories of data subjects and data, recipients, transfers, retention periods, and security measures.

Supervisory Authority

The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the United Kingdom. If you are not satisfied with how we handle your data or respond to your requests, you have the right to lodge a complaint with the ICO:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: dusk-rails.com

We encourage you to contact us first so we can address your concerns directly.

Contact Our Data Protection Team

For any questions about this GDPR compliance information or our data protection practices, please contact:

Data Protection Team
dusk-rails Limited
47 Chancery Lane
London WC2A 1PL
Email: [email protected]