GDPR Compliance
Our commitment to data protection under UK GDPR
Overview
lamplight-crossing is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides information about how we comply with these regulations.
Data Controller
For the purposes of UK GDPR, lamplight-crossing is the data controller responsible for your personal information.
Contact details:
lamplight-crossing
47 Candlemaker Row
Edinburgh EH1 2QE
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so. The lawful bases we rely on include:
Consent
You have given clear consent for us to process your personal data for specific purposes, such as receiving marketing communications or enrolling your child in our programs.
Contract
Processing is necessary for a contract we have with you, such as delivering educational services you have purchased.
Legal Obligation
Processing is necessary for us to comply with legal obligations, such as maintaining educational records or financial reporting requirements.
Legitimate Interests
Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided these interests do not override your fundamental rights and freedoms.
Your Rights Under GDPR
Under UK GDPR, you have the following rights regarding your personal data:
Right to be Informed
You have the right to be informed about the collection and use of your personal data. This is provided through our Privacy Policy and this GDPR page.
Right of Access
You can request access to your personal data and receive a copy of the personal information we hold about you. This is commonly known as a "subject access request."
Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to the processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Right to Restrict Processing
You can request that we restrict how we use your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not engage in automated decision-making or profiling.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us at [email protected] with:
- Your full name
- Contact information
- Details of your request
- Proof of identity (for subject access requests)
We will respond to your request within one month, though this may be extended by two additional months for complex requests. We will inform you if an extension is necessary.
Data Protection Principles
We adhere to the following GDPR data protection principles when processing personal data:
Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner.
Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
Data Minimization
We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date.
Storage Limitation
We keep personal data in a form that permits identification only for as long as necessary for the purposes for which it is processed.
Integrity and Confidentiality
We process personal data securely, protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability
We are responsible for and can demonstrate compliance with GDPR principles.
Children's Data Protection
Given that our services involve children and teenagers, we take extra care in handling their personal information:
- We obtain parental consent before collecting information about children under 16
- We collect only the minimum information necessary to deliver our educational services
- We implement age-appropriate security measures
- We ensure parents can exercise their children's GDPR rights
- We provide clear information about how children's data is used
Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, and availability of processing systems
- Ability to restore availability and access to personal data in a timely manner
- Regular testing and evaluation of security measures
Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, where feasible
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all data breaches, regardless of whether notification is required
International Data Transfers
We process personal data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:
- Standard contractual clauses approved by the UK authorities
- Adequacy decisions confirming appropriate data protection standards
- Binding corporate rules for intra-organizational transfers
Third-Party Processors
Where we use third-party service providers to process personal data on our behalf, we:
- Only use processors that provide sufficient guarantees of GDPR compliance
- Enter into data processing agreements establishing responsibilities
- Conduct due diligence on processor security measures
- Monitor processor compliance on an ongoing basis
Record Keeping
We maintain records of our processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Data transfers to third countries
- Retention periods
- Security measures
Complaints
If you believe we have not complied with GDPR requirements, you can:
- Contact us directly at [email protected] to raise your concerns
- Lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: lamplight-crossing.com
Updates to This Page
We may update this GDPR compliance information periodically to reflect changes in our practices or legal requirements. Please check this page regularly for updates.
For more detailed information about how we handle your personal data, please refer to our Privacy Policy.