GDPR Compliance
Our commitment to protecting your data rights under UK GDPR
Our GDPR Commitment
shine-mosaic is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented comprehensive measures to ensure your personal information is processed lawfully, fairly, and transparently.
Data Controller Information
For the purposes of UK GDPR, shine-mosaic is the data controller responsible for your personal information.
Data Controller: shine-mosaic
Address: 42 Clerkenwell Road, London EC1M 5PS, United Kingdom
Contact: [email protected]
Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
1. Right to Be Informed
You have the right to clear, transparent information about how we collect and use your personal data. This information is provided through our Privacy Policy and this GDPR statement.
2. Right of Access
You have the right to request access to your personal data. This is commonly known as a "subject access request" and allows you to receive a copy of the personal data we hold about you and to verify that we are processing it lawfully.
We will provide this information free of charge within one month of your request, unless your request is complex or you have made multiple requests, in which case we may extend this period by two further months.
3. Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data we hold about you. We will respond to rectification requests within one month and will inform any third parties with whom we have shared your data about the correction.
4. Right to Erasure
Also known as the "right to be forgotten," this right allows you to request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
This right is not absolute, and we may need to retain certain information for legal or regulatory reasons.
5. Right to Restrict Processing
You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing. When processing is restricted, we may store the data but not actively use it.
6. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies when:
- Processing is based on your consent or on a contract
- Processing is carried out by automated means
7. Right to Object
You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. You also have an absolute right to object to processing for direct marketing purposes at any time.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making or profiling.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us using the following methods:
- Email: [email protected]
- Post: shine-mosaic, 42 Clerkenwell Road, London EC1M 5PS, United Kingdom
When making a request, please provide sufficient information to allow us to identify you and verify your identity. We may request additional information to confirm your identity and ensure we are disclosing personal data to the correct person.
Our Data Processing Principles
We adhere to the following data processing principles as required by UK GDPR:
- Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
- Data Minimization: We collect only the data that is adequate, relevant, and limited to what is necessary
- Accuracy: We take steps to ensure personal data is accurate and kept up to date
- Storage Limitation: We retain data only for as long as necessary for the purposes for which it was collected
- Integrity and Confidentiality: We process data securely, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage
- Accountability: We are responsible for demonstrating compliance with these principles
Legal Bases for Processing
We process your personal data based on one or more of the following legal bases:
- Consent: You have given clear, affirmative consent for processing for specific purposes
- Contract: Processing is necessary to fulfill a contract with you or to take steps at your request before entering a contract
- Legal Obligation: Processing is necessary to comply with legal or regulatory requirements
- Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms
Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security testing and monitoring
- Access controls and authentication procedures
- Staff training on data protection and security
- Incident response and breach notification procedures
- Regular review and update of security measures
Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay.
Third-Party Processing
When we engage third-party service providers who process personal data on our behalf, we ensure:
- A written contract is in place governing the processing
- The processor provides sufficient guarantees of appropriate security measures
- The processor only acts on our documented instructions
- The processor maintains confidentiality and security of personal data
- The processor assists us in fulfilling our GDPR obligations
International Data Transfers
We primarily process and store data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognizing equivalent data protection standards
- Standard contractual clauses approved by regulatory authorities
- Binding corporate rules for intra-group transfers
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in high risk to individuals' rights and freedoms. These assessments help us identify and minimize data protection risks.
Records of Processing Activities
We maintain comprehensive records of our processing activities as required by UK GDPR, documenting the purposes of processing, data categories, recipients, retention periods, and security measures.
Children's Data
Our services are not directed at children under 18 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
Complaints and Supervisory Authority
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
However, we would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first so we can attempt to resolve any issues.
Updates to This Statement
We may update this GDPR compliance statement periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated statement on our website.
Questions and Contact
If you have questions about our GDPR compliance, data protection practices, or wish to exercise your rights, please contact us:
Email: [email protected]
Post: shine-mosaic, 42 Clerkenwell Road, London EC1M 5PS, United Kingdom