GDPR Compliance
Last updated: January 2024
Our Commitment to Data Protection
Positive Vista Ltd is committed to protecting your personal data and respecting your privacy. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and how you can exercise your rights.
Data Controller
Positive Vista Ltd acts as the data controller for personal information collected through our website and in the course of providing our services. This means we determine the purposes and means of processing your personal data.
Contact details:
Positive Vista Ltd
47 Kensington Court
London W8 5DP
Email: [email protected]
Lawful Bases for Processing
We only process personal data when we have a valid legal basis. The bases we rely on include:
Contractual Necessity
When you engage our services, we process your personal data to fulfil our contractual obligations. This includes analysing your pension arrangements, providing recommendations, and implementing agreed strategies.
Legal Obligation
As a regulated financial services firm, we are required to collect and retain certain information to comply with regulatory requirements. This includes anti-money laundering checks and maintaining records for regulatory inspection.
Legitimate Interests
We may process personal data for our legitimate business interests where these do not override your fundamental rights. Examples include improving our services based on client feedback and protecting against fraud.
Consent
Where we rely on consent for processing, you have the right to withdraw that consent at any time. We will inform you when consent is the basis for processing and make it easy to withdraw.
Your Rights Under GDPR
The UK GDPR provides you with specific rights regarding your personal data:
Right to Be Informed
You have the right to know how we collect and use your personal data. This GDPR page and our Privacy Policy provide this information.
Right of Access
You can request a copy of the personal data we hold about you. We will respond within one month of receiving your request. There is no charge for this unless requests are manifestly unfounded or excessive.
Right to Rectification
If personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We aim to rectify information within one month of your request.
Right to Erasure
In certain circumstances, you can request deletion of your personal data. This right is not absolute and may be limited where we have legal obligations to retain data or where processing is necessary for legal claims.
Right to Restrict Processing
You can request that we limit how we use your personal data while issues are resolved, such as when you contest accuracy or have objected to processing.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used format for transfer to another organisation.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use fully automated decision-making in our services.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. Please provide sufficient information for us to verify your identity and locate your data. We will respond within one month, though this may be extended by two months for complex requests.
Data Protection Measures
We implement robust measures to protect your personal data:
- Encrypted storage and transmission of sensitive data
- Role-based access controls within our organisation
- Regular staff training on data protection
- Documented procedures for handling personal data
- Due diligence on third-party processors
- Incident response procedures for potential breaches
Data Breach Procedures
In the event of a personal data breach that poses a risk to your rights, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to you, we will also notify you directly and provide information about steps you can take.
International Transfers
We primarily process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.
Data Processing Agreements
When we engage third parties to process personal data on our behalf, we ensure appropriate contracts are in place that require them to protect your data and process it only as we instruct.
Record Keeping
We maintain records of our processing activities as required by Article 30 of the UK GDPR. These records document what personal data we process, why we process it, and how long we retain it.
Complaints
If you believe we have not handled your personal data properly, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Updates to This Information
We review our data protection practices regularly and will update this page when necessary. Significant changes will be communicated through our website.