GDPR Compliance
Your data protection rights and our commitments
Our Commitment to Data Protection
Frosty Pine is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines your rights as a data subject and explains how we fulfill our obligations as a data controller.
Data Controller Information
For the purposes of data protection legislation, the data controller is:
Company Name: Frosty Pine
Address: 42 Woodland Avenue, Birmingham, B15 3QR, United Kingdom
Email: [email protected]
Your Data Protection Rights
Under UK GDPR, you have the following rights concerning your personal data:
Right to Be Informed
You have the right to clear, transparent information about how we collect and use your personal data. This information is provided through our Privacy Policy and during our initial interactions with you.
Right of Access
You can request access to the personal data we hold about you. This is commonly known as a "Subject Access Request" and allows you to receive a copy of your data and verify that we're processing it lawfully.
How to exercise: Email us at [email protected] with your request. We will respond within one month and provide the information free of charge unless your request is manifestly unfounded or excessive.
Right to Rectification
If you believe any personal data we hold about you is inaccurate or incomplete, you can request that we correct or complete it.
How to exercise: Contact us with details of the information you believe is incorrect, and we will update our records within one month of verification.
Right to Erasure
Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose for which it was collected
- You withdraw consent for processing that was based on consent
- You object to processing and there are no overriding legitimate grounds
- The data was processed unlawfully
- The data must be erased to comply with a legal obligation
Limitations: This right is not absolute. We may need to retain certain information to comply with legal obligations, such as financial records required by tax authorities for seven years.
Right to Restrict Processing
You can request that we limit how we use your personal data in certain situations:
- You contest the accuracy of the data (restriction applies while we verify accuracy)
- Processing is unlawful, but you don't want the data erased
- We no longer need the data, but you need it for legal claims
- You've objected to processing (restriction applies while we consider whether our legitimate grounds override yours)
Right to Data Portability
You can request to receive personal data you provided to us in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another controller where technically feasible.
Applicability: This right applies only to data processed based on your consent or for contract performance, and only when processing is carried out by automated means.
Right to Object
You have the right to object to processing of your personal data in certain circumstances:
- Processing based on legitimate interests or performance of public interest tasks
- Direct marketing (we will stop immediately upon request)
- Processing for scientific or historical research, or for statistical purposes
Marketing: You can opt out of marketing communications at any time by contacting us or using unsubscribe links in our communications.
Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
Our Practice: We do not currently use automated decision-making or profiling in our business operations.
How We Process Your Data
Lawful Bases for Processing
We process personal data only when we have a lawful basis to do so:
Consent
For marketing communications and certain cookies, we rely on your explicit consent. You can withdraw consent at any time, and we will stop processing your data for that purpose.
Contract Performance
Processing is necessary to fulfill our contractual obligations when providing renovation and design services, including:
- Developing design proposals
- Executing renovation projects
- Managing payments and billing
- Providing after-service support
Legal Obligation
We process certain data to comply with legal requirements, such as:
- Maintaining financial records for tax purposes
- Retaining building control certificates and compliance documentation
- Keeping health and safety records
Legitimate Interests
We process some data based on legitimate business interests, provided these don't override your fundamental rights and freedoms. Examples include:
- Fraud prevention and security
- Network and information security
- Understanding how our services are used to make improvements
- Business administration and management
Data Minimisation
We collect and process only the personal data that is necessary for the specific purposes we've identified. We don't collect excessive information or retain data longer than necessary.
Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. We encourage you to inform us of any changes to your information and will update our records promptly.
Storage Limitation
We retain personal data only as long as necessary for the purposes for which it was collected:
- Enquiries that don't proceed: 2 years
- Client project records: 7 years after completion
- Financial records: 7 years (legal requirement)
- Marketing consent: Until withdrawn
Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage:
- Encryption of data in transit and at rest
- Access controls limiting who can view personal data
- Regular security assessments and penetration testing
- Staff training on data protection principles and security practices
- Secure disposal procedures for physical and electronic data
- Incident response procedures for potential data breaches
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Inform affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
- Provide clear information about the nature of the breach and steps being taken to address it
International Data Transfers
We primarily store and process data within the United Kingdom. If we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by relevant authorities
- Adequacy decisions confirming the destination provides adequate protection
- Other approved transfer mechanisms compliant with UK GDPR
Third-Party Processors
When we engage third parties to process personal data on our behalf (such as cloud storage providers or specialist subcontractors), we:
- Select processors who can provide sufficient guarantees of compliance
- Establish formal data processing agreements defining their obligations
- Ensure they process data only on our documented instructions
- Verify they implement appropriate security measures
- Monitor their compliance on an ongoing basis
Children's Data
Our services are directed at adults aged 18 and over. We do not knowingly collect or process personal data from children. If we become aware that we've inadvertently collected data from someone under 18, we will delete it promptly unless we have a lawful basis and parental consent to retain it.
Exercising Your Rights
To exercise any of your data protection rights, contact us at:
Email: [email protected]
Post: Frosty Pine, 42 Woodland Avenue, Birmingham, B15 3QR, United Kingdom
Our Response Process
- We will acknowledge your request within 48 hours
- We may request additional information to verify your identity
- We will respond substantively within one month of verification
- If your request is complex, we may extend the response time by two months and will explain why
- We will provide information and take action free of charge unless requests are manifestly unfounded or excessive
Right to Lodge a Complaint
If you're unhappy with how we've handled your personal data, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We encourage you to contact us first so we have the opportunity to address your concerns directly.
Data Protection Impact Assessments
For processing operations that are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) to identify and minimise risks. This systematic approach helps ensure we're protecting your data appropriately.
Regular Review and Updates
We regularly review our data protection practices to ensure ongoing compliance with UK GDPR requirements. This includes:
- Annual reviews of data processing activities
- Regular staff training on data protection
- Periodic security audits and assessments
- Updates to policies and procedures as needed
Contact and Questions
If you have questions about our GDPR compliance, your data protection rights, or how we process your personal data, please contact us:
Email: [email protected]
Post: Frosty Pine, 42 Woodland Avenue, Birmingham, B15 3QR, United Kingdom
We're committed to transparency and will address your questions openly and honestly.