GDPR Information | goldenfrost-travel

Our Commitment to Data Protection

goldenfrost-travel is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document outlines how we fulfill our obligations as a data controller.

Data Controller Information

Entity Name: goldenfrost-travel
Registered Address: 142 Cromwell Road, Kensington, London SW7 4EF, United Kingdom
Contact Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases as defined in Article 6 of UK GDPR:

Article 6(1)(b) - Contract Performance

Processing necessary to fulfill our service agreement with you, including:

Assessing benefit eligibility
Providing application guidance and support
Delivering purchased services
Processing payments

Article 6(1)(f) - Legitimate Interests

Processing necessary for our legitimate business interests, including:

Improving service quality and effectiveness
Fraud prevention and security measures
Business administration and record-keeping
Website analytics and optimization

We conduct regular Legitimate Interests Assessments (LIAs) to ensure our interests do not override your fundamental rights and freedoms.

Article 6(1)(c) - Legal Obligation

Processing required to comply with legal obligations, such as:

Financial record retention (7 years under UK tax law)
Responding to lawful requests from authorities
Compliance with anti-money laundering regulations

Article 6(1)(a) - Consent

Processing based on your explicit consent for:

Marketing communications
Non-essential cookies
Coordinating with medical professionals on your behalf

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Special Category Data

Benefits applications often involve special category data under Article 9 UK GDPR, including health information and details about disabilities. We process this data under:

Article 9(2)(h) - Health and Social Care

Processing necessary for health or social care purposes, particularly assessment of eligibility for social welfare benefits.

Article 9(2)(a) - Explicit Consent

Where you provide explicit consent for us to process your health information to support benefit applications.

Special category data receives enhanced security protections and is only accessed by trained staff with legitimate need.

Your Rights Under UK GDPR

Right of Access (Article 15)

You may request confirmation of whether we process your personal data and receive a copy of that data. We respond within one month of receipt, free of charge for initial requests.

Right to Rectification (Article 16)

You may request correction of inaccurate personal data or completion of incomplete data. We action rectification requests within one month.

Right to Erasure (Article 17)

You may request deletion of your personal data where:

The data is no longer necessary for the original purpose
You withdraw consent and no other legal basis exists
You object to processing and no overriding legitimate grounds exist
Data has been unlawfully processed
Legal obligations require erasure

This right is not absolute. We may retain data where legal obligations require retention (e.g., financial records) or for establishment, exercise, or defense of legal claims.

Right to Restriction (Article 18)

You may request restriction of processing where:

You contest data accuracy (restricted while we verify)
Processing is unlawful but you prefer restriction to erasure
We no longer need the data but you require it for legal claims
You've objected to processing (restricted pending verification)

Right to Data Portability (Article 20)

You may receive personal data you've provided in a structured, commonly used, machine-readable format. This applies to data processed by automated means based on consent or contract.

Right to Object (Article 21)

You may object to processing based on legitimate interests or direct marketing. For direct marketing, we will cease processing immediately. For legitimate interests, we cease unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects. All service decisions involve human review.

Data Protection Principles

We process personal data in accordance with the six principles outlined in Article 5 UK GDPR:

1. Lawfulness, Fairness, and Transparency

We process data lawfully under defined legal bases, fairly without detriment to data subjects, and transparently by clearly communicating our practices.

2. Purpose Limitation

We collect data for specified, explicit, legitimate purposes and do not process it in ways incompatible with those purposes.

3. Data Minimisation

We collect only data adequate, relevant, and limited to what is necessary for the purposes for which it's processed.

4. Accuracy

We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.

5. Storage Limitation

We retain personal data only as long as necessary for the purposes for which it's processed, or as required by legal obligations.

6. Integrity and Confidentiality

We process data securely using appropriate technical and organizational measures to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Data Security Measures

We implement appropriate security measures including:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls limiting data access to authorized personnel
Regular security audits and penetration testing
Staff training on data protection obligations
Incident response procedures for data breaches
Secure data disposal protocols

Data Breach Procedures

In the event of a personal data breach likely to result in risk to rights and freedoms, we will:

Notify the Information Commissioner's Office within 72 hours of becoming aware
Document the breach including facts, effects, and remedial action
Notify affected individuals without undue delay if breach poses high risk
Take immediate steps to mitigate adverse effects

Third-Party Processors

Where we engage third-party data processors, we ensure:

Written contracts meeting Article 28 UK GDPR requirements
Processors only act on documented instructions
Appropriate technical and organizational security measures
Processor obligations regarding sub-processors
Assistance with data subject rights requests
Data deletion or return at end of services

International Data Transfers

Your data is primarily processed within the United Kingdom. Any international transfers comply with UK GDPR Chapter V requirements through:

Adequacy decisions recognizing equivalent protection
Standard contractual clauses approved by the ICO
Binding corporate rules where applicable

Exercising Your Rights

To exercise any of your rights under UK GDPR:

Email your request to [email protected]
Provide sufficient information to identify yourself and specify your request
We will verify your identity before actioning the request
We will respond within one month (extendable by two months for complex requests)
Requests are free of charge unless manifestly unfounded or excessive

Complaints and Supervisory Authority

If you believe we've failed to comply with UK GDPR, you may complain to:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: goldenfrost-travel.com

We encourage you to contact us first so we can address your concerns directly.

Updates to GDPR Compliance

We regularly review our data protection practices to ensure ongoing compliance with UK GDPR. This statement will be updated to reflect material changes in our processing activities or regulatory requirements.

Further Information

For detailed information about how we process your data, see our Privacy Policy.

For questions about GDPR compliance or to exercise your rights, contact [email protected].