GDPR Compliance
Our commitment to protecting your data rights under UK data protection law
Our Commitment to Data Protection
Brilliance Halo Limited is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal information and respecting your data rights.
This page provides specific information about your rights under data protection law and how we fulfil our obligations as a data controller.
Data Controller Information
Brilliance Halo Limited is the data controller responsible for your personal data. Our details are:
Brilliance Halo Limited
42 Threadneedle Street
London EC2R 8AY
United Kingdom
Email: [email protected]
Company Number: 09127845
Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right to Be Informed
You have the right to clear information about how we collect and use your personal data. We provide this through our Privacy Policy and this GDPR page.
Right of Access
You have the right to request access to the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide you with:
- Confirmation that we are processing your personal data
- A copy of your personal data
- Additional information about how we process your data
We will respond to your SAR within one month of receipt. This period may be extended by two further months where requests are complex or numerous.
Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete data completed. We will respond to rectification requests within one month and will notify any third parties with whom we have shared the data of the correction.
Right to Erasure
Also known as the 'right to be forgotten', you can request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
This right is not absolute. We may need to retain certain information to comply with legal obligations, particularly as a financial services provider subject to regulatory requirements.
Right to Restrict Processing
You can request that we restrict processing of your personal data in specific situations:
- You contest the accuracy of the data
- Processing is unlawful but you don't want the data erased
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification of our legitimate grounds
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This applies where:
- Processing is based on consent or contract
- Processing is carried out by automated means
Right to Object
You have the right to object to processing of your personal data where:
- Processing is based on legitimate interests or public interest
- Processing is for direct marketing purposes
- Processing is for research or statistical purposes
When you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. We do not currently use automated decision-making in our services.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us:
- Email: [email protected]
- Post: Data Protection Enquiries, Brilliance Halo Limited, 42 Threadneedle Street, London EC2R 8AY
When submitting a request, please provide:
- Your full name and contact details
- Details of your request and the right you wish to exercise
- Any relevant reference numbers or account information
- Proof of identity (we need to verify your identity before responding)
Response Timeframes
We will respond to requests to exercise your rights without undue delay and within one month of receipt. This period may be extended by two further months where requests are complex or numerous. We will inform you of any extension within one month of receiving the request, along with reasons for the delay.
Fees
We do not charge a fee for exercising your data protection rights unless:
- Your request is clearly unfounded or excessive
- You request further copies of data beyond the first free copy
Where we charge a fee, it will be reasonable and based on administrative costs.
Lawful Basis for Processing
We only process your personal data when we have a lawful basis to do so. The lawful bases we rely on include:
- Consent: You have given clear consent for us to process your personal data for specific purposes
- Contract: Processing is necessary for a contract we have with you or to take steps at your request before entering into a contract
- Legal Obligation: Processing is necessary for us to comply with legal obligations as a financial services provider
- Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, except where overridden by your rights and interests
Data Minimisation
We adhere to the principle of data minimisation, collecting only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy and Storage Limitation
We take reasonable steps to ensure personal data is accurate and kept up to date. We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymisation and encryption of personal data
- Ongoing confidentiality, integrity, availability, and resilience of systems
- Regular testing and evaluation of security measures
- Processes for restoring access to data following incidents
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office where required by law.
Third-Party Processors
Where we use third-party processors to handle personal data on our behalf, we ensure:
- Appropriate contracts are in place
- Processors provide sufficient guarantees of security
- Processors only act on our documented instructions
- Processing is subject to appropriate oversight
International Transfers
If we transfer your personal data outside the United Kingdom, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising equivalent data protection standards
- Standard contractual clauses approved by the UK authorities
- Binding corporate rules
Complaints
If you have concerns about how we handle your personal data, please contact us first so we can address your concerns. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Updates to This Page
We may update this GDPR information from time to time to reflect changes in law or our practices. Please check this page periodically for updates. The date of the last update appears at the top of this page.