GDPR Compliance
Last updated: 9 April 2026
Our commitment to data protection
Brilliant Cascade Limited is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and respect your rights under these regulations.
Data controller information
For the purposes of data protection legislation, Brilliant Cascade Limited is the data controller responsible for your personal information.
Registered company: Brilliant Cascade Limited
Company number: 07823456
ICO registration: ZA123456
Registered address: 42 Tavistock Street, Covent Garden, London WC2E 7PB
Contact email: [email protected]
Lawful basis for processing
We process personal data only when we have a lawful basis under UK GDPR. The specific legal basis depends on the context:
Contractual necessity
When you or your organisation engage our services, we process personal data necessary to fulfil our contractual obligations. This includes:
- Delivering training programmes and related services
- Communicating about programme logistics and content
- Providing materials and resources to participants
- Tracking progress and issuing certificates or records
Legitimate interests
We process certain data based on legitimate business interests, provided these don't override your fundamental rights and freedoms. Our legitimate interests include:
- Responding to enquiries and potential client communications
- Improving our services through feedback analysis
- Maintaining client relationships and providing relevant information
- Protecting our business from fraud or security threats
- Understanding website usage to enhance user experience
We conduct regular balancing assessments to ensure our interests are proportionate and don't unfairly impact your rights.
Legal obligation
We process data when required to comply with legal obligations, including:
- Tax and accounting record-keeping requirements
- Responses to lawful requests from regulators or courts
- Health and safety reporting where applicable
Consent
For certain processing activities, we rely on your explicit consent, such as:
- Marketing communications to individuals who aren't existing clients
- Non-essential cookies and analytics (see our Cookies Policy)
- Sharing testimonials or case studies that include identifiable information
When we rely on consent, you can withdraw it at any time by contacting us, though this won't affect the lawfulness of processing before withdrawal.
Data protection principles
We adhere to the core principles of UK GDPR in all data processing activities:
Lawfulness, fairness, and transparency
We process data lawfully under appropriate legal bases, treat individuals fairly, and provide clear information about our processing activities through this documentation.
Purpose limitation
We collect personal data for specific, explicit purposes and don't use it in ways incompatible with those purposes without obtaining fresh consent or establishing a new lawful basis.
Data minimisation
We collect only the personal data necessary for our stated purposes. We don't gather information "just in case" it might prove useful later.
Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. We provide mechanisms for you to correct inaccuracies, and we periodically review the data we hold.
Storage limitation
We retain personal data only as long as necessary for the purposes for which it was collected or to meet legal obligations. See our Privacy Policy for specific retention periods.
Integrity and confidentiality
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability
We maintain documentation demonstrating our compliance with data protection principles and can provide evidence of our compliance measures when required.
Your rights under GDPR
UK GDPR grants you specific rights regarding your personal information. Here's a detailed explanation of each right and how to exercise it:
Right to be informed
You have the right to know how your personal data will be used before or when we collect it. We provide this information through our privacy notices, this GDPR page, and communications when we collect data.
Right of access
You can request confirmation of whether we process your personal data and obtain a copy of that data along with supplementary information about how we use it. This is commonly known as a Subject Access Request (SAR).
How to exercise: Email your request to [email protected] with sufficient information for us to verify your identity and locate your data.
Response time: One month from receipt, extendable by two months for complex requests.
Fee: Free for the first request; we may charge a reasonable fee for manifestly unfounded or excessive requests.
Right to rectification
You can request correction of inaccurate personal data and completion of incomplete data. We'll notify any third parties to whom we've disclosed the data about the correction unless this proves impossible or involves disproportionate effort.
How to exercise: Contact us with details of the inaccuracy and the correct information.
Response time: One month from receipt.
Right to erasure (right to be forgotten)
You can request deletion of your personal data in specific circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent on which processing was based and no other legal ground exists
- You object to processing and we have no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is necessary to comply with a legal obligation
This right isn't absolute. We may refuse erasure if we need the data to comply with legal obligations, exercise legal claims, or for archiving purposes in the public interest.
How to exercise: Email your request explaining why you believe erasure is appropriate.
Response time: One month from receipt.
Right to restrict processing
You can request that we limit how we use your data (but continue to store it) in these situations:
- You contest the accuracy of the data whilst we verify it
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you require it for legal claims
- You've objected to processing whilst we determine whether our legitimate grounds override yours
How to exercise: Contact us specifying the grounds for restriction.
Response time: One month from receipt.
Right to data portability
You can receive personal data you've provided to us in a structured, commonly used, machine-readable format and transmit it to another controller when:
- Processing is based on consent or contract
- Processing is carried out by automated means
This right doesn't apply to all data we hold, only data you've directly provided.
How to exercise: Request the data you want to port and specify the format if you have a preference.
Response time: One month from receipt.
Right to object
You can object to processing based on legitimate interests or for direct marketing purposes.
Direct marketing: We must stop processing for marketing immediately upon objection.
Legitimate interests: We'll cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing relates to legal claims.
How to exercise: Email us stating your objection and the grounds for it.
Response time: One month from receipt for legitimate interests objections; immediate for direct marketing.
Rights related to automated decision-making and profiling
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not engage in automated decision-making or profiling that would trigger this right.
Data security measures
We implement technical and organisational measures appropriate to the risk level of our processing activities:
Technical measures
- Encryption of data in transit using TLS protocols
- Encryption of sensitive data at rest
- Regular security updates and patch management
- Firewall and intrusion detection systems
- Secure authentication and access controls
- Regular security testing and vulnerability assessments
Organisational measures
- Staff training on data protection responsibilities
- Clear policies and procedures for data handling
- Access restrictions based on need-to-know principles
- Data protection impact assessments for high-risk processing
- Incident response procedures
- Regular compliance audits
Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
- Document the breach, its effects, and remedial action taken
Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address it.
Third-party processors
When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of GDPR compliance through:
- Written contracts specifying the subject matter, duration, nature, and purpose of processing
- Obligations to process data only on our documented instructions
- Confidentiality commitments from persons authorised to process data
- Requirements to implement appropriate security measures
- Assistance obligations for data subject rights requests
- Data deletion or return requirements upon termination
International data transfers
If we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with adequacy decisions from the UK government
- Standard contractual clauses approved by UK authorities
- Binding corporate rules for intra-group transfers
- Certification schemes demonstrating adequate protection
You can request information about specific safeguards applied to transfers of your data by contacting us.
Children's data
Our services target business professionals and organisations. We don't knowingly collect or process personal data of children under 16. If we become aware we've inadvertently collected such data, we'll delete it promptly and notify the ICO if required.
Making a complaint
If you believe we've processed your data in violation of UK GDPR or haven't adequately addressed your concerns, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: brilliant-cascade.com
We encourage you to contact us first so we can attempt to resolve your concerns directly.
Updates to our GDPR compliance
We regularly review and update our data protection practices to maintain compliance with evolving regulations and guidance. Material changes to how we process your data will be communicated through updates to our privacy documentation and, where appropriate, direct notification.
Contact us about GDPR
For questions about GDPR compliance, to exercise your rights, or to raise concerns about how we process your personal data:
Email: [email protected]
Subject line: GDPR Enquiry / Data Subject Rights Request
Post: Brilliant Cascade Limited, 42 Tavistock Street, Covent Garden, London WC2E 7PB
Please provide sufficient information to help us verify your identity and locate your data. We'll respond within the statutory timeframes outlined above.