GDPR Compliance
Last updated: April 2026
Brilliance Crest is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation and UK data protection laws. This page explains our compliance approach and your rights under GDPR.
Our Commitment to Data Protection
We take data protection seriously and have implemented comprehensive measures to ensure compliance with GDPR principles:
- Lawfulness, fairness, and transparency in all data processing
- Purpose limitation ensuring data is used only for specified purposes
- Data minimization by collecting only what is necessary
- Accuracy through regular review and update procedures
- Storage limitation with defined retention periods
- Integrity and confidentiality through robust security measures
- Accountability with documented policies and procedures
Data Controller Information
Brilliance Crest acts as the data controller for personal information we process. This means we determine the purposes and methods of processing your data.
Controller details:
- Name: Brilliance Crest
- Address: 14 Wellington Place, Leeds, LS1 4AP, United Kingdom
- Email: [email protected]
We have appointed a Data Protection Officer who oversees our compliance efforts and can be contacted at the address above.
Lawful Basis for Processing
We process personal data only when we have a lawful basis under GDPR. For our services, we typically rely on:
- Contractual necessity: Processing is essential to fulfill our service agreement with you
- Legitimate interests: We have valid business reasons for processing, balanced against your rights and freedoms
- Legal obligations: Certain processing is required by UK law or regulation
- Explicit consent: For sensitive data such as health information, we obtain your clear permission
We document the lawful basis for each processing activity and make this information available upon request.
Your Rights Under GDPR
GDPR grants you comprehensive rights regarding your personal data. These rights include:
Right to Be Informed
You have the right to clear information about how we collect and use your data. We provide this through our privacy policy and service agreements.
Right of Access
You can request a copy of all personal data we hold about you. We provide this free of charge within one month. The information includes what data we process, why we process it, who we share it with, and how long we retain it.
Right to Rectification
If any personal information we hold is inaccurate or incomplete, you can request correction. We respond within one month and notify any third parties with whom we shared the incorrect data.
Right to Erasure
Also known as the right to be forgotten, this right allows you to request deletion of your personal data in certain circumstances, including when:
- The data is no longer necessary for the original purpose
- You withdraw consent on which processing was based
- You object to processing and no overriding legitimate grounds exist
- The data has been unlawfully processed
This right has limitations. We may need to retain information to comply with legal obligations or defend legal claims.
Right to Restrict Processing
You can ask us to limit how we use your data while we investigate concerns you raise about accuracy, lawfulness, or legitimate interests. During restriction, we can store the data but not actively process it without your consent.
Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format. This allows you to transfer information between service providers. This right applies to data you provided based on consent or contract.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision Making
You have rights regarding automated decision making and profiling. We do not use automated systems to make decisions that significantly affect you. All case assessments involve human judgment and expertise.
Exercising Your Rights
To exercise any GDPR rights, contact us by email at [email protected] or write to us at 14 Wellington Place, Leeds, LS1 4AP.
When making a request, please provide sufficient information to identify you and specify which right you wish to exercise. We may request additional information to verify your identity before releasing personal data.
We respond to requests within one month, though complex requests may take up to three months. If we extend the deadline, we'll inform you within the first month and explain why additional time is needed.
Most requests are handled free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.
Data Security Measures
We implement appropriate technical and organizational measures to protect personal data:
- Encryption of data in transit and at rest
- Secure password policies and multi-factor authentication
- Regular security assessments and penetration testing
- Staff training on data protection and security
- Strict access controls limiting who can view data
- Regular backups with secure storage
- Incident response procedures for potential breaches
Data Breach Procedures
In the unlikely event of a data breach, we have procedures to respond quickly and appropriately:
- We will notify the Information Commissioner's Office within 72 hours if the breach poses a risk to individuals' rights
- We will inform affected individuals without undue delay if the breach poses a high risk to their rights
- We document all breaches and our response, even when notification is not required
- We investigate root causes and implement measures to prevent recurrence
International Data Transfers
We store and process all data within the United Kingdom. We do not transfer personal data outside the UK except in exceptional circumstances with appropriate safeguards and your consent.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments for processing activities that pose high risks to individuals' rights. These assessments identify risks and implement measures to mitigate them.
Privacy by Design
We incorporate data protection principles into all systems and processes from the outset. This includes minimizing data collection, implementing strong security, and ensuring transparency about data use.
Third-Party Processors
When we engage third-party service providers who process personal data on our behalf, we ensure they:
- Provide sufficient guarantees of GDPR compliance
- Process data only according to our documented instructions
- Maintain appropriate security measures
- Assist with fulfilling data subject rights requests
- Delete or return data when services end
We maintain written contracts with all processors documenting their obligations.
Retention and Deletion
We retain personal data only as long as necessary for the purposes it was collected. Standard retention periods are:
- Active case files: Duration of engagement
- Closed case files: Six years following case closure
- Financial records: Seven years for tax purposes
- Marketing consent records: Until consent is withdrawn
After retention periods expire, we securely delete data using methods that prevent recovery. Physical documents are shredded, and electronic data is overwritten.
Accountability and Governance
We demonstrate accountability through:
- Documented data protection policies and procedures
- Records of processing activities
- Regular staff training on GDPR requirements
- Privacy notices provided at point of data collection
- Regular audits of compliance
- Data protection impact assessments for high-risk processing
Changes to Our Practices
We review our data protection practices regularly to ensure continued compliance with GDPR. When we make significant changes to how we process personal data, we update our documentation and notify affected individuals.
Questions and Concerns
If you have questions about our GDPR compliance or concerns about how we handle your data, contact our Data Protection Officer at [email protected].
Right to Complain
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Information Commissioner's Office:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact Our Data Protection Officer
Email: [email protected]
Address: 14 Wellington Place, Leeds, LS1 4AP, United Kingdom