GDPR Compliance

Your data protection rights explained

Last updated: 15 March 2026

Our Commitment to Data Protection

firm-bracket takes data protection seriously. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how we collect, process, and safeguard your personal information. This page explains our compliance approach and your rights as a data subject.

Data Controller Information

firm-bracket acts as the data controller for personal information we collect from clients and website visitors.

  • Company Name: firm-bracket Ltd
  • Address: 47 Meridian House, Canary Wharf, London E14 5HJ
  • ICO Registration Number: ZB284761
  • Contact Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by Article 6 of UK GDPR:

Contractual Necessity

When you engage our services, we process your information to deliver the benefits advice and application support you have requested. This includes assessing eligibility, preparing applications, and communicating with relevant authorities on your behalf.

Legitimate Interests

We process data where necessary for our legitimate business interests, provided these do not override your fundamental rights. This includes:

  • Maintaining records for quality assurance
  • Improving our services based on anonymised usage patterns
  • Protecting against fraud
  • Ensuring network and information security

Legal Obligations

Certain processing is required to comply with legal requirements, including financial record-keeping, anti-money laundering regulations, and responding to lawful requests from authorities.

Consent

Where no other lawful basis applies, we obtain your explicit consent before processing. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Special Category Data

Benefits advice often requires us to process special category data, particularly health information that affects entitlements to disability benefits. We process such data under Article 9(2)(a) of UK GDPR—explicit consent—which you provide when engaging our services.

We handle health data with particular care:

  • Access is limited to advisors directly working on your case
  • Medical information is stored separately with additional encryption
  • We only share health details with third parties (such as the DWP) with your explicit authorisation

Your Rights Under UK GDPR

Right of Access (Article 15)

You may request a copy of the personal data we hold about you. We will respond within one month, providing the information free of charge in most cases. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act.

Right to Rectification (Article 16)

If any personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We will act on rectification requests without undue delay.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis applies
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Note that legal and regulatory obligations may require us to retain certain records even after an erasure request.

Right to Restriction (Article 18)

You may request that we limit how we process your data while we verify accuracy, consider objections, or where processing is unlawful but you prefer restriction over erasure.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You may object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making (Article 22)

We do not use fully automated decision-making that produces legal effects concerning you. Benefits eligibility assessments are always reviewed by qualified human advisors.

Exercising Your Rights

To make a data subject request, contact us at:

Email: [email protected]
Post: Data Protection, firm-bracket, 47 Meridian House, Canary Wharf, London E14 5HJ

Please include:

  • Your full name and contact details
  • A clear description of your request
  • Any information that helps us locate your data (e.g., case reference number)

We may need to verify your identity before processing requests to protect your data from unauthorised disclosure.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when introducing new processing activities that may pose high risks to individuals' rights and freedoms. This ensures privacy considerations are embedded in our operations from the outset.

Third-Party Processors

Where we engage third parties to process data on our behalf, we ensure compliance through:

  • Written contracts meeting Article 28 requirements
  • Due diligence on security practices
  • Regular reviews of processor compliance

Processors only act on our documented instructions and are bound by confidentiality obligations.

International Data Transfers

We primarily process data within the United Kingdom. Where data is transferred internationally, we ensure adequate protection through:

  • Transfers to countries with UK adequacy decisions
  • Standard Contractual Clauses approved by the ICO
  • Other appropriate safeguards as recognised under UK GDPR

Data Breach Procedures

We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware
  • Inform affected individuals without undue delay where required
  • Document the breach and remedial actions taken

Complaints

If you believe we have not handled your data appropriately, please contact us first so we can address your concerns. If you remain dissatisfied, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Updates to This Information

We review our GDPR compliance documentation regularly and update it to reflect changes in law, our practices, or regulatory guidance. Material changes will be communicated to clients directly.