GDPR Compliance

Our commitment to protecting your personal data under UK GDPR

Data Controller Information

driftwood-adventure is the data controller responsible for your personal information. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: driftwood-adventure
Address: 47 Ridgeway Lane, Birmingham B15 3QR, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so:

Consent

When you provide explicit consent for us to process your personal information for specific purposes, such as:

  • Contacting you about our services
  • Obtaining medical evidence from healthcare providers
  • Sending marketing communications (you may withdraw consent at any time)

Contractual Necessity

Processing necessary to fulfill our contract with you, including:

  • Preparing and submitting benefit applications
  • Providing case management services
  • Representing you in appeals

Legal Obligation

Processing required to comply with legal requirements, such as:

  • Maintaining financial records for tax purposes
  • Responding to court orders or regulatory inquiries
  • Preventing fraud and money laundering

Legitimate Interests

Processing necessary for our legitimate business interests, balanced against your rights:

  • Improving our services based on feedback
  • Network and information security
  • Internal administrative purposes

Your GDPR Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your data, provided through this notice and our Privacy Policy.

Right of Access

You can request a copy of the personal data we hold about you. We will provide this within one month of your request, free of charge in most cases.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. We will update our records within one month.

Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may be legally required to retain certain information (e.g., financial records for tax purposes) despite erasure requests.

Right to Restrict Processing

You can request that we limit how we use your data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification of our legitimate grounds

Right to Data Portability

You can request that we transfer your data to another organization or provide it to you in a structured, commonly used, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We must stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at:

Email: [email protected]
Subject line: "GDPR Request - [Type of Request]"

Please include:

  • Your full name and contact details
  • Description of your request
  • Any relevant reference numbers or dates
  • Proof of identity (to prevent unauthorized disclosure)

We will respond to all legitimate requests within one month. If your request is particularly complex, we may extend this by two additional months and will inform you of the extension.

Data Protection Officer

For matters specifically related to data protection, you may contact our designated Data Protection Officer:

Email: [email protected]

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption: Sensitive data is encrypted both in transit (TLS/SSL) and at rest
  • Access controls: Role-based access ensures only authorized personnel can view your data
  • Regular audits: Periodic security assessments identify and address vulnerabilities
  • Staff training: All employees receive data protection training
  • Incident response: Procedures in place to detect, report, and investigate data breaches

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach
  • Inform affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and steps being taken

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognizing equivalent data protection standards
  • Standard contractual clauses approved by the UK authorities
  • Binding corporate rules or certification schemes

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we ensure they:

  • Provide sufficient guarantees of compliance with UK GDPR
  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist us in responding to data subject requests
  • Notify us of any data breaches

Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Website: driftwood-adventure.com
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first so we can address your concerns directly.

Updates to This Notice

We may update this GDPR compliance notice to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website and, where appropriate, via email.

Last updated: 10 May 2026