GDPR Compliance Statement

Our commitment to protecting your data under UK GDPR

Our GDPR Commitment

novo-plant is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented comprehensive measures to ensure your personal information is processed lawfully, fairly, and transparently.

Data Controller Information

For the purposes of UK GDPR, novo-plant is the data controller responsible for your personal information.

Contact Details:
novo-plant
42 Kingsway Road
Manchester M19 1PL
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so under UK GDPR. The lawful bases we rely on include:

Consent

Where you have given us clear, informed consent to process your personal data for specific purposes. You may withdraw consent at any time by contacting us.

Contract Performance

Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (such as providing benefits assessment services).

Legal Obligation

Processing is necessary for compliance with legal obligations, such as maintaining records required by professional standards bodies.

Legitimate Interests

Processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, or ensuring network security, provided these interests are not overridden by your fundamental rights and freedoms.

Special Category Data

In the course of providing benefits support services, we may process special category data, including:

  • Health information (relevant for disability benefits)
  • Information about social security benefits
  • Financial data

We process special category data only when:

  • You have given explicit consent
  • Processing is necessary for establishing, exercising, or defending legal claims
  • Processing is necessary for reasons of substantial public interest

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation that we are processing your data, access to your personal data, and information about how we process it.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request without undue delay and within one month of receipt, though this period may be extended by two additional months if necessary, considering the complexity and number of requests.

We may request proof of identity to verify your request and ensure we disclose data only to the correct individual.

Data Protection Principles

We adhere to the UK GDPR data protection principles, ensuring that personal data is:

  • Processed lawfully, fairly, and transparently: We are clear about how we use your data
  • Collected for specified, explicit, and legitimate purposes: We only collect data for defined reasons
  • Adequate, relevant, and limited: We collect only what is necessary
  • Accurate and up to date: We take steps to ensure data accuracy
  • Kept no longer than necessary: We retain data only as long as needed
  • Processed securely: We implement appropriate security measures

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication procedures
  • Staff training on data protection and security
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery plans

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a qualifying breach.

International Data Transfers

We do not routinely transfer personal data outside the United Kingdom. If we do need to transfer data internationally, we will ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the ICO
  • Transfers to countries with adequacy decisions
  • Other legally approved transfer mechanisms

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Active client cases: Duration of service provision
  • Closed cases: Seven years following case closure (professional standards requirement)
  • Marketing contacts: Until consent is withdrawn or the data is no longer relevant
  • Website analytics: Typically 26 months

After the retention period expires, personal data is securely deleted or anonymized.

Third-Party Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they:

  • Process data only according to our documented instructions
  • Implement appropriate security measures
  • Have contractual obligations aligned with UK GDPR requirements
  • Allow us to audit their compliance

Children's Data

Our services are not directed at children under 18. Where we process data of individuals under 18 (for example, in family benefits cases), we ensure parental or guardian consent is obtained where required by law.

Updates to This Statement

We may update this GDPR Compliance Statement periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting an updated version on our website.

Contact and Complaints

If you have questions about our GDPR compliance or wish to exercise your rights, contact us at:

Email: [email protected]
Address: 42 Kingsway Road, Manchester M19 1PL, United Kingdom

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: novo-plant.com
