AD
Aplomb Decisions
Legal

GDPR Policy

Last updated: June 2026

1. Overview

Aplomb Decisions Ltd is committed to processing personal data in a fair, lawful, and transparent manner in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This GDPR Policy sets out our commitments as a data controller and explains how we give effect to the data protection principles in our day-to-day operations.

2. Data Protection Principles

We adhere to the following principles when processing personal data:

  • Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimisation: We collect only the personal data that is necessary for the purpose for which it is processed.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
  • Storage limitation: Personal data is kept in a form that permits identification for no longer than is necessary.
  • Integrity and confidentiality: We process personal data in a manner that ensures appropriate security.

3. Lawful Basis for Processing

We rely on one or more of the following lawful bases for processing personal data:

  • Consent (Article 6(1)(a)): The data subject has given consent to the processing of their personal data for specific purposes.
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for the purposes of our legitimate interests, except where those interests are overridden by the interests or rights of the data subject.
  • Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation.

4. Data Subject Rights

Under UK GDPR, individuals whose data we process have the following rights:

  • Right of access (Article 15): The right to obtain confirmation of whether personal data is being processed and to receive a copy of that data.
  • Right to rectification (Article 16): The right to have inaccurate personal data corrected.
  • Right to erasure (Article 17): The right to have personal data erased in certain circumstances.
  • Right to restriction of processing (Article 18): The right to request restriction of processing in certain circumstances.
  • Right to data portability (Article 20): The right to receive personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21): The right to object to processing based on legitimate interests.
  • Rights related to automated decision-making (Article 22): The right not to be subject to solely automated decisions that have significant effects.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. We maintain a data retention schedule and conduct periodic reviews to ensure data is deleted or anonymised when no longer required.

6. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or damage. All staff with access to personal data receive appropriate training on data protection responsibilities.

7. Data Breaches

In the event of a personal data breach, we will assess the risk to individuals and, where required, notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify the affected individuals without undue delay.

8. Third-Party Processors

Where we engage third-party data processors, we ensure that appropriate data processing agreements are in place and that processors provide sufficient guarantees regarding their data protection measures.

9. International Transfers

Any transfer of personal data to countries outside the United Kingdom is conducted in accordance with UK GDPR requirements, including the use of appropriate safeguards such as standard contractual clauses or adequacy decisions.

10. Contact and Complaints

For data protection enquiries or to exercise your rights, please contact us at:
Aplomb Decisions Ltd, 17-19 St Georges Street, Norwich, England, NR3 1AB.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113