GDPR Compliance

Our Commitment to GDPR

mellow-quarter is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

Data Controller Information

For the purposes of GDPR, the data controller is:

mellow-quarter
Riverside Ecology Centre
47 Waterside Lane
Bristol BS1 4RZ
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process your personal data under the following lawful bases as defined in Article 6 of GDPR:

• Consent (Article 6(1)(a)): When you have provided explicit consent for specific processing activities, such as receiving marketing communications
• Contract (Article 6(1)(b)): When processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract
• Legal Obligation (Article 6(1)(c)): When we must process your data to comply with legal requirements, such as tax or environmental regulations
• Legitimate Interests (Article 6(1)(f)): When we have legitimate business interests that do not override your fundamental rights and freedoms

Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access (Article 15)

You have the right to request access to your personal data and receive information about how we process it. We will provide a copy of your personal data free of charge within one month of your request.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

• Email: [email protected]
• Post: Riverside Ecology Centre, 47 Waterside Lane, Bristol BS1 4RZ, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Data Protection Principles

We process personal data in accordance with GDPR principles, ensuring data is:

• Processed lawfully, fairly, and transparently
• Collected for specified, explicit, and legitimate purposes
• Adequate, relevant, and limited to what is necessary
• Accurate and kept up to date
• Kept only for as long as necessary
• Processed securely with appropriate technical and organizational measures

Data Security Measures

We implement appropriate technical and organizational security measures to protect your personal data, including:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments and updates
• Staff training on data protection
• Secure backup and disaster recovery procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, in accordance with Article 33 of GDPR.

International Data Transfers

If we transfer your personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Transfers to countries with adequacy decisions
• Other legally recognized transfer mechanisms

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Specific retention periods include:

• Client project data: 7 years after project completion
• Marketing consent data: Until consent is withdrawn
• Website analytics: 26 months
• Inquiry data: 2 years if no contract is entered into

Children's Data

We do not knowingly collect or process personal data from children under 16 years of age. If we become aware that we have inadvertently collected such data, we will delete it promptly.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. In the UK, the supervisory authority is:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated statement on our website.

Contact Us

If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected].