GDPR Information
Your data protection rights and how we comply with GDPR
Overview
The UK General Data Protection Regulation provides comprehensive protections for personal data. This page explains your rights under GDPR and how echo-tower ensures compliance with these regulations.
For general information about how we collect and use personal data, please see our Privacy Policy. This page focuses specifically on your GDPR rights and our compliance procedures.
Data Controller Information
For the purposes of data protection legislation, echo-tower is the data controller responsible for your personal information.
Our contact details:
echo-tower
Meadow House
High Street
Chipping Norton
Oxfordshire
OX7 5AD
Email: [email protected]
Your Rights Under GDPR
GDPR grants you several important rights regarding your personal data. We respect these rights and have procedures in place to fulfil your requests.
Right to Access
You have the right to obtain confirmation that we're processing your personal data and to access that data. When you make an access request, we'll provide you with a copy of the personal information we hold about you, along with details about how and why we're using it.
We'll normally provide this information electronically unless you request a different format. There's no charge for making an access request unless your request is clearly unfounded, repetitive, or excessive.
Right to Rectification
If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We'll update our records promptly when you notify us of any inaccuracies.
Where we've shared the information with third parties, we'll inform them of the correction where possible.
Right to Erasure
Also known as the right to be forgotten, this allows you to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when you withdraw consent.
This right isn't absolute. We may need to retain some information to comply with legal obligations, for example keeping financial records for tax purposes. If we cannot delete your data, we'll explain why.
Right to Restrict Processing
You can ask us to restrict how we use your personal data in specific situations, such as when you're challenging the accuracy of the data or you've objected to processing. When processing is restricted, we can store the data but not use it.
Right to Data Portability
Where we process your data based on consent or for contract performance, and the processing is automated, you have the right to receive your personal data in a structured, commonly used, machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests. When you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if we need to process the data for legal claims.
You have an absolute right to object to processing for direct marketing purposes. If you object to marketing, we'll stop immediately.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significant impacts. We don't currently use automated decision-making systems for our services.
How to Exercise Your Rights
To exercise any of your GDPR rights, contact us by email at [email protected] or write to our address above.
Please include sufficient information to help us locate your records, such as your name, address, and details of your interaction with us. We may need to verify your identity before processing your request to protect your personal data from unauthorised access.
We aim to respond to all valid requests within one month. If your request is particularly complex or we receive multiple requests from you, we may need an additional two months. We'll inform you within the first month if we need this extension.
Lawful Bases for Processing
GDPR requires that we have a lawful basis for processing your personal data. We rely on different bases depending on the nature of the processing:
Contract Performance
When you engage our services, we process personal data necessary to fulfil our contractual obligations to you. This includes contact details, property information, project specifications, and payment details.
Legitimate Interests
We process some data based on legitimate business interests, such as maintaining project records, improving our services, and managing our operations. We've assessed these interests against potential impacts on your privacy rights and only proceed where our interests don't override your rights.
Legal Compliance
Some data processing is necessary to comply with legal obligations, for example retaining financial records for tax purposes or maintaining records required by professional regulations.
Consent
Where we don't have another lawful basis, we'll ask for your consent before processing personal data. You can withdraw consent at any time without affecting the lawfulness of processing conducted before withdrawal.
Data Protection Principles
We adhere to the GDPR data protection principles in all our processing activities:
We process personal data lawfully, fairly, and transparently, explaining what we do with your information.
We collect data only for specified, explicit, and legitimate purposes and don't process it in ways incompatible with those purposes.
We ensure data we hold is adequate, relevant, and limited to what's necessary for the purposes we've told you about.
We take reasonable steps to ensure personal data is accurate and kept up to date.
We don't keep personal data longer than necessary for the purposes for which it was collected.
We implement appropriate security measures to protect personal data from unauthorised access, loss, or destruction.
We can demonstrate our compliance with these principles through our policies, procedures, and documentation.
Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing your personal data.
Our security measures include encrypted data transmission and storage, access controls limiting who can view personal data, regular security assessments and updates, staff training on data protection requirements, and secure disposal procedures for data we no longer need.
While we take data security seriously, no system is completely secure. If we become aware of a data breach that's likely to result in a high risk to your rights and freedoms, we'll notify you without undue delay.
International Data Transfers
We primarily store and process data within the United Kingdom. If we need to transfer data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by UK authorities or transferring to countries with adequacy decisions recognising equivalent data protection standards.
Data Retention
We retain personal data only as long as necessary for the purposes for which we collected it or to comply with legal requirements.
Our retention periods vary depending on the type of data and the reason for processing. For example, we typically retain project records for seven years to handle potential queries or legal claims, while enquiry information from non-clients is usually deleted after two years.
When we no longer need personal data, we securely delete or anonymise it so it cannot be linked back to you.
Children's Data
Our services aren't directed at children under sixteen. We don't knowingly process personal data of children. If we become aware we've collected data from a child, we'll delete it promptly.
Changes to Our GDPR Practices
We may update our data protection practices from time to time to reflect operational changes or new legal requirements. Significant changes will be communicated through updates to our Privacy Policy and this page.
Complaints
We take data protection seriously and aim to handle your information responsibly. If you're unhappy with how we've processed your personal data, please contact us first so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: echo-tower.com
Contact Us
If you have questions about GDPR compliance or wish to exercise your data protection rights, please contact us:
Email: [email protected]
Address: Meadow House, High Street, Chipping Norton, Oxfordshire, OX7 5AD