GDPR Compliance

Our Commitment to Data Protection

bloom-bits is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the protection of personal data seriously, particularly given that our services involve children and families.

Data Controller Information

bloom-bits is the data controller for all personal information collected through our website and services. Our contact details are:

bloom-bits
42 Cathedral Road
Pontcanna, Cardiff CF11 9LL
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by the GDPR:

Consent

Where you have given clear consent for us to process your personal data for a specific purpose. This applies to:

• Marketing communications and newsletters
• Non-essential cookies and analytics
• Photographs of children for promotional use

Contract

Where processing is necessary for the performance of a contract with you. This applies to:

• Processing enrolments and bookings
• Delivering educational programmes
• Communicating about your booking

Legitimate Interests

Where processing is necessary for our legitimate interests and those interests are not overridden by your rights. This applies to:

• Improving our services and website
• Basic security measures
• Responding to enquiries

Legal Obligation

Where processing is necessary to comply with the law. This applies to:

• Financial record keeping
• Safeguarding requirements
• Responding to legal requests

Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.

Right to Erasure

Also known as the "right to be forgotten", you can request the deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent (where consent was the basis for processing)
• The data has been unlawfully processed

Right to Restrict Processing

You can request that we limit how we use your data while a complaint is being investigated or where processing is unlawful but you do not want the data erased.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making systems.

Children's Data

As an organisation providing services to children, we take extra care with children's data:

• We only collect children's data with parental consent
• We collect the minimum data necessary to deliver our services
• Children's data is never used for marketing purposes
• We never share children's data with third parties for commercial purposes
• Enhanced security measures protect all children's data

International Data Transfers

We primarily process data within the United Kingdom. If any data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

Data Breach Procedures

In the event of a personal data breach, we will:

• Notify the Information Commissioner's Office within 72 hours where required
• Notify affected individuals if the breach is likely to result in high risk to their rights
• Document all breaches and actions taken
• Review and improve our security measures

Exercising Your Rights

To exercise any of your rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond to all legitimate requests within one month.

Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk

However, we would appreciate the chance to address your concerns first, so please contact us in the first instance.

Updates to This Information

We may update this GDPR information from time to time. Any significant changes will be communicated to you via email or a prominent notice on our website.

Last reviewed: January 2024