GDPR Compliance Statement
Last updated: May 16, 2026
Our Commitment to GDPR
Cozy Glade is fully committed to compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We recognize the importance of protecting personal data and have implemented comprehensive policies and procedures to ensure compliance with all applicable data protection laws.
This statement outlines how we meet our obligations under GDPR and how we protect the rights of individuals whose data we process.
Data Controller Information
Cozy Glade is the data controller responsible for your personal information. Our details are:
Cozy Glade
47 Thornbury Lane
Sheffield S3 8EQ
United Kingdom
Email: [email protected]
ICO Registration Number: ZA123456
Lawful Basis for Processing
We process personal data only when we have a lawful basis to do so. The lawful bases we rely on include:
Contract (Article 6(1)(b))
Processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract. This applies when we provide benefits advisory services you have engaged us for.
Consent (Article 6(1)(a))
You have given clear, affirmative consent for us to process your personal data for specific purposes, such as contacting your medical professionals or subscribing to communications.
Legal Obligation (Article 6(1)(c))
Processing is necessary for compliance with legal obligations to which we are subject, including record-keeping requirements and responding to lawful requests from authorities.
Legitimate Interests (Article 6(1)(f))
Processing is necessary for our legitimate interests or those of a third party, provided those interests do not override your fundamental rights and freedoms. This includes business administration, fraud prevention, and service improvement.
Special Category Data (Article 9)
Benefits advisory work requires processing special category data, including health information. We process this data based on:
- Explicit consent: You provide explicit consent for processing health and other sensitive data
- Legal claims: Processing is necessary for establishing, exercising, or defending legal claims (appeals and tribunals)
Data Protection Principles
We adhere to the six data protection principles set out in Article 5 of GDPR:
1. Lawfulness, Fairness and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about how and why we use your data through our Privacy Policy and other communications.
2. Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes. We do not process data in a manner incompatible with those purposes.
3. Data Minimization
We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed. We do not collect excessive information.
4. Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. We provide mechanisms for you to update your information and correct inaccuracies.
5. Storage Limitation
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations. Our retention periods are documented in our Privacy Policy.
6. Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure the security of personal data, protecting against unauthorized processing, accidental loss, destruction, or damage.
Individual Rights Under GDPR
We respect and facilitate the exercise of your rights under GDPR:
Right to Be Informed (Articles 13-14)
We provide transparent information about our data processing activities through our Privacy Policy and direct communications.
Right of Access (Article 15)
You have the right to obtain confirmation that we are processing your personal data and to access that data. We respond to subject access requests within one month.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data and completion of incomplete data. We update records promptly upon verification.
Right to Erasure (Article 17)
You may request deletion of your personal data in certain circumstances, such as when data is no longer necessary for the purposes collected or when you withdraw consent.
Right to Restriction of Processing (Article 18)
You can request that we restrict processing of your personal data in specific situations, such as while we verify data accuracy or assess whether our legitimate interests override your rights.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22)
We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
- Email: [email protected]
- Post: Data Protection Officer, Cozy Glade, 47 Thornbury Lane, Sheffield S3 8EQ
When making a request, please provide:
- Your full name and contact details
- Details of your specific request
- Proof of identity (to prevent unauthorized disclosure)
We will respond to requests within one month. In complex cases, we may extend this by two months and will inform you of the extension and reasons.
Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
- Encryption of data in transit and at rest
- Secure authentication and access controls
- Regular security testing and vulnerability assessments
- Firewall protection and intrusion detection systems
- Automated backup and disaster recovery procedures
Organizational Measures
- Mandatory data protection training for all staff
- Clear policies and procedures for data handling
- Confidentiality agreements with employees and contractors
- Regular audits of data processing activities
- Incident response and breach notification procedures
Data Breach Procedures
In the event of a personal data breach, we have procedures in place to:
- Detect and contain the breach promptly
- Assess the risk to individuals' rights and freedoms
- Notify the Information Commissioner's Office within 72 hours if required
- Notify affected individuals without undue delay if there is a high risk to their rights
- Document the breach and our response
- Review and improve security measures to prevent recurrence
Data Processing Agreements
When we engage third-party processors to handle personal data on our behalf, we ensure:
- Written contracts are in place with clear data protection obligations
- Processors provide sufficient guarantees of appropriate technical and organizational measures
- Processors only act on our documented instructions
- Processors implement appropriate security measures
- Processors assist with our GDPR compliance obligations
International Data Transfers
We primarily store and process data within the United Kingdom. If we transfer data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions recognizing equivalent data protection standards
- Binding Corporate Rules for intra-group transfers
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms, particularly when using new technologies or processing special category data at scale.
Record Keeping
We maintain comprehensive records of our processing activities as required by Article 30 of GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers (if applicable)
- Retention periods
- Security measures
Regular Reviews and Updates
We regularly review and update our data protection practices to ensure ongoing compliance with GDPR and evolving best practices. This includes:
- Annual reviews of data processing activities
- Regular staff training updates
- Monitoring regulatory guidance and case law
- Updating policies and procedures as needed
Supervisory Authority
The supervisory authority responsible for monitoring our compliance with GDPR is the Information Commissioner's Office (ICO). You have the right to lodge a complaint with the ICO if you believe we have not complied with data protection law:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Contact Us
If you have questions about our GDPR compliance or wish to exercise your rights, please contact our Data Protection Officer:
Email: [email protected]
Post: Data Protection Officer, Cozy Glade, 47 Thornbury Lane, Sheffield S3 8EQ, United Kingdom