Brilliant Skill

GDPR Compliance

Your rights and our responsibilities under data protection law

Our Commitment to Data Protection

Brilliant Skill Limited operates in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. These regulations establish comprehensive protections for personal data and grant individuals substantial rights over their information.

We view compliance not merely as a legal obligation but as a fundamental aspect of the trust our clients and participants place in us. This page outlines how we fulfil our responsibilities and how you can exercise your rights.

Data Controller Information

For the purposes of data protection legislation, Brilliant Skill Limited acts as the data controller for personal information collected through our business activities. This means we determine how and why your data is processed.

Brilliant Skill Limited
12 Victoria Square
Birmingham B1 1BD
United Kingdom
Company Number: 11234567

Data Protection Contact: [email protected]

Lawful Basis for Data Processing

Data protection law requires that we process personal information only when we have a valid legal basis. The grounds we rely upon include:

Performance of a Contract

When you commission training services from us, processing your data becomes necessary to fulfil our contractual commitments. This includes managing bookings, coordinating programme delivery, providing learning materials, assessing participation, and issuing certificates. Without processing this information, we couldn't deliver the services you've engaged us to provide.

Legitimate Interests

We process certain data to pursue legitimate business interests, provided these interests don't override your fundamental rights and freedoms. Examples include maintaining relationships with past and prospective clients, improving our training programmes based on feedback and outcomes, administering our business operations efficiently, and protecting our legal rights.

Before relying on legitimate interests, we conduct assessments to ensure our processing is necessary, proportionate, and doesn't adversely impact individuals.

Consent

For specific activities such as sending marketing communications or collecting certain types of data, we obtain your explicit consent. When we ask for consent, we clearly explain what we're asking permission for and make it easy for you to decline or withdraw consent later.

Consent must be freely given, specific, informed, and unambiguous. We never make services conditional on consent for processing that isn't necessary for delivering those services.

Legal Obligations

Some data processing is required to comply with legal duties, such as maintaining financial records for tax purposes, responding to lawful requests from authorities, or meeting health and safety requirements.

Your Individual Rights

Data protection legislation grants you extensive rights regarding personal information. These rights empower you to control how your data is used.

Right of Access

You can request confirmation of whether we're processing your personal data and, if so, obtain a copy of that data along with supplementary information about how we use it. This is commonly known as a Subject Access Request.

We'll provide this information free of charge within one month of receiving a valid request, though complex requests may require up to three months with appropriate explanation for the delay.

Right to Rectification

If personal data we hold about you is inaccurate or incomplete, you can request that we correct it. We'll action such requests promptly and notify any third parties with whom we've shared the data about the correction where appropriate.

Right to Erasure

Sometimes called the "right to be forgotten," this allows you to request deletion of your personal data in specific circumstances. These include situations where data is no longer needed for its original purpose, where you withdraw consent that was the basis for processing, or where processing was unlawful.

This right is not absolute. We may need to retain certain information to comply with legal obligations, establish or defend legal claims, or pursue legitimate interests that override your right to erasure.

Right to Restrict Processing

You can ask us to limit how we use your personal data in certain situations, such as when you've challenged the accuracy of data and we're verifying it, when processing is unlawful but you don't want the data erased, or when you've objected to processing based on legitimate interests whilst we determine whether our grounds override yours.

When processing is restricted, we can store the data but not actively use it without your consent, except for limited purposes like legal claims or protecting others' rights.

Right to Data Portability

Where processing is based on consent or contractual necessity and is carried out by automated means, you can request to receive your personal data in a structured, commonly used, machine-readable format. You may also ask us to transmit this data directly to another organisation where technically feasible.

This right facilitates your ability to move, copy, or transfer personal data easily across different services.

Right to Object

You can object to processing based on legitimate interests or carried out for direct marketing purposes. When you object to marketing, we'll stop such processing immediately. For objections based on legitimate interests, we'll cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We don't currently use automated decision-making processes of this nature, but should this change, we'll ensure appropriate safeguards and notification.

How to Exercise Your Rights

To exercise any of these rights, please contact us in writing via email at [email protected] or by post to the address provided above.

To help us process your request efficiently and securely, please provide:

  • Clear identification of which right you wish to exercise
  • Sufficient information for us to verify your identity
  • Specific details about the data or processing you're concerned about, where relevant
  • Your preferred method for receiving our response

We'll acknowledge receipt of your request and respond substantively within one month. For complex requests, we may extend this to three months and will explain why the extension is necessary.

Data Security Measures

GDPR requires that we implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage.

Our security approach encompasses:

Encryption technologies protect data both when stored on our systems and during transmission across networks. Access controls ensure that only authorised personnel can view personal data, and then only the specific information needed for their role. Regular security assessments identify and address vulnerabilities in our systems and processes.

Staff training ensures everyone who handles personal data understands their responsibilities and follows secure practices. Contractual protections require third-party processors to maintain equivalent security standards.

Incident response procedures enable us to detect, report, and investigate any data breach promptly. Should a breach pose a risk to individuals' rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours and inform affected individuals where required.

International Data Transfers

We primarily store and process personal data within the United Kingdom. If we need to transfer data outside the UK, we'll ensure appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or other mechanisms approved under data protection law.

We'll inform you if your data will be transferred internationally and explain the protections that apply.

Data Protection Impact Assessments

When planning new processing activities that may result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments. These systematic evaluations help us identify and minimise data protection risks before implementation.

Record Keeping

We maintain comprehensive records of our processing activities as required by GDPR. These records document the categories of data we process, purposes of processing, retention periods, security measures, and information about data sharing arrangements.

This documentation enables us to demonstrate compliance with our data protection obligations and assists individuals who wish to understand how their data is used.

Raising Concerns

If you have concerns about how we handle personal data or wish to make a complaint, please contact us first using the details provided. We take all concerns seriously and will investigate thoroughly.

You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

The ICO can investigate your complaint and take enforcement action against organisations that breach data protection law.

© 2026 Brilliant Skill. All rights reserved.