GDPR Compliance Statement

Last updated: May 10, 2026

Our Commitment to GDPR

nifty-fastener is fully committed to compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We recognize the importance of protecting personal data and respecting the privacy rights of individuals.

Data Controller

For the purposes of GDPR, nifty-fastener is the data controller responsible for your personal data.

Contact Details:
nifty-fastener
42 Wellington Street
Birmingham, B15 2NT
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The legal grounds we rely on include:

Performance of a Contract

When you engage our services, we process your personal data to fulfill our contractual obligations. This includes assessing benefit eligibility, preparing applications, and representing you in appeals.

Legal Obligation

We are required by law to retain certain records and report specific information to regulatory authorities. This includes maintaining professional standards and complying with financial regulations.

Legitimate Interests

We may process data where necessary for our legitimate business interests, such as:

• Maintaining accurate client records
• Improving our services
• Protecting against fraud
• Network and information security

We balance these interests against your rights and will not process data in ways you would not reasonably expect.

Consent

For certain activities, such as marketing communications, we rely on your explicit consent. You may withdraw consent at any time.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you. We will provide this free of charge within one month of your request.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you have the right to have it corrected.

Right to Erasure

In certain circumstances, you can request deletion of your personal data. This right is not absolute and may be limited by legal retention requirements.

Right to Restrict Processing

You can request that we limit how we use your personal data while a dispute about its accuracy or our use of it is resolved.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our service delivery. All assessments are conducted by qualified human advisors.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the subject line "GDPR Request".

Please include:

• Your full name and contact details
• Details of your specific request
• Proof of identity (to protect your data from unauthorized access)

We will respond to your request within one month. If your request is complex or we receive multiple requests, this may be extended by a further two months, and we will inform you of any delay.

Data Processing Activities

Categories of Personal Data

• Identity data: name, date of birth, National Insurance number
• Contact data: address, email, telephone
• Financial data: income, savings, benefit awards, bank details
• Health data: medical conditions, functional limitations
• Special category data: health information, disability status

Purposes of Processing

• Benefit eligibility assessment
• Application preparation and submission
• Appeals and tribunal representation
• Case management and record keeping
• Communication with government agencies
• Service improvement and quality assurance

Recipients of Data

• DWP and HMRC (for claim processing)
• Medical professionals (for evidence gathering)
• Tribunal services (for appeal representation)
• IT service providers (under data processing agreements)

International Transfers

We do not transfer personal data outside the United Kingdom or European Economic Area. All data is stored and processed within the UK on secure servers.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments
• Staff training on data protection
• Incident response procedures
• Regular backups with secure storage

Data Breach Procedures

In the unlikely event of a personal data breach, we will:

• Assess the risk to individuals
• Notify the ICO within 72 hours if required
• Inform affected individuals without undue delay if there is a high risk to their rights
• Document the breach and our response
• Take steps to mitigate harm and prevent recurrence

Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected:

• Active case files: Duration of service relationship
• Closed case files: 6 years after case closure
• Financial records: 6 years as required by law
• Marketing consent: Until withdrawn

Children's Data

Our services are directed at adults. We do not knowingly process data of children under 18 without parental consent, except where necessary for benefit claims on their behalf.

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Significant changes will be communicated to active clients.

Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: nifty-fastener.com

Questions

If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected]