
GDPR Compliance

Shady Drift Ltd complies with the General Data Protection Regulation and UK data protection laws. This page explains our obligations and your rights under these regulations.

Last updated: 8 April 2026

Our Commitment to Data Protection

The General Data Protection Regulation establishes strict standards for handling personal information. We've implemented comprehensive policies and procedures to meet these standards and protect your privacy.

Data protection principles guide everything we do with personal information. We process data lawfully, fairly, and transparently. We collect information only for specific, legitimate purposes and don't keep it longer than necessary. We maintain accuracy and implement appropriate security measures.

Controller Information

Shady Drift Ltd acts as the data controller for personal information we collect. This means we determine how and why your data is processed.

Data Controller: Shady Drift Ltd
Registration Number: 08234567
Registered Address: 42 Bellenden Road, Peckham, London SE15 4RF
Contact Email: [email protected]

Lawful Basis for Processing

GDPR requires that we identify a lawful basis before processing personal information. We rely on several grounds depending on the context:

Contract Performance

When you engage our services, we process information necessary to fulfil our contractual obligations. This includes managing projects, coordinating trades, ordering materials, invoicing, and providing warranty support.

Legitimate Interests

We process certain information to support legitimate business interests, provided this doesn't override your rights. Examples include responding to enquiries from prospective clients, improving our services based on feedback, and maintaining records for quality assurance.

Before relying on legitimate interests, we assess whether processing is necessary and proportionate, considering potential impact on individuals.

Legal Compliance

Various laws require us to collect and retain specific information. Building regulations demand project documentation. Tax and accounting laws mandate financial record-keeping. Health and safety regulations require risk assessments and incident records.

Consent

For certain activities, we seek your explicit consent. This applies to marketing communications and some cookie usage. You can withdraw consent at any time, though this won't affect processing that occurred before withdrawal.

Your GDPR Rights

The regulation grants several rights regarding your personal information:

Right to Be Informed

You're entitled to clear information about how we collect and use personal data. Our privacy policy and this page fulfil this obligation.

Right of Access

You can request confirmation of whether we're processing your information and obtain a copy of that data. We provide this free of charge within one month.

Access requests should include sufficient detail to help us locate the relevant information. We may need to verify your identity before responding.

Right to Rectification

If information we hold is inaccurate or incomplete, you can request correction. We'll update our records within one month and notify any third parties with whom we've shared the information.

Right to Erasure

Sometimes called the "right to be forgotten," this allows you to request deletion of personal data. This right applies when:

  • Information is no longer needed for its original purpose
  • You withdraw consent and no other legal basis exists
  • You object to processing and we lack overriding grounds
  • Data has been unlawfully processed
  • Deletion is necessary for legal compliance

This right isn't absolute. We may need to retain information to comply with legal obligations, establish legal claims, or fulfil contractual commitments.

Right to Restriction

You can ask us to limit how we use your information while we resolve questions about accuracy, lawfulness, or necessity. During this period, we'll store data but not actively process it.

Right to Data Portability

Where processing is based on consent or contract performance and carried out by automated means, you can request that we provide your information in a structured, commonly used format. Where technically feasible, we'll transmit this directly to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. For marketing, we'll stop immediately. For other objections, we'll cease unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have protections against decisions based solely on automated processing that significantly affect you. We don't currently use automated decision-making or profiling that would trigger these protections.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] or write to our registered address. Include sufficient information to help us locate relevant data and verify your identity.

We respond to valid requests within one month. Complex requests may require up to two additional months—we'll explain any delay. All responses are provided free of charge unless requests are manifestly unfounded or excessive.

Data Security Measures

GDPR requires appropriate technical and organisational measures to protect personal information. Our security practices include:

Technical Controls

  • Encryption of sensitive data during transmission and storage
  • Regular security updates and patches for all systems
  • Firewall protection and intrusion detection
  • Secure backup procedures with encrypted storage
  • Strong password policies and multi-factor authentication

Organisational Controls

  • Staff training on data protection principles and procedures
  • Confidentiality agreements with employees and contractors
  • Clear policies defining who can access what information
  • Regular reviews of data processing activities
  • Incident response procedures for data breaches

Data Breach Notification

If a data breach occurs that poses risk to individuals' rights and freedoms, we'll notify the Information Commissioner's Office within seventy-two hours of becoming aware. Where the breach presents high risk, we'll also inform affected individuals without undue delay.

Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

International Transfers

We primarily process information within the United Kingdom. If international transfer becomes necessary, we ensure adequate protection through approved mechanisms such as:

  • Standard contractual clauses approved by regulatory authorities
  • Adequacy decisions recognising equivalent protection in destination countries
  • Binding corporate rules for transfers within multinational organisations

Data Protection Impact Assessments

For processing activities that present high risk to individuals, we conduct Data Protection Impact Assessments. These systematic evaluations identify risks and mitigation measures before processing begins.

Working With Processors

When we engage service providers who process personal information on our behalf, we ensure they provide sufficient guarantees of GDPR compliance. Written agreements specify their obligations, including:

  • Processing only according to our documented instructions
  • Maintaining confidentiality
  • Implementing appropriate security measures
  • Assisting with individuals' rights requests
  • Deleting or returning data when services end

Record Keeping

We maintain records of processing activities as required by GDPR. These records document:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of personal information
  • International transfers and safeguards
  • Retention periods
  • Security measures

Supervisory Authority

The Information Commissioner's Office regulates data protection in the United Kingdom. If you're dissatisfied with how we've handled your information or responded to a request, you can lodge a complaint:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

Updates to Our Practices

We review our data protection practices regularly to ensure ongoing compliance with GDPR requirements. Changes to this information are published on our website with updated effective dates.

Contact Us

For questions about our GDPR compliance, your rights, or our data protection practices, contact us at [email protected].
