GDPR Compliance

Last updated: January 2024

mystic-legacy is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we ensure compliance and your rights under these regulations.

1. Data Controller

mystic-legacy acts as the data controller for personal information collected through our website and services. Our contact details are:

mystic-legacy
47 Division Street
Sheffield, S1 4GE
United Kingdom
Email: [email protected]

2. Principles We Follow

We adhere to the core principles of data protection:

• Lawfulness, Fairness, and Transparency: We process data lawfully and transparently
• Purpose Limitation: Data is collected for specified, explicit purposes only
• Data Minimisation: We collect only necessary data
• Accuracy: We keep data accurate and up to date
• Storage Limitation: Data is kept only as long as necessary
• Integrity and Confidentiality: We ensure appropriate security measures
• Accountability: We can demonstrate compliance with these principles

3. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you. We will respond to your request within one month.

Right to Rectification

You can request that we correct any inaccurate or incomplete personal data.

Right to Erasure

You can request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose.

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or direct marketing.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing. We do not currently use automated decision-making that significantly affects you.

4. How to Exercise Your Rights

To exercise any of your rights, please contact us at [email protected]. We will:

• Verify your identity before processing your request
• Respond to your request within one month
• Extend the response period by two months if necessary, with explanation
• Provide information free of charge in most cases

5. Lawful Basis for Processing

We rely on the following lawful bases for processing personal data:

• Contract: To provide our educational services to you
• Consent: For marketing communications and non-essential cookies
• Legitimate Interests: To improve our services, ensure security, and prevent fraud
• Legal Obligation: To comply with safeguarding requirements and tax regulations

6. International Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the ICO
• Adequacy decisions for the destination country
• Your explicit consent where appropriate

7. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when implementing new processes or technologies that may pose high risks to individuals' privacy, particularly when processing children's data.

8. Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office within 72 hours
• Notify affected individuals without undue delay if the breach poses high risk
• Document all breaches and our responses

9. Staff Training

All our staff receive regular training on data protection principles and practices, with particular emphasis on protecting children's data given the nature of our services.

10. Complaints

If you are dissatisfied with how we handle your data or respond to your request, you can:

• Contact us directly to resolve the issue
• Lodge a complaint with the Information Commissioner's Office (ICO)

ICO Contact:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: mystic-legacy.com

11. Updates to This Information

We review our GDPR compliance regularly and will update this page to reflect any changes in our practices or the law.