GDPR Compliance and Your Rights
Understanding how we protect your personal data
Our Commitment to Data Protection
Stellar Circuit takes data protection seriously and operates in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. As a financial services firm, we understand that you entrust us with sensitive personal and financial information, and we have implemented comprehensive measures to protect that trust.
This page provides specific information about your rights under GDPR and how we ensure compliance with data protection regulations.
Who We Are
For the purposes of data protection legislation, Stellar Circuit is the data controller responsible for your personal information. This means we determine how and why your personal data is processed.
We are registered with the Information Commissioner's Office, the UK's independent authority upholding information rights. You can verify our registration on the ICO website.
Lawful Basis for Processing
We only process your personal data when we have a lawful basis to do so. The legal grounds we rely upon include:
Performance of a Contract
When you engage our services, processing your personal data is necessary to fulfil our contractual obligations to you. This includes analysing your financial situation, providing recommendations, implementing strategies, and conducting ongoing reviews.
Legal Obligation
Financial services firms are subject to extensive legal and regulatory requirements. We must process certain personal data to comply with anti-money laundering regulations, financial services rules, tax reporting obligations, and record-keeping requirements.
Legitimate Interests
We may process data based on our legitimate business interests, provided these don't override your rights and freedoms. Examples include fraud prevention, network security, and improving our services through anonymised analytics.
Consent
For activities such as marketing communications, we rely on your consent, and for processing certain types of special category data (see below) we obtain your explicit consent. You have the right to withdraw consent at any time; withdrawal does not affect the lawfulness of any processing carried out on the basis of that consent before it was withdrawn.
Your Data Protection Rights
GDPR grants you comprehensive rights over your personal information. We are committed to facilitating the exercise of these rights.
Right of Access
You can request confirmation of whether we process your personal data and, if we do, access to that data along with information about how we use it. This is commonly known as a Subject Access Request. We will provide this information free of charge within one month of receiving your request, unless the request is manifestly unfounded or excessive, in which case the law permits us to charge a reasonable fee or to refuse the request.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion. We will respond to rectification requests within one month and notify any third parties with whom we've shared the data about the corrections, unless doing so proves impossible or involves disproportionate effort.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances. However, this right is not absolute. As a financial services firm, we have legal obligations to retain certain records for specified periods, which may limit our ability to delete all information immediately.
Right to Restrict Processing
You can request that we limit how we use your personal data in specific situations, such as when you contest the accuracy of the data or object to processing based on legitimate interests. During the restriction period, we may store the data but not actively process it except in limited circumstances.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies to data you've provided to us where processing is based on consent or contract performance and carried out by automated means.
Right to Object
You can object to processing of your personal data based on legitimate interests or for direct marketing purposes. For direct marketing, we will stop processing immediately upon receiving your objection. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. We do not currently employ fully automated decision-making in our service delivery, as all financial recommendations involve human professional judgment.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us using the details available on our contact page. When making a request, please provide:
- Sufficient information to identify yourself (we may request additional verification to protect your data)
- A clear description of which right you wish to exercise
- Any specific information or timeframes relevant to your request
We will respond to all requests within one month of receiving them. Where a request is complex, or where you have made several requests, this period may be extended by up to two further months; if so, we will tell you within the first month that an extension applies and explain the reasons for it.
Special Category Data
Certain types of personal information are classified as "special category data" under GDPR due to their sensitive nature. This includes information about health, which we may need to process when assessing protection insurance needs.
We process special category data only when:
- You have given explicit consent
- Processing is necessary for insurance purposes and authorised by law
- Processing is necessary for the establishment, exercise, or defence of legal claims
We apply enhanced protections to special category data and limit access to only those staff members who absolutely require it for their duties.
Data Protection by Design and Default
We embed data protection principles into all our systems, processes, and business practices. This means:
- Privacy considerations are incorporated from the outset when developing new services or systems
- We collect only the minimum personal data necessary for each specific purpose
- Access to personal data is restricted based on necessity and role
- Default settings prioritise privacy protection
- Regular reviews ensure our data protection measures remain effective
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures include:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Strict access controls and authentication procedures
- Regular staff training on data protection and security
- Secure disposal procedures for physical and electronic records
- Comprehensive incident response and data breach procedures
International Data Transfers
We primarily store and process personal data within the United Kingdom. If we ever need to transfer data outside the UK, we will ensure appropriate safeguards are in place, such as UK adequacy regulations covering the destination country, the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses, or other transfer mechanisms approved under the UK GDPR.
We will inform you if international transfers affect your data and ensure you understand the protections in place.
Data Breach Notification
Despite our robust security measures, we recognise that no system is completely immune to security incidents. In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Inform affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach and steps being taken
- Offer guidance on measures you can take to protect yourself
Data Protection Impact Assessments
For processing activities that pose high risks to individual rights and freedoms, we conduct Data Protection Impact Assessments. These systematic evaluations help us identify and minimise data protection risks before implementing new systems, technologies, or processes.
Third-Party Processors
When we engage third-party service providers who process personal data on our behalf, we ensure they:
- Provide sufficient guarantees of appropriate technical and organisational security measures
- Process data only according to our documented instructions
- Maintain confidentiality of personal data
- Assist us in meeting our GDPR obligations
- Delete or return personal data at the end of the service relationship
We maintain written contracts with all data processors that specify these obligations and responsibilities.
Accountability and Governance
We maintain comprehensive documentation of our data processing activities, including:
- Records of processing activities
- Data protection policies and procedures
- Privacy notices and consent records
- Data protection training records
- Data protection impact assessments
- Records of data subject requests and responses
This documentation demonstrates our accountability and enables us to prove GDPR compliance to regulators if required.
Children's Data
Our services are designed for adults. We do not knowingly collect or process personal data from individuals under 18 years of age without appropriate parental consent. If you believe we have inadvertently collected information from a minor, please contact us immediately so we can delete it.
Complaints and Concerns
If you have concerns about how we handle your personal data, please contact us first so we can address the issue directly. We take all complaints seriously and will investigate thoroughly.
You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection. Contact details:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Updates to This Information
We review our GDPR compliance regularly and update this information as necessary to reflect changes in our practices, technology, or legal requirements. Significant changes will be communicated to clients directly, and the updated version will always be available on our website.