GDPR Information

Your data protection rights explained

Our Commitment to GDPR Compliance

Serene Ventures fully complies with the UK General Data Protection Regulation and maintains robust procedures to protect your personal information. This page explains your rights and how we fulfil our obligations as a data controller.

Data Controller Details

For the purposes of UK GDPR, the data controller is:

Serene Ventures
42 Colmore Row
Birmingham
B3 2BS
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contractual Necessity

Processing is necessary to perform our contract with you when providing benefits advisory services. This includes preparing claims, submitting appeals, and representing you in proceedings.

Legitimate Interests

We process certain data based on legitimate business interests, such as:

  • Maintaining client records for professional indemnity
  • Improving service quality through feedback analysis
  • Preventing fraud or misuse of services
  • Operating our website and analysing usage patterns

We balance these interests against your rights and only process data when appropriate.

Legal Obligation

Certain processing activities are required by law, including:

  • Retaining financial records for tax purposes
  • Complying with tribunal or court orders
  • Meeting professional regulatory requirements

Explicit Consent

For special category data such as health information, we obtain your explicit consent before processing. You can withdraw this consent at any time by contacting us.

Your GDPR Rights

Right of Access

You can request a copy of the personal data we hold about you. We'll provide this within one month, free of charge. The information will include what data we have, why we process it, who we share it with, and how long we'll retain it.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you can ask us to correct it. We'll update our records within one month and notify any third parties we've shared the data with if necessary.

Right to Erasure

You can request deletion of your personal data in certain circumstances:

  • The data is no longer needed for the purpose it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

This right doesn't apply if we need to retain data for legal obligations or to defend legal claims.

Right to Restriction of Processing

You can ask us to limit how we use your data while we:

  • Verify accuracy of data you've contested
  • Determine whether our legitimate interests override your objection to processing
  • Need to retain data for legal claims even though you've requested deletion

Right to Data Portability

For data you've provided based on consent or contract, processed by automated means, you can request a copy in a structured, commonly used format. Where technically feasible, we can transfer this directly to another organisation.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We'll stop processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.

Rights Related to Automated Decision-Making

We don't use automated decision-making or profiling that significantly affects you. All assessments of your benefit eligibility are conducted by qualified human advisors.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: [email protected]
Post: Data Protection Officer, Serene Ventures, 42 Colmore Row, Birmingham, B3 2BS

We may need to verify your identity before processing requests to ensure we're releasing information to the correct person. We'll respond within one month, or inform you if we need additional time for complex requests.

Data Processing Activities

Client Case Management

Purpose: Providing benefits advisory services
Data categories: Contact details, financial information, health data, correspondence
Legal basis: Contract, consent for special category data
Retention: Seven years after case closure

Website Analytics

Purpose: Understanding how visitors use our website
Data categories: IP address, browser type, pages viewed
Legal basis: Legitimate interests
Retention: Two years

Email Communications

Purpose: Responding to enquiries and corresponding with clients
Data categories: Email address, message content
Legal basis: Legitimate interests or contract
Retention: Duration of client relationship plus seven years

International Data Transfers

We store and process all personal data within the United Kingdom. We do not transfer data to countries outside the UK or European Economic Area.

Data Security Measures

We implement appropriate technical and organisational measures including:

  • Encryption of data at rest and in transit
  • Regular security assessments and penetration testing
  • Access controls based on role and necessity
  • Secure disposal procedures for physical and digital media
  • Staff training on data protection responsibilities
  • Incident response procedures for data breaches

Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we'll notify you within 72 hours if the breach poses a high risk to your rights and freedoms. We'll also notify the Information Commissioner's Office as required by law.

Data Protection by Design

We incorporate data protection principles into all new systems and processes. This includes:

  • Minimising data collection to what's necessary
  • Implementing privacy settings by default
  • Conducting privacy impact assessments for new activities
  • Regular reviews of data processing practices

Third-Party Data Processors

We engage selected third parties to process data on our behalf, including IT service providers and document storage facilities. All processors are bound by contracts requiring GDPR compliance and appropriate security measures.

Complaints and Concerns

If you believe we've not handled your data in accordance with GDPR, please contact our Data Protection Officer at [email protected]. We'll investigate and respond promptly.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Information

We review our GDPR compliance regularly and update this information as necessary. Significant changes will be communicated to current clients. Last updated: 17 April 2026