Blue Brook

GDPR Compliance

Last updated: 15 January 2026

Blue Brook Ltd is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about how we handle personal data in accordance with these regulations and explains your rights as a data subject.

Data Controller

Blue Brook Ltd acts as the data controller for personal information collected through our website and services. Our details are:

Blue Brook Ltd
47 Whitmore Street
Bristol, BS1 3QH
Company Number: 11847293
ICO Registration: ZA789456

Our designated Data Protection Officer can be contacted at [email protected].

Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following bases depending on the nature of processing:

Performance of a Contract (Article 6(1)(b))

When you engage our services, we process your personal data to fulfil our contractual obligations. This includes assessing your benefit eligibility, preparing applications, and communicating with relevant authorities on your behalf.

Consent (Article 6(1)(a))

For certain processing activities, we seek your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. We use consent as our basis for:

  • Sending marketing communications
  • Processing certain categories of sensitive data
  • Sharing information with third parties beyond what is necessary for service delivery

Legal Obligation (Article 6(1)(c))

We process data where necessary to comply with legal requirements, such as:

  • Anti-money laundering regulations
  • Tax and accounting obligations
  • Responding to lawful requests from authorities

Legitimate Interests (Article 6(1)(f))

We may process data based on legitimate business interests where these are not overridden by your rights. Examples include:

  • Improving our services
  • Preventing fraud
  • Ensuring network and information security

Special Category Data

Our services often require processing of special category data, particularly health information relevant to disability benefits. For this data, we rely on:

  • Explicit consent (Article 9(2)(a)): You provide informed consent before we collect and process health-related information
  • Substantial public interest (Article 9(2)(g)): Processing is necessary for reasons of substantial public interest related to social security and social protection, as specified in Schedule 1 of the Data Protection Act 2018

Your Data Subject Rights

UK GDPR grants you comprehensive rights over your personal data. We are committed to facilitating these rights:

Right to Be Informed (Articles 13-14)

You have the right to clear, transparent information about how we use your data. This is provided through our privacy notices at the point of data collection and through this documentation.

Right of Access (Article 15)

You may request a copy of all personal data we hold about you. We will provide this within one month of verifying your identity, free of charge in most circumstances.

Right to Rectification (Article 16)

If any personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We will action valid requests within one month.

Right to Erasure (Article 17)

Under this right, also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances, including where:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis applies
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note that this right does not apply where we need to retain data for legal obligations or legal claims.

Right to Restriction of Processing (Article 18)

You may request that we limit how we use your data while we verify its accuracy, consider your objection to processing, or where processing is unlawful but you prefer restriction over erasure.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making in this manner.

Exercising Your Rights

To exercise any of your rights, please contact our Data Protection Officer:

Email: [email protected]
Post: Data Protection Officer, Blue Brook Ltd, 47 Whitmore Street, Bristol, BS1 3QH

We will:

  • Verify your identity before processing your request
  • Respond within one month (extendable by two months for complex requests)
  • Provide information free of charge unless requests are manifestly unfounded or excessive
  • Explain if we cannot comply with a request and your right to complain

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) before undertaking processing likely to result in high risk to individuals' rights and freedoms. This includes processing special category data at scale and systematic monitoring of individuals.

Data Breach Procedures

We maintain robust procedures to detect, report, and investigate personal data breaches. Where a breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay. All breaches meeting the reporting threshold are reported to the ICO within 72 hours of becoming aware.

International Data Transfers

We primarily store and process data within the United Kingdom. Any transfer of personal data to countries outside the UK will only occur where:

  • The country has an adequacy decision from the UK government
  • Appropriate safeguards are in place, such as Standard Contractual Clauses
  • A specific derogation applies under UK GDPR

Accountability and Governance

We demonstrate compliance with UK GDPR through:

  • Maintaining comprehensive records of processing activities (Article 30)
  • Implementing data protection by design and default (Article 25)
  • Regular staff training on data protection
  • Periodic reviews of our data processing and security measures
  • Documented policies and procedures
  • Designation of a Data Protection Officer

Complaints

If you believe we have not handled your personal data correctly, please contact our Data Protection Officer in the first instance. We take all complaints seriously and will investigate thoroughly.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: blue-brook.com

Updates to This Information

We keep this GDPR information under regular review. Any significant changes will be communicated to you where appropriate. We encourage you to check this page periodically for updates.

Blue Brook

Helping UK residents navigate the benefits system with clarity and confidence since 2018.

© 2026 Blue Brook Ltd. All rights reserved. Company registered in England and Wales No. 11847293.
