This page explains, in straightforward terms, the rights you have under UK data protection law when we act as a data controller, and how you can exercise those rights with us.
It should be read alongside our Privacy and cookies policy, which sets out what data we collect, why we collect it and who to contact.
Who this applies to
These rights apply when Cultrix is the data controller - for example, for:
- our own website and marketing activity
- our internal records about customers and suppliers
- support and ticket information that we hold in our own systems
When we act as a data processor on behalf of a customer (for example, managing their Microsoft 365 tenant), we will usually direct you to contact that organisation directly, as they control how your data is used in that context.
Your main rights
Under UK GDPR, you have a number of rights in relation to your personal data. The main ones are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making and profiling
The sections below explain each of these in plain English and how they apply in our context.
Right to be informed
You have the right to know how we collect and use your personal data. We meet this right mainly through our Privacy and cookies policy and the other GDPR pages in this section.
If anything in those pages isn’t clear, you can always contact us and ask us to explain it in a different way.
Right of access
You have the right to ask us for a copy of the personal data we hold about you, along with certain information about how we use it. This is sometimes called a “subject access request”.
We will:
- acknowledge your request
- ask for any information we reasonably need to find the data
- verify your identity where necessary
- provide a response within the timescales set by law, usually within one month
In some cases, for example where a request is very complex or repeated, we may extend the response time or charge a reasonable fee. If that happens, we will explain why.
Right to rectification
If you believe that personal data we hold about you is inaccurate or incomplete, you can ask us to correct it.
We will:
- review the information you have provided
- update our records where we agree they need correcting
- record the changes we’ve made
In some cases we may need to keep a record of the fact that a previous value existed (for example for audit or compliance reasons), but we will not continue to use clearly inaccurate information going forward.
Right to erasure
You have the right to ask us to delete your personal data in certain circumstances, for example where:
- we no longer need the data for the original purpose
- you withdraw consent (where consent was the lawful basis)
- you successfully object to our use of the data
- we have processed the data unlawfully
This right is not absolute. For example, we may need to keep some data for legal, regulatory or contractual reasons, such as financial records.
Where we cannot delete data you have asked us to delete, we will explain why and, where possible, limit how it is used.
Right to restrict processing
In some situations you can ask us to “pause” our use of your data without deleting it. For example, if:
- you contest the accuracy of the data and we are checking it
- the processing is unlawful but you prefer restriction to deletion
- we no longer need the data but you need it to establish, exercise or defend a legal claim
- you have objected to processing and we are considering that objection
During restriction we will store the data but not use it in ways that you have asked us to avoid, unless we have a strong legal reason to do so.
Right to data portability
Where our processing is based on your consent or on a contract, and carried out by automated means, you may have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format and to ask us to transfer it to another controller.
In practice, this right is more relevant to certain types of consumer services than to most of what we do, but if you think it applies we will consider your request and explain what we can do.
Right to object
You have the right to object to our processing of your personal data where we rely on legitimate interests as the lawful basis, and to object to the use of your personal data for direct marketing.
If you object to direct marketing, we will stop that marketing. If you object to processing based on legitimate interests, we will consider your request and either:
- stop the processing; or
- explain why we believe we have compelling legitimate grounds to continue.
Automated decision-making and profiling
We do not carry out automated decision-making or profiling that has a legal or similarly significant effect on individuals. If this changes in future, we will update our privacy information and explain your rights in that context.
How to exercise your rights
To exercise any of these rights, please use the contact details set out in our Privacy and cookies policy. To help us handle your request, please:
- tell us which right(s) you want to exercise
- provide enough information to identify you and the data in question
- let us know which relationship you have with us (for example customer, supplier, staff member)
We may need to ask for proof of identity before we can share or change data, to prevent unauthorised access.
Response times
We aim to respond to rights requests within one month. For complex or numerous requests, this may be extended by up to two further months, in which case we will let you know and explain why.
We do not normally charge a fee, but we may do so (or refuse a request) where a request is clearly unfounded or excessive. Again, we will explain our reasoning if this applies.
If you have concerns
If you have any concerns about how we handle your personal data, we would encourage you to contact us first so we can try to resolve the issue. You also have the right to raise a concern with the UK Information Commissioner’s Office (ICO) if you are not satisfied with our response.
Contact details for the ICO are available on their website. Our own contact details are in the Privacy and cookies policy.