1. Our Commitment to Data Protection
GetMy Ltd is committed to protecting your personal data and
respecting your privacy. We comply with the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page explains your rights under UK GDPR and how we help you
exercise those rights.
Key Principles
We process your data according to six fundamental principles:
- Lawfulness, fairness and transparency - We process data legally, fairly, and transparently
- Purpose limitation - We collect data for specified, legitimate purposes only
- Data minimization - We collect only what we need
- Accuracy - We keep data accurate and up to date
- Storage limitation - We keep data no longer than necessary
- Integrity and confidentiality - We protect data with appropriate security
2. Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your
personal data:
2.1 Right of Access (Article 15)
What it means: You have the right to request a
copy of your personal data.
How to exercise: Submit a Subject Access Request (SAR) to
enquiries@getmy.group
Response time: Within 30 days (free of charge)
What you'll receive:
- Confirmation that we process your data
- Copy of your personal data in machine-readable format
- Information about purposes, categories, recipients, and retention periods
2.2 Right to Rectification (Article 16)
What it means: You can correct inaccurate or
incomplete personal data.
How to exercise: Update your information through account
settings or email enquiries@getmy.group
Response time: Within 30 days
2.3 Right to Erasure / "Right to be Forgotten" (Article 17)
What it means: You can request deletion of your
personal data in certain circumstances.
When it applies:
- Data is no longer necessary for the purpose it was collected
- You withdraw consent and there's no other legal basis
- You object to processing and there are no overriding legitimate grounds
- Data was unlawfully processed
- Data must be erased for legal compliance
Exceptions: We may refuse erasure if data is
needed for:
- Legal compliance (e.g., 7-year UK tax retention requirement)
- Establishment, exercise, or defense of legal claims
- Archiving, research, or statistical purposes in the public interest
2.4 Right to Restriction of Processing (Article 18)
What it means: You can request that we limit how
we use your data.
When it applies:
- You contest the accuracy of data (restriction while we verify)
- Processing is unlawful but you don't want data erased
- We no longer need the data but you need it for legal claims
- You've objected to processing (restriction pending verification)
2.5 Right to Data Portability (Article 20)
What it means: You can receive your data in a
structured, commonly used format and transfer it to another
controller.
When it applies:
- Processing is based on consent or contract
- Processing is carried out by automated means
Export formats we provide:
- JSON (machine-readable)
- CSV (spreadsheet-compatible)
- PDF (human-readable)
2.6 Right to Object (Article 21)
What it means: You can object to processing based
on legitimate interests or for direct marketing.
Grounds for objection:
- Processing for legitimate interests or public task
- Direct marketing (we must stop immediately)
- Processing for research or statistical purposes (unless public interest grounds)
How to exercise: Email enquiries@getmy.group or use the opt-out
link in marketing emails
2.7 Rights Related to Automated Decision-Making (Article 22)
What it means: You have the right not to be
subject to solely automated decisions with legal or significant
effects.
Our practice: We do not currently use fully
automated decision-making. Any AI-assisted features require human
review.
3. How to Exercise Your Rights
3.1 Online Portal
Once logged in to your GetMy account:
- Go to Settings → Privacy & Data
- Click "My Data Rights"
- Select the right you wish to exercise
- Follow the prompts to submit your request
3.2 Email Request
Send an email to enquiries@getmy.group with:
- Subject line: "GDPR Request - [Type of Request]"
- Your full name and email address associated with your account
- Description of your request and the right you wish to exercise
- Proof of identity (if required for verification)
3.3 Verification Process
To protect your privacy, we may ask you to verify your identity
before processing requests. This may involve:
- Confirming account details
- Two-factor authentication
- Government-issued ID (for high-risk requests)
3.4 Response Timeframes
- Standard requests: Within 30 days
- Complex requests: Up to 60 days (with notification of extension)
- Marketing opt-out: Immediate (no delay)
4. Legal Basis for Processing
We process your personal data under the following legal bases:
| Purpose | Legal Basis | GDPR Article |
| --- | --- | --- |
| Provide Services | Contract Performance | Article 6(1)(b) |
| Payment Processing | Contract Performance | Article 6(1)(b) |
| Security & Fraud Prevention | Legitimate Interests | Article 6(1)(f) |
| Service Improvement | Legitimate Interests | Article 6(1)(f) |
| Tax & Legal Compliance | Legal Obligation | Article 6(1)(c) |
| Marketing Communications | Consent | Article 6(1)(a) |
5. Data Protection Impact Assessments (DPIA)
We conduct Data Protection Impact Assessments for:
- New technologies or processing operations
- Large-scale processing of special category data
- Systematic monitoring of public areas
- Automated decision-making with legal effects
Our DPIAs identify and mitigate data protection risks before
processing begins.
6. Data Breach Notification
6.1 Our Obligations
In the event of a personal data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours (if risk to rights and freedoms)
- Notify affected individuals without undue delay (if high risk to rights and freedoms)
- Document all breaches and our response
6.2 What We'll Tell You
If we notify you of a breach, we'll provide:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for further information
- Steps you should take to protect yourself
7. International Data Transfers
7.1 Data Location
Your data is primarily stored and processed in the United Kingdom
(Azure UK South region).
7.2 Transfers Outside the UK
If we transfer data outside the UK, we ensure adequate protection
through:
- Adequacy Decisions: Countries recognized by the UK as providing adequate protection
- Standard Contractual Clauses (SCCs): ICO-approved contract terms
- Binding Corporate Rules: For intra-group transfers
- Derogations: Explicit consent or necessity for contract performance
7.3 Onward Transfer Restrictions
Our data processing agreements prohibit onward transfers without
equivalent safeguards.
8. Data Processing Agreements
8.1 You as Data Controller
When you use GetMy services to process your clients' data:
- You are the Data Controller - You determine purposes and means of processing
- We are the Data Processor - We process data on your behalf according to your instructions
8.2 Data Processing Agreement (DPA)
Our DPA (incorporated into our Terms of Service) includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Your rights and obligations as controller
- Our obligations as processor (Article 28 compliance)
- Security measures (technical and organizational)
- Sub-processor requirements and controls
- Data subject rights assistance
- Data breach notification procedures
- Return or deletion of data upon termination
- Audit rights and cooperation obligations
9. Records of Processing Activities
As required by Article 30, we maintain comprehensive records of:
- Processing activities we conduct as a data controller
- Processing activities we conduct on behalf of controllers (as processor)
- Categories of data processed
- Legal basis for processing
- Data recipients and transfers
- Retention periods
- Security measures
These records are available to the ICO upon request.
10. Data Protection Officer (DPO)
Our Data Protection Officer oversees GDPR compliance and serves as
the point of contact for:
- Data protection queries
- Data subject requests
- Supervisory authority (ICO) inquiries
- Breach notifications
Contact our DPO:
Email: dpo@getmy.group
Email: enquiries@getmy.group
11. Complaints and Supervisory Authority
11.1 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information
Commissioner's Office (ICO) if you believe we have not complied
with UK GDPR.
11.2 Information Commissioner's Office (ICO)
Address: Information Commissioner's Office,
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113
Live Chat: Available on ICO website
Report a Concern: https://ico.org.uk/make-a-complaint/
11.3 We Encourage Contact First
While you have the right to complain directly to the ICO, we
encourage you to contact us first so we can try to resolve your
concerns quickly.
12. Accountability and Compliance
12.1 Accountability Principle
We demonstrate compliance through:
- Written policies and procedures
- Data protection by design and by default
- Staff training and awareness programs
- Regular privacy audits and reviews
- Data Protection Impact Assessments
- Vendor due diligence and contracts
- Incident response and breach procedures
12.2 Certifications and Standards
We maintain:
- ISO 27001 (Information Security Management)
- SOC 2 Type II (Security, Availability, Confidentiality)
- Cyber Essentials Plus
13. Privacy by Design and Default
13.1 Privacy by Design
We embed data protection into our systems and processes from the
outset:
- Minimal data collection (only what's necessary)
- Encryption by default (in transit and at rest)
- Pseudonymization where possible
- Access controls and least privilege principle
- Secure development lifecycle
13.2 Privacy by Default
Our default settings prioritize privacy:
- Marketing opt-in (not opt-out)
- Minimal data sharing with third parties
- Privacy-preserving analytics
- Automatic data retention limits