GDPR Compliance

Last updated: May 20, 2026

Our Commitment to Data Protection

cyber-flick is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we comply with these regulations and your rights as a data subject.

Data Controller

cyber-flick is the data controller responsible for your personal information. Our contact details are:

cyber-flick
17 Harbourside Walk
Bristol, BS1 6TL
United Kingdom
Email: [email protected]

Your Rights Under UK GDPR

You have the following data protection rights:

1. Right to be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided in our Privacy Policy and this GDPR page.

2. Right of Access

You can request access to your personal data and receive a copy of the information we hold about you. This is commonly known as a "subject access request." We will respond to your request within one month, free of charge.

How to make a request: Email [email protected] with "Subject Access Request" in the subject line. Please provide sufficient information to identify you and specify what information you're requesting.

3. Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it. We will respond within one month and notify any third parties with whom we've shared the data.

How to request rectification: Email us with details of the information you believe is inaccurate or incomplete.

4. Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purpose for which we collected it
  • You withdraw consent on which processing is based
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased for compliance with a legal obligation

Limitations: This right does not apply if we need to retain data for legal obligations, establishment of legal claims, or other legitimate purposes defined in law.

5. Right to Restrict Processing

You can request that we limit how we use your data in certain situations:

  • When you contest the accuracy of the data (restriction applies while we verify accuracy)
  • When processing is unlawful but you don't want the data erased
  • When we no longer need the data but you need it for legal claims
  • When you've objected to processing (restriction applies while we verify legitimate grounds)

6. Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format. You can also request that we transfer your data directly to another organization where technically feasible.

This right applies when:

  • Processing is based on your consent or contract performance
  • Processing is carried out by automated means

7. Right to Object

You can object to processing of your personal data in certain circumstances:

  • Direct Marketing: You have an absolute right to object to processing for direct marketing purposes at any time
  • Legitimate Interests: You can object to processing based on legitimate interests. We must stop processing unless we demonstrate compelling legitimate grounds that override your interests

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not currently employ automated decision-making processes.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: [email protected]
Subject line: Include the specific right you're exercising (e.g., "Subject Access Request" or "Right to Erasure")

Response Time: We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of the extension and reasons.

Verification: To protect your data, we may ask for additional information to verify your identity before fulfilling your request.

No Fee: We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under UK GDPR:

Consent

We may process your data based on consent you've given for specific purposes. You can withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

Contract Performance

We process data necessary to fulfill our contractual obligations when you enroll in our programmes, including delivering services and managing your enrollment.

Legal Obligation

We process data when required to comply with legal obligations, such as tax laws and safeguarding requirements for working with children.

Legitimate Interests

We may process data based on legitimate interests, provided these interests don't override your rights and freedoms. Our legitimate interests include:

  • Improving our services and educational programmes
  • Ensuring network and information security
  • Understanding how our website is used to enhance user experience
  • Communicating relevant programme information

Special Category Data

We generally do not process special category data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.). If programme delivery requires processing special category data (e.g., learning needs or health information affecting participation), we will:

  • Obtain your explicit consent
  • Process only data necessary for service delivery
  • Implement additional security measures
  • Limit access to authorized personnel only

Children's Data

We are particularly committed to protecting children's personal data. When processing data about children:

  • We obtain parental or guardian consent for children under 13
  • We collect only information necessary for programme delivery
  • We ensure age-appropriate privacy notices
  • We implement enhanced security measures
  • Parents can access, rectify, or erase their child's data at any time

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Access controls and authentication systems
  • Regular security assessments and penetration testing
  • Staff training on data protection and confidentiality
  • Secure disposal procedures for data no longer needed
  • Incident response procedures

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the breach and steps we're taking
  • Advise on measures you can take to protect yourself

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms, particularly when introducing new technologies or processing activities.

International Data Transfers

We primarily store and process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place:

  • Adequacy decisions recognizing the recipient country's data protection standards
  • Standard contractual clauses approved by the UK authorities
  • Other lawful transfer mechanisms under UK GDPR

Third-Party Processors

When we engage third-party processors (e.g., payment processors, email service providers), we ensure they:

  • Provide sufficient guarantees of appropriate technical and organizational measures
  • Process data only on our documented instructions
  • Maintain confidentiality of personal data
  • Assist with data subject rights requests
  • Notify us of any data breaches

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law:

  • Programme data: During enrollment and 3 years after completion
  • Financial records: 7 years (UK tax requirements)
  • Marketing data: Until you opt out or request deletion
  • Website analytics: 26 months

We regularly review data retention and securely delete or anonymize data no longer needed.

Complaints and Supervisory Authority

If you're not satisfied with how we've handled your personal data, you can complain to the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: cyber-flick.com

We encourage you to contact us first so we can address your concerns directly.

Updates to GDPR Compliance

We regularly review and update our data protection practices to ensure ongoing compliance. Significant changes will be communicated through our website and, where appropriate, by direct communication.

Contact Our Data Protection Officer

For questions about data protection or GDPR compliance, contact us at:

Email: [email protected]
Subject: Data Protection Enquiry
