GDPR Compliance Statement

Last Updated: May 25, 2026

Our Commitment to GDPR

pearly-journey is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations under these laws.

Data Controller Information

pearly-journey is the data controller for personal information processed through our services and website.

Legal Entity: pearly-journey Ltd
Registration Number: 12345678
Registered Address: 32 Wellington Street, Leeds, LS1 4DL, United Kingdom
Data Protection Contact: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under Article 6 of UK GDPR:

1. Contractual Necessity (Article 6(1)(b))

We process data necessary to perform our contract with you when you enrol in our programmes, including:

  • Managing programme participation
  • Scheduling sessions
  • Providing educational materials
  • Processing payments

2. Legitimate Interests (Article 6(1)(f))

We process data for legitimate business interests, including:

  • Improving our services and programmes
  • Website analytics and performance optimization
  • Fraud prevention and security
  • Internal business operations

We always balance our interests against your rights and freedoms.

3. Consent (Article 6(1)(a))

Where we rely on consent, such as for marketing communications, we:

  • Obtain clear, affirmative consent
  • Provide easy opt-out mechanisms
  • Allow you to withdraw consent at any time
  • Keep records of consent

4. Legal Obligation (Article 6(1)(c))

We process data to comply with legal requirements, including:

  • Financial record-keeping
  • Tax obligations
  • Safeguarding requirements (where applicable)

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You can request confirmation of whether we process your data and obtain a copy of that data. We will respond within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We will rectify data without undue delay.

Right to Erasure (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the purpose collected
  • You withdraw consent (where consent is the lawful basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may retain certain data where required by law (e.g., financial records).

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email us at [email protected]
  2. Clearly state which right you wish to exercise
  3. Provide sufficient information for us to verify your identity
  4. Specify the data or processing activity in question

We will respond to requests within one month. In complex cases, we may extend this by two months and will inform you of any extension.

Special Category Data

We do not routinely process special category data (sensitive personal data as defined in Article 9). If we need to process such data for safeguarding or other purposes, we will:

  • Obtain explicit consent where required
  • Ensure appropriate safeguards are in place
  • Process only the minimum data necessary
  • Document our legal basis clearly

Children's Data

We process data about children as part of our educational services. Under UK GDPR:

  • We collect information from parents/guardians, not directly from children
  • Parents have full control over their child's data
  • We implement age-appropriate privacy measures
  • We provide clear information about data use
  • Parents can exercise all GDPR rights on behalf of their children

Data Security Measures

We implement appropriate technical and organizational measures as required by Article 32:

Technical Measures

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Secure authentication and access controls
  • Regular security updates and patches
  • Firewall protection
  • Secure backup systems

Organizational Measures

  • Staff training on data protection
  • Data protection policies and procedures
  • Access restricted on need-to-know basis
  • Confidentiality agreements with staff and processors
  • Regular review of security measures
  • Incident response procedures

Data Breach Procedures

In the event of a data breach, we will:

  • Assess the risk to individuals' rights and freedoms
  • Notify the ICO within 72 hours if required
  • Notify affected individuals without undue delay if high risk exists
  • Document the breach and our response
  • Take steps to mitigate the breach

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when implementing new systems or processes that may pose high risks to individuals' rights and freedoms.

Third-Party Processors

We ensure all third-party processors comply with GDPR by:

  • Conducting due diligence before engagement
  • Establishing written contracts with data processing clauses
  • Ensuring processors provide sufficient guarantees
  • Monitoring compliance on an ongoing basis
  • Ensuring processors only process data on our instructions

International Transfers

If we transfer data outside the UK, we ensure appropriate safeguards under Chapter V of UK GDPR:

  • Standard Contractual Clauses approved by the UK government
  • Adequacy decisions where applicable
  • Additional security measures where necessary

Record Keeping

As required by Article 30, we maintain records of processing activities including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers
  • Retention periods
  • Security measures

Privacy by Design and Default

We implement data protection principles from the design stage of all systems and processes (Article 25):

  • Data minimization: collecting only necessary data
  • Purpose limitation: using data only for specified purposes
  • Storage limitation: retaining data only as long as necessary
  • Pseudonymization where appropriate
  • Privacy-friendly default settings

Accountability

We demonstrate compliance with GDPR principles through:

  • Documentation of processing activities
  • Implementation of appropriate policies
  • Regular staff training
  • Data protection impact assessments
  • Appointment of a data protection lead
  • Regular compliance audits

Contact the Data Protection Authority

You have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: pearly-journey.com
Helpline: 0303 123 1113

Updates to This Statement

We review this GDPR compliance statement regularly and update it as necessary to reflect changes in our practices or legal requirements.

Questions or Concerns

If you have any questions about our GDPR compliance or wish to exercise your rights, please contact:

Email: [email protected]
Address: 32 Wellington Street, Leeds, LS1 4DL, United Kingdom