GDPR Compliance Policy
Last updated: May 2026
1. Our Commitment to GDPR
Northwest Consulting (a subsidiary of TWBI Limited, Company No. 15384568) is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out our approach to data protection governance, lawful processing, and individual rights.
2. Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: We process data lawfully and transparently.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
- Data minimisation: We collect only the data that is necessary for the stated purpose.
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage limitation: Data is retained only for as long as necessary.
- Integrity and confidentiality: We implement appropriate technical and organisational measures to protect personal data.
3. Lawful Bases for Processing
We rely on the following lawful bases for processing personal data:
- Consent (Article 6(1)(a)): For marketing communications and non-essential cookies. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time.
- Legitimate interests (Article 6(1)(f)): For responding to enquiries, providing requested content, and improving our services, where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation.
4. Cookie Policy
We use the following categories of cookies:
- Strictly necessary cookies: Required for the website to function. These cannot be disabled.
- Analytics cookies: Used to understand how visitors interact with our website. Only set with your consent.
- Preference cookies: Used to remember your choices (e.g. cookie consent). Only set with your consent.
You can manage your cookie preferences via the consent banner displayed on your first visit. Your preferences are stored in your browser's local storage.
5. Data Subject Rights
Under UK GDPR, you have the following rights:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete data.
- Right to erasure: You may request deletion of your personal data in certain circumstances.
- Right to restrict processing: You may request that we restrict the processing of your data.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
6. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data transmission (HTTPS), access controls, and regular security reviews.
7. International Transfers
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR requirements.
8. Data Breach Procedures
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
9. Contact and Complaints
For any data protection queries, please contact us at [email protected].
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.