GDPR Compliance

Your data protection rights under UK GDPR

Last updated: 15 April 2026

Our Commitment to Data Protection

Cannafadge Ltd takes data protection seriously. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we uphold your rights and what steps we take to protect your personal data.

Who We Are

Cannafadge Ltd acts as the data controller for personal information we collect and process. This means we determine how and why your data is used. Our contact details:

Cannafadge Ltd
Unit 14, Riverside Business Centre
Pomona Strand
Manchester, M15 4QY
Email: [email protected]

Your Rights Under GDPR

The UK GDPR provides you with specific rights regarding your personal data. We are committed to facilitating these rights promptly and transparently.

Right to Be Informed

You have the right to know how we collect and use your personal data. Our Privacy Policy provides detailed information about our data processing activities, including what data we collect, why we collect it, and how long we keep it.

Right of Access

You can request a copy of the personal data we hold about you. This is commonly known as a "subject access request." We will provide:

  • Confirmation that we are processing your data
  • A copy of your personal data
  • Information about how we use your data
  • Details of any third parties we share your data with

We respond to access requests within 30 days. There is no fee for reasonable requests.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you have the right to have it corrected. Contact us with the specific data you believe is incorrect, and we will investigate and update our records where necessary.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Erasure is required for legal compliance

Some data may be exempt from erasure if we need to retain it for legal, accounting, or legitimate business purposes.

Right to Restrict Processing

You can request that we limit how we use your data while we address a concern you have raised. This applies when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

Right to Data Portability

Where we process your data based on consent or contract, and processing is automated, you can request your data in a structured, commonly used, machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.

Right to Object

You can object to processing of your personal data in specific situations:

  • Processing based on legitimate interests (we must demonstrate compelling grounds to continue)
  • Processing for direct marketing (we must stop immediately)
  • Processing for research or statistics (unless necessary for public interest)

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making systems that affect your rights in this way.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. Please include:

  • Your full name and contact details
  • The specific right you wish to exercise
  • Any relevant details to help us identify your data

We may need to verify your identity before processing your request. This protects your data from unauthorised access.

Response Times

We respond to all data protection requests within 30 calendar days. If a request is complex or we receive many requests, we may extend this by up to two additional months. We will inform you if an extension is necessary and explain the reason.

Legal Bases for Processing

Under GDPR, we must have a valid legal basis for processing personal data. We rely on the following bases:

Contractual Necessity

We process data necessary to fulfil rental agreements, sales contracts, and service bookings. Without this data, we cannot provide our services.

Legitimate Interests

We process data for our legitimate business interests, provided these do not override your rights. This includes:

  • Improving our services and customer experience
  • Protecting our equipment from loss or damage
  • Administrative and operational purposes
  • Preventing fraud and security threats

Legal Obligation

We process data as required by law, including tax regulations, health and safety requirements, and regulatory compliance.

Consent

Where we rely on consent, you can withdraw it at any time. This applies primarily to marketing communications and certain cookies. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

Data Protection Measures

We implement technical and organisational measures to protect personal data:

  • Access controls limiting data access to authorised personnel
  • Encryption of data in transit and at rest where appropriate
  • Regular security assessments and updates
  • Staff training on data protection obligations
  • Data processing agreements with third-party providers
  • Incident response procedures for potential breaches

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours
  • Inform affected individuals without undue delay where there is high risk
  • Document the breach and our response

International Data Transfers

When we transfer personal data outside the UK, we ensure adequate protection through:

  • Adequacy decisions by the UK government
  • Standard Contractual Clauses approved by the ICO
  • Binding Corporate Rules where applicable

Data Protection Impact Assessments

For processing activities likely to result in high risk to individuals, we conduct Data Protection Impact Assessments (DPIAs). This helps us identify and minimise data protection risks before implementing new processes or technologies.

Records of Processing Activities

We maintain records of our processing activities as required by Article 30 of the UK GDPR. These records document what personal data we process, why, with whom it is shared, and retention periods.

Supervisory Authority

The Information Commissioner's Office (ICO) is the UK's supervisory authority for data protection. If you believe we have not handled your data appropriately, you have the right to lodge a complaint:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

We encourage you to contact us first so we can address your concerns directly.

Updates to This Information

We review our GDPR compliance regularly and update this page as necessary. Significant changes will be communicated through our website.

Contact

For any questions about GDPR or data protection, contact us at [email protected] or write to us at our registered address.