GDPR Compliance Statement

Last Updated: May 22, 2026

Our Commitment to Data Protection

Calm Morn Environmental Consulting is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and UK data protection laws.

This page outlines how we comply with GDPR principles and what this means for you.

Data Controller Information

For the purposes of data protection legislation, Calm Morn Environmental Consulting is the data controller responsible for your personal data.

Data Controller: Calm Morn Environmental Consulting
Address: 14 Woodland Court, Bristol BS8 4PL, United Kingdom
Email: [email protected]

GDPR Principles We Follow

We process all personal data in accordance with the following GDPR principles:

1. Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate how and why we collect and use your data through our Privacy Policy and at the point of collection.

2. Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes only. We do not process data in ways incompatible with those purposes without informing you.

3. Data Minimization

We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed. We don't collect excessive information.

4. Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. You can request corrections to inaccurate data at any time.

5. Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. See our data retention schedules in the Privacy Policy.

6. Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure data security, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage.

Your Rights Under GDPR

Under GDPR, you have comprehensive rights regarding your personal data:

Right of Access

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data and receive information about how it's being processed.

Right to Rectification

You can request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • It's no longer necessary for the purposes it was collected
  • You withdraw consent and there's no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • It must be erased to comply with a legal obligation

Note: This right is not absolute. We may need to retain certain information for legal or regulatory compliance (e.g., project records required under professional standards).

Right to Restriction of Processing

You can request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making of this nature.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: [email protected]
  • Post: Calm Morn Environmental Consulting, 14 Woodland Court, Bristol BS8 4PL, United Kingdom

We will respond to your request within one month of receipt. In complex cases, we may extend this by up to two months and will inform you of any such extension.

Data Processing Activities

We process personal data for the following purposes:

Service Delivery

  • Legal basis: Contract performance and legitimate interests
  • Data types: Contact details, organization information, project specifications
  • Retention: 7 years after project completion (regulatory requirement)

Inquiry Management

  • Legal basis: Consent and legitimate interests
  • Data types: Name, email, inquiry details
  • Retention: 2 years after last contact

Marketing Communications

  • Legal basis: Consent
  • Data types: Email address, name, preferences
  • Retention: Until consent is withdrawn

Website Analytics

  • Legal basis: Legitimate interests (improving our website)
  • Data types: IP address, browsing behavior, device information
  • Retention: Anonymized after 26 months

Data Security Measures

We implement the following security measures to protect your personal data:

  • SSL/TLS encryption for all data transmission
  • Access controls limiting data access to authorized personnel only
  • Regular security assessments and updates
  • Secure data storage with encryption at rest
  • Staff training on data protection and security
  • Incident response procedures for potential data breaches

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (ICO) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and remedial actions

Third-Party Data Processors

We engage certain third-party service providers who process personal data on our behalf. All processors are carefully selected and bound by data processing agreements that ensure GDPR compliance.

Current categories of processors include:

  • Website hosting and infrastructure providers
  • Email service providers
  • Analytics services

We ensure all processors provide sufficient guarantees regarding data security and processing standards.

International Data Transfers

We primarily process data within the United Kingdom. When data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection standards
  • Other approved transfer mechanisms under GDPR

Children's Data

Our services are not directed at children under 18. We do not knowingly process personal data of children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

Data Protection Officer

While we are not legally required to appoint a Data Protection Officer, data protection matters are overseen by our management team. For data protection inquiries, contact [email protected].

Complaints and Supervisory Authority

If you believe we have not handled your personal data in compliance with GDPR, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement periodically to reflect changes in our practices, legal requirements, or regulatory guidance. Significant changes will be communicated through our website.

Contact Us

For questions about GDPR compliance or to exercise your rights, contact us:

Email: [email protected]
Post: Calm Morn Environmental Consulting, 14 Woodland Court, Bristol BS8 4PL, United Kingdom