GDPR - What Rights Data Protection Policy and Privacy Policy

This page details how we process the personal data we hold on you, and how you can control the retention and use of that data. When you begin a business relationship with us, the data you provide may be used for different purposes and be treated in different ways. In light of this, we highlight the ‘journey’ that a customer engages in, from initial order through to the end of the subscription, in order that you can understand how your data is used and why. Essentially, we seek only to use and retain such data that is necessary either for the performance of our contract with you (i.e. supplying the product or service that you have purchased), or where some other lawful purpose is engaged (e.g. holding data for accounting record purposes).


‘What Rights’ is Marc Walker and What Rights Limited, a company registered in England and Wales.

In order to purchase products and/or services from What Rights, we ask that you review, and accept (consent to) this data protection policy, note however that What Rights relies upon Article 6(1)(b) of GDPR (necessary for the performance of a contract).


All data that is held by ourselves or those on our behalf is encrypted, backed up on at least a daily basis, and stored on servers or computers based in the EU (case reports, but not other data may be held outside of the EU). Where data is held on, or capable of being accessed by desktop, laptop or tablet computers, that equipment is (a) password protected, (b) encrypted and (c) secured by two-factor authentication. What Rights is registered as Marc Walker with the Information Commissioner’s Office. We have satisfied ourselves that all third-parties who hold your data on our behalf will comply with GDPR from the date of commencement, at the latest.


Our core position in relation to the processing of data is this: What Rights wishes at all times to comply with both the letter and spirit of data protection legislation. We will work openly with you to resolve any concerns that you have.’


The new regulations are complex and we like other businesses are still carefully working through the implications in order to implement compliant solutions, therefore the contents of this page will inevitably evolve over time.


If you wish to see the data that we hold or request its deletion, please send an email via the website contact page and we will contact you to facilitate this. We aim to comply with all requests within 20 working days.


Processes and Your data


Payments - Where an account is ordered via the website, or an invoice is paid via debit/credit card or direct debit.

These transactions are handled by third-parties, either Square (in the case of card payment) or GoCardless for direct debit transactions. We have temporary access to your financial data in order to present it to those institutions for the purposes of carrying out such transactions only.  Both Square and GoCardless are approved financial institutions and you should contact them directly if you have questions in relation to your data use.  Where a payment is made, the transaction is recorded by our bank/payment processor, we have access to your identity and payment confirmation in order to reconcile your account, these details are retained for a period of 7 years from date of payment.


Your order - We ask for: name, address, business address, email address and telephone contact number. We use these details to generate invoices and create accounting records for HMRC and other accounting purposes (i.e. 'legal obligations' under GDPR). These details are retained for a period of 7 years from the date of transaction.


What Rights Website - Our website stores your name, address, telephone number and email contacts. We do not accept paid advertisements for products/services and do not sell/rent or otherwise share use of our customer databases. We do not sell or use your details for any other purpose. Tracking data: We are aware that our website is capable of logging some usage via link click tracking and IP addresses. This is not information that we monitor. We use Google Analytics to monitor website usage, data is deleted after 14 months from a user’s last activity, on a rolling 1 month basis. We will amend this section once this is finalised.


Case details – We store your name, address, telephone number, email and personal identification details, such as passport number, in connection with the contracted services we provide for you.  When those services end, we retain your details for 7 years from the date of conclusion of the case.


I want to see my data, or request deletion - Of course, please send us an email.


Social Media - We maintain a number of social media accounts. All data is maintained by the relevant controller. You are free to follow/unfollow/block in accordance with the terms of those services.


Unsolicited contact - You may contact us via email, webchat, social media etc. We may maintain a record of that exchange. In particular please note that our email systems are hosted on a platform that allows for permanent and unlimited storage of emails. You do of course have the right to have such data deleted.