GDPR Compliance

Last Updated: 1 June 2026

sienna-marsh is committed to complying with the General Data Protection Regulation (GDPR) and protecting the personal data of our website visitors and clients. This page outlines our GDPR compliance measures and your rights as a data subject.

1. Data Controller

sienna-marsh acts as the data controller for personal information collected through our website and services. Our contact details are:

sienna-marsh
47 Wellington Square
Chelsea, London SW3 4NJ
United Kingdom

Email: [email protected]

2. Your Rights Under GDPR

The GDPR provides you with specific rights regarding your personal data:

Right to Access (Article 15)

You have the right to request a copy of the personal data we hold about you and to receive information about how it is processed.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure (Article 17)

Also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

3. Lawful Bases for Processing

We process personal data under the following lawful bases as defined by GDPR Article 6:

• Consent (Article 6(1)(a)): Where you have provided explicit consent for specific processing activities
• Contract (Article 6(1)(b)): Where processing is necessary to perform a contract or take steps at your request before entering into a contract
• Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation
• Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights and freedoms

4. Data Protection Measures

We implement appropriate technical and organisational measures to ensure the security of personal data, including:

• Encryption of data in transit and at rest where appropriate
• Access controls limiting data access to authorised personnel
• Regular security assessments and updates
• Staff training on data protection responsibilities
• Secure data disposal procedures

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods vary depending on the type of data and purpose of processing. When data is no longer required, it is securely deleted or anonymised.

6. International Transfers

If we transfer personal data outside the United Kingdom or European Economic Area, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the relevant authorities
• Transfers to countries with adequate data protection recognised by the UK or EU
• Binding Corporate Rules where applicable

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly.

8. Exercising Your Rights

To exercise any of your GDPR rights, please contact us using the details provided above. We will respond to your request within one month. In complex cases, this period may be extended by two additional months, in which case we will inform you of the extension and the reasons for it.

We may request verification of your identity before processing your request to ensure we are responding to the correct individual.

9. Complaints

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Website: ico.org.uk

10. Updates to This Information

We may update this GDPR compliance information from time to time. Any changes will be posted on this page with an updated revision date.