GDPR Compliance

Last updated: 17 April 2026

Our Commitment to Data Protection

Ancient Liability Limited is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and protect your rights under these regulations.

As a financial services firm authorised by the Financial Conduct Authority, we maintain particularly high standards for data security and privacy.

Data Controller Information

Data Controller: Ancient Liability Limited
Company Registration: 08734521
Registered Address: 142 Bishopsgate, London, EC2M 4AW
ICO Registration: ZA847392
Data Protection Officer: [email protected]

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to know how we collect and use your personal data. We provide this information through our Privacy Policy and this GDPR page, and we communicate transparently about our data processing activities.

Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide this information free of charge within one month of receiving your request.

To make a SAR, please email [email protected] with proof of identity.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you can request that we correct or complete it. We will respond to rectification requests within one month.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

This right is not absolute. We may need to retain information to comply with legal obligations, such as FCA record-keeping requirements for client files.

Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to our processing.

Right to Data Portability

You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.

Right to Object

You can object to processing of your personal data where we rely on legitimate interests as the legal basis. We must stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

You have an absolute right to object to processing for direct marketing purposes at any time.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not generally make automated decisions about clients, but where we do, we will inform you and provide a means to request human intervention.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact our Data Protection Officer:

Email: [email protected]
Post: Data Protection Officer, Ancient Liability Limited, 142 Bishopsgate, London, EC2M 4AW

We will respond to all requests within one month of receipt. In complex cases, we may extend this period by up to two months and will inform you of any such extension.

We may need to verify your identity before processing certain requests to protect your data from unauthorised access.

Lawful Basis for Processing

We only process personal data when we have a lawful basis to do so under UK GDPR:

Consent

Where you have given clear consent for us to process your personal data for a specific purpose, such as receiving marketing communications. You can withdraw consent at any time.

Contract

Processing is necessary to fulfil a contract with you or to take steps at your request before entering into a contract. This includes providing the pension advisory services you have engaged us for.

Legal Obligation

Processing is necessary to comply with legal obligations we are subject to, such as FCA regulations requiring us to maintain client records and conduct identity verification.

Legitimate Interests

Processing is necessary for our legitimate business interests or those of a third party, provided these interests are not overridden by your rights. For example, we may process data to prevent fraud or to improve our services.

Vital Interests

Processing is necessary to protect someone's life. This basis is rarely used in our business context.

Public Task

Processing is necessary to perform a task in the public interest or for official functions. This basis is not typically relevant to our business.

Data Minimisation and Storage Limitation

We adhere to the GDPR principles of data minimisation and storage limitation:

  • We only collect personal data that is necessary for the specific purposes we have identified
  • We do not retain data for longer than necessary to fulfil those purposes
  • We regularly review the data we hold and delete information that is no longer needed
  • Some data must be retained for specific periods to meet regulatory requirements

Security Measures

We implement appropriate technical and organisational measures to ensure data security:

  • Encryption of data both in transit and at rest
  • Multi-factor authentication for system access
  • Regular security audits and penetration testing
  • Staff training on data protection and security
  • Secure disposal of physical and electronic records
  • Business continuity and disaster recovery plans
  • Incident response procedures for data breaches

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk to them
  • Document all data breaches, including facts, effects, and remedial action taken
  • Take immediate steps to contain and mitigate the breach

Third-Party Data Processors

When we engage third parties to process personal data on our behalf, we ensure:

  • They are bound by written contracts requiring GDPR compliance
  • They implement appropriate security measures
  • They only process data according to our documented instructions
  • They notify us of any data breaches
  • They assist us in meeting our GDPR obligations
  • They delete or return data when processing services end

International Data Transfers

Personal data is primarily processed and stored within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with adequacy decisions from the UK government
  • Use of Standard Contractual Clauses approved by the UK authorities
  • Binding Corporate Rules for transfers within corporate groups
  • Other approved transfer mechanisms under UK GDPR

Privacy by Design and by Default

We implement privacy by design and by default in our operations:

  • Data protection considerations are integrated into all new systems and processes
  • Default settings provide the highest level of privacy protection
  • We conduct Data Protection Impact Assessments for high-risk processing
  • Regular reviews ensure ongoing compliance with GDPR principles

Children's Data

Our services are not directed at children under 18. We do not knowingly process data of children. If we become aware that we have collected data from a child without appropriate parental consent, we will delete that information promptly.

Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact our Data Protection Officer in the first instance. We will investigate and respond to all complaints.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ancient-liability.com

Updates to This Information

We review and update our GDPR compliance information regularly to ensure it remains accurate and current. Any significant changes will be communicated through our website and directly to clients where appropriate.