GDPR & Privacy Policy 

Introduction 

At The Auction Rooms, we value and respect the privacy of our website visitors, clients, and members. This Privacy Policy outlines how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws. 

 

Accountability and Transparency 

We comply with GDPR’s accountability principle by: 

  • Maintaining detailed records of our data processing activities. 

  • Documenting the types of personal data we process, purposes of processing, third-party sharing, and implemented security measures. 

These records are available to the Information Commissioner’s Office (ICO) upon request and help ensure responsible handling of personal data. 

 

Information We Collect 

We may collect and process the following types of data: 

  1. Personal Data Provided by You: Name, email address, phone number, and business details provided when contacting us, registering for updates, or booking services. 

  2. Website Usage Data: Non-personal information such as IP addresses, browser type, and usage analytics, collected through cookies or similar technologies. 

  3. Visitor Data: Details such as name and contact information collected from occasional visitors to our coworking spaces, to ensure health, safety, and evacuation compliance. 

 

How We Use Your Data 

We use your data to: 

  • Respond to enquiries and provide requested services. 

  • Process bookings and manage contracts. 

  • Communicate updates, promotions, or newsletters. 

  • Improve website functionality and user experience. 

  • Comply with legal obligations and protect our business interests. 

 

Automated Decision-Making (ADM)  

Under 2025 law, ADM is permitted without consent, provided that: 

  • It doesn’t involve special category data 

  • It doesn’t have legal or significant effects 

  • Individuals are informed and can request human review 

We may use automated systems for identity verification or credit checks (e.g. via Credas). These automated decisions are used solely to verify service eligibility and do not produce legal or significant effects. Where applicable, individuals have the right to request a human review of any decision made solely by automated means. 

 

Cookies and Tracking Technologies 

Our website may use cookies or similar tracking technologies to enhance your browsing experience. These technologies collect non-personal information such as: 

  • Usage patterns 

  • Preferences 

  • Interactions with our website 

Cookies are small text files stored on your device that help us improve website functionality and personalise your experience. 

As of 2025, certain low-risk cookies (such as those used for performance analytics) may be used without explicit consent, in line with changes to UK data protection law. Users can still manage cookie preferences through their browser or our website settings. 

Types of Cookies We Use: 

  1. Essential Cookies: Necessary for the operation of our website (e.g., login functionality). 

  2. Performance Cookies: Track website usage statistics to help us improve performance. 

  3. Functionality Cookies: Remember your preferences for a more personalised experience. 

Managing Cookies: 

You can modify your browser settings to disable cookies or alert you when cookies are being used. However, disabling cookies may limit certain website features and functionality. 

For more information on how to manage cookies, visit your browser's support page. 

 

Third-Party Links 

Our website may include links to external websites or services. These third-party platforms operate independently and are governed by their own privacy policies. We are not responsible for their practices or content and encourage you to review their privacy policies before providing personal information. 

 

Lawful Bases for Processing 

We process personal data under the following bases: 

  • Contract: To provide services as agreed in our contracts. 

  • Consent: For newsletters and promotions where explicit consent is obtained. 

  • Legal Obligation: For regulatory compliance (e.g., health and safety). 

  • Legitimate Interests: To improve services, secure premises, and enhance user experience, ensuring individual rights are not overridden. 

For special category data (e.g., health data), we rely on GDPR Article 9 conditions, such as explicit consent or compliance with employment law. 

Under the Data Use and Access Act 2025, we may process personal data under recognised legitimate interests such as IT and network security, fraud prevention, and direct marketing, where applicable. In these cases, a Legitimate Interest Assessment is not required, although individual rights are respected. 

 

Sharing Data with Third Parties 

We collaborate with trusted third parties for service delivery: 

  • Squarespace: Website hosting and form submissions. 

  • OfficeRnD: Workspace management and memberships. 

  • Salto: Key card access. 

  • Mailchimp: Newsletter management. 

All processors comply with GDPR and maintain strong security measures. 

 

Threshold for International Data Transfers 

Where data is transferred outside the UK, we ensure that the receiving country offers data protection standards that are not materially lower than those of the UK, in line with the Data Use and Access Act 2025. 

Your Rights Under GDPR 

You have the following rights regarding your data: 

  1. Right to Be Informed: Transparent information provided at collection. 

  2. Right to Access: Request access to your data within one month. 

  3. Right to Rectification: Request corrections to inaccurate or incomplete data. 

  4. Right to Erasure: Request deletion of data under specified circumstances. 

  5. Right to Restrict Processing: Request limited use of your data in certain situations. 

  6. Right to Object: Object to direct marketing or other specific uses of your data. 

  7. Right to Withdraw Consent: Revoke consent for data processing at any time. 

 

Data Subject Access Requests (DSARs) 

Under the 2025 rules, if we require clarification from you in order to process your data access request, the one-month response period is paused (‘stop the clock’) until the requested clarification is received. 

 

Data Retention and Disposal 

We retain data only as long as necessary for its purpose. Outdated data is securely deleted or anonymised in compliance with GDPR. Retention policies are regularly reviewed to ensure alignment with business and statutory needs. 

 

Data Security 

We implement: 

  • Encryption for data in transit and storage. 

  • Role-based access controls. 

  • Regular audits and updates to IT systems. 

 

Data Breaches 

If a breach poses a risk to your rights, we will: 

  1. Notify the ICO within 72 hours. 

  2. Inform affected individuals without undue delay if the risk is high. 

 

Privacy by Design 

We integrate data protection into all processes by: 

  • Limiting data collection to what is necessary. 

  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing. 

  • Training staff on GDPR principles. 

 

Management Responsibility 

Our leadership team supports GDPR compliance by: 

  • Promoting accountability and a positive data protection culture. 

  • Ensuring all staff are trained in GDPR principles. 

  • Leading privacy-by-design initiatives in business processes. 

 

The Auction Rooms operates as the Data Controller for all personal data collected in connection with its services. All employees and contractors are considered Data Processors and are trained to handle data in accordance with this policy. 

Changes to This Policy 

This policy may be updated periodically to reflect changes in services or legal requirements. Updates will be noted with the effective date. 

 

Contact Us 

If you have questions or concerns, contact us: 

  • Phone: +44 7710 021 840 

  • Address: 22 Queen Street, Edinburgh.