1. Purpose and scope
This GDPR Policy explains how MERIDIAN CONSULTING GROUP LTD complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679). It sits alongside our Privacy Policy and Cookie Policy, and provides a single reference point for data protection matters.
2. Controller and contact
MERIDIAN CONSULTING GROUP LTD (registered in England and Wales, company number 17101771) is the data controller for personal data collected through this website, our client workspace and our consulting engagements.
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
- Company number: 17101771
- Data protection contact: legal@meridiangroup.it.com
We are not required to appoint a statutory Data Protection Officer under UK GDPR Article 37, but data protection responsibilities are allocated to a named member of our leadership team who is contactable at the address above.
3. Principles we apply
All personal data we process is handled in line with UK GDPR Article 5:
- Lawfulness, fairness and transparency.
- Purpose limitation - collected for specified, explicit, legitimate purposes.
- Data minimisation - only what is necessary.
- Accuracy - kept up to date and corrected where wrong.
- Storage limitation - kept for no longer than needed.
- Integrity and confidentiality - appropriate security.
- Accountability - we can demonstrate compliance.
4. Lawful bases
We process personal data only where we have one or more of the following lawful bases under UK GDPR Article 6:
- Performance of a contract.
- Consent (freely given, specific, informed and unambiguous).
- Legal obligation.
- Legitimate interests - balanced against your rights and freedoms through a Legitimate Interests Assessment.
- Recognised legitimate interests under the Data (Use and Access) Act 2025, where applicable.
- Vital interests or public interest - rarely used.
5. Your rights as a data subject
You have the following rights under UK GDPR:
5.1 Right to be informed
You have the right to clear, transparent information about how we use your data. Our Privacy Policy satisfies this requirement.
5.2 Right of access (Subject Access Request)
You may request confirmation of whether we process your personal data and, if so, a copy of that data together with supplementary information. We will respond within one month of receiving a valid request. Complex or numerous requests may take up to three months and we will explain any delay.
5.3 Right to rectification
You may ask us to correct inaccurate personal data or complete data that is incomplete. We will respond within one month.
5.4 Right to erasure (right to be forgotten)
You may ask us to delete your personal data where:
- It is no longer necessary for the purpose we collected it.
- You withdraw consent and there is no other lawful basis.
- You object and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
- Erasure is required to comply with a legal obligation.
This right is not absolute. We may refuse to erase data that we must retain to comply with legal obligations (for example, tax records), to establish, exercise or defend legal claims, or for archiving in the public interest.
5.5 Right to restriction of processing
You may ask us to restrict processing while we verify accuracy or consider your objection, or where processing is unlawful but you prefer restriction to deletion.
5.6 Right to data portability
Where processing is based on consent or contract and is carried out by automated means, you may ask for your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
5.7 Right to object
You may object at any time to processing based on legitimate interests or for direct marketing. We will stop unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims.
5.8 Rights related to automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you. We do not carry out such processing.
5.9 Right to withdraw consent
Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. How to exercise your rights
Send a request to legal@meridiangroup.it.com. Please include:
- Your full name and contact details.
- The right you wish to exercise.
- Enough information for us to identify you and locate your data (for example, the email address you used to register, the approximate dates of any engagement, and the nature of the data).
We may ask for proof of identity before acting on a request. Requests are handled free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
7. International data transfers
Where we or our processors transfer personal data outside the United Kingdom or the European Economic Area, we use at least one of the following safeguards under UK GDPR Article 46:
- UK adequacy regulations for the destination country.
- The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
- Binding Corporate Rules or other appropriate safeguards.
A list of transfers and copies of applicable safeguards are available on request to legal@meridiangroup.it.com.
8. Processors and sub-processors
We use a small set of carefully chosen processors. Each is bound by a written contract that meets UK GDPR Article 28 requirements, including obligations of confidentiality, security, breach notification and the return or deletion of data at the end of the relationship.
Our current processors are set out in Section 6 of our Privacy Policy. Before engaging a new sub-processor we carry out due diligence on their data protection posture.
9. Security measures
- Encryption of data in transit (TLS 1.2+) and at rest for stored personal data.
- Secure password hashing and two-factor authentication for internal accounts.
- Role-based access control with the principle of least privilege.
- Regular patching, dependency monitoring and vulnerability review.
- Bot protection (Cloudflare Turnstile) on all public forms.
- Audit logging for administrative and access events.
- Staff data protection awareness and confidentiality obligations.
10. Personal data breaches
Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office within 72 hours of becoming aware of it, in line with UK GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay with clear information about the breach and steps they can take.
To report a suspected breach involving our systems or data, contact legal@meridiangroup.it.com without delay.
11. Accountability and record-keeping
- We maintain a Record of Processing Activities (ROPA) covering all personal data we process as a controller.
- We conduct Legitimate Interests Assessments and, where required, Data Protection Impact Assessments before high-risk processing.
- We review this policy and our data protection practices at least annually and after any material change in our processing or the law.
12. Complaints
If you are not satisfied with how we have handled your personal data or your rights request, you can complain to the UK Information Commissioner’s Office:
- ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.
If you are based in the EEA, you can also lodge a complaint with your local supervisory authority.
13. Changes to this policy
We may update this GDPR Policy to reflect changes in law, our practices or our supplier chain. The “Last updated” date at the top indicates when it was last revised.
14. Contact
- Email: legal@meridiangroup.it.com
- Post: Data Protection, MERIDIAN CONSULTING GROUP LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.