General Data Protection Regulations (GDPR) Policy

Quadzu Limited aims to ensure that all individuals are aware of their rights and obligations concerning personal data processed by the Company. The business also has a duty to ensure that staff are aware of what they must do in order to comply with the provisions of the General Data Protection Regulations 2018.

General Data Protection Regulations Policy
Quadzu Limited processes personal data about all individuals in the normal course of its business for the purposes of creating and maintaining records in relation to employment.

The Company expects all individuals to fully comply with the General Data Protection Regulations Policy and its principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures contained within this policy.

All individuals will be responsible for:

  • Ensuring that any information they provide to the Company in connection with their employment is accurate and up to date
  • Informing the Company of any errors or changes to information which they have provided (e.g. change of contact details)
  • Checking the information that the Company holds about them from time to time for accuracy

Depending on their job role, individuals may also come into contact with, and use, confidential personal information about people and they are expected to handle such information in line with the provisions of this policy. If an employee is ever in any doubt about disclosing confidential information, they should seek advice from Company Management.

The fines for breaches of the General Data Protection Regulations are much more severe than those that could be levied under the old Data Protection Act. Under the new Regulations there are 2 tiers of fines that can be levied:
  • Up to €10 million, or 2% annual global turnover – whichever is higher
  • Up to €20 million, or 4% annual global turnover – whichever is higher

The fines are based on the specific articles of the General Data Protection Regulations that the organisation has breached. Infringements of the organisation's obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level. When deciding whether to impose a fine and the level, the ICO must consider:
  • The nature, gravity and duration of the infringement
  • The intentional or negligent character of the infringement
  • Any action taken by the organisation to mitigate the damage suffered by individuals
  • Technical and organisational measures that have been implemented by the organisation
  • Any previous infringements by the organisation or data processor
  • The degree of cooperation with the regulator to remedy the infringement
  • The type(s) of personal data involved
  • The way the regulator found out about the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the organisation notified the infringement
  • Whether, and, if so, to what extent, the controller or processor notified them of the infringement
  • Adherence to approved codes of conduct or certification schemes

Policy Details
"Data" refers to any information relating to an individual where the structure of the data allows information about the individual to be readily accessed. Almost all information about individuals that is processed on computer or held in a highly structured manual filing system is covered by the General Data Protection Regulations.

All personal data must be processed (handled) in accordance with the six key Principles:
  • data must be processed lawfully, fairly and in a transparent manner in relation to individuals
  • data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay
  • data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  • data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Data Security
Quadzu Limited has defined Confidential Information in the contract of employment. All such Confidential Information remains the property of the Company at all times. In particular, individuals must not use, copy or destroy any Confidential Information without the authorisation of the Company's management, express or implied, or in accordance with data retention schedules and confidential waste disposal processes identified in the respective policies.

Individuals must not disclose either directly or indirectly any Confidential Information to any other person or Company for any reason whatsoever without the express consent of the individual to whom the data relates.

Individuals are referred to the Information Security Policy - QUA-POL-0064 and guidelines relating to the use of computers, e-mail and the internet.

Individuals could be made criminally liable and fined if they knowingly or recklessly disclose personal information in breach of this policy. As a minimum, any breaches of this policy in relation to personal data security will result in disciplinary action and, in serious cases, may result in dismissal.

Conditions for Processing
Personal data must not be processed unless one of certain conditions is met. The individual must give their consent to the processing or alternatively the processing must be necessary for one of certain other reasons.

The Regulations also distinguish between personal data and "sensitive personal data", which relates to racial or ethnic origin, political or religious beliefs, trade union membership, physical or mental health (medical) data or criminal records. In these cases, more stringent conditions must be met in the processing of sensitive personal data.

General Guidelines
Storing Personal Data

Personal data must always be held securely. In the case of hard copy data, this could be in filing cabinets, locked cupboards/drawers or rooms with restricted access. In the case of electronic information, access should be subject to reasonable controls such as passwords. Reasonable steps should be taken to detect and prevent unauthorised access. Particular care should be taken when laptops are used to process personal data due to the nature of how and where company employees work (see the Home and Mobile Working Policy for details).

Employees must ensure that Company Management holds copies of any personal data they hold on a permanent employee, whether in electronic or manual form. Company Management should be able to say to an employee without hesitation that the information they have provided from their files is the total of personal data held concerning that employee.

Individuals must notify changes of name, address, telephone number, bank and marital status to the relevant team as soon as possible. Quadzu Limited reserves the right to periodically ask individuals to confirm any such personal data held by them.

Disclosing Personal Data
In most cases, personal data must not be disclosed to third parties (including family members, friends, Government bodies etc.) without the permission of the individual concerned, unless disclosure is exempted from the General Data Protection Regulations, Data Protection Act or by other legislation. If in doubt, please seek advice from Company Management. The sender and recipient of the personal data must sign and date a copy of the Quadzu Limited Data Sharing Agreement - QUA-AGR-0001 in which the recipient undertakes to keep the personal data confidential and to ensure that it is protected whilst in the recipient's hands.

Strict care and attention must be taken when transmitting personal data by e-mail or fax. Data should not be transmitted outside of the EEA.

Disposal of Personal Data
All records are retained for periods in line with the recommendations of the Information Commissioner (see the Information Retention and Disposal Policy - QUA-POL-0009 for further details). Beyond this, personal data will be disposed of when no longer effectively required for its purpose. The method of disposal must be appropriate to the sensitivity of the data. Disposal may include transfer to an appropriate confidential archive system, shredding or confidential disposal.

Ideally, electronic data should be destroyed by reformatting or overwriting. Note that “deleting” a computer file does not equate to destroying the data - such data can often be recovered.

Individual's Rights
The General Data Protection Regulation enhances the rights of individuals in relation to the information held by organisations on them. The regulations provide the following rights for individuals:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Procedure to Request Information
Individuals must put their request in writing using the form which can be obtained by contacting

All requests must be sent to Company Management to process. They will acknowledge receipt of all requests and arrange with the individual an appropriate date and time for dealing with the request, within one calendar month from the date of receipt. This can be extended to 3 months if the information requested is too complex, but the reason for the extension must be communicated to the subject.

Where the provision of information would reveal the identity of a third party, the information will not be provided unless the third party has given their consent or if it is deemed reasonable to proceed without their consent.


+44 (0) 333 210 0148

Contact Form



