Quadzu Limited aims to ensure that all individuals are aware of their rights and obligations concerning personal data processed by the Company.
The business also has a duty to ensure that staff are aware of what they must do in order to comply with the provisions of the General Data Protection Regulations 2018.
General Data Protection Regulations Policy
Quadzu Limited processes personal data about all individuals in the normal course of its business for the purposes of creating and maintaining records in relation to employment.
The Company expects all individuals to fully comply with the General Data Protection Regulations Policy and its principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures contained within this policy.
All individuals will be responsible for:
- Ensuring that any information they provide to the Company in connection with their employment is accurate and up-to-date
- Informing the Company of any errors or changes to information which they have provided (e.g. change of contact details)
- Checking the information that the Company holds about them from time-to-time for accuracy
Depending on their job role, individuals may also come into contact with, and use, confidential personal information about people and they are expected to handle such information in line with the provisions of this policy. If an employee is ever in any doubt about disclosing confidential information, they should seek advice from Company Management.
The fines for breaches of the General Data Protection Regulations are much more severe than those that could be levied under the old Data Protection Act.
Under the new Regulations there are 2 tiers of fines that can be levied:
- Up to €10 million, or 2% annual global turnover – whichever is higher
- Up to €20 million, or 4% annual global turnover – whichever is higher
The fines are based on the specific articles of the General Data Protection Regulations that the organisation has breached. Infringements of the organisation's obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual's privacy rights will be subject to the higher level.
When deciding whether to impose a fine and the level, the ICO must consider:
- The nature, gravity and duration of the infringement
- The intentional or negligent character of the infringement
- Any action taken by the organisation to mitigate the damage suffered by individuals
- Technical and organisational measures that have been implemented by the organisation
- Any previous infringements by the organisation or data processor
- The degree of cooperation with the regulator to remedy the infringement
- The type(s) of personal data involved
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified them of the infringement
- Adherence to approved codes of conduct or certification schemes
"Data" refers to any information relating to an individual where the structure of the data allows information about the individual to be readily accessed.
Almost all information about individuals that is processed on computer or held in a highly structured manual filing system is covered by the General Data Protection Regulations.
All personal data must be processed (handled) in accordance with the six key Principles:
- data must be processed lawfully, fairly and in a transparent manner in relation to individuals
- data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay
- data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or
Quadzu Limited has defined Confidential Information in the contract of employment. All such Confidential Information remains the property of the company at all times.
In particular, individuals must not use, copy or destroy any Confidential Information without the authorisation of the Company's management, express or implied, or other than in accordance with the data retention schedules and confidential waste disposal processes identified in the respective policies.
Individuals must not disclose, either directly or indirectly, any Confidential Information to any other person or company for any reason whatsoever without the express consent of the individual to whom the data relates.
Individuals are referred to the Information Security Policy - QUA-POL-0064 and guidelines relating to the use of computers, e-mail and the internet.
Individuals could be made criminally liable and fined if they knowingly or recklessly disclose personal information in breach of this policy. As a minimum, any breaches of this policy in relation to personal data security will result in disciplinary action and, in serious cases, may result in dismissal.
Conditions for Processing
Personal data must not be processed unless one of certain conditions is met. The individual must give their consent to the processing or, alternatively, the processing must be necessary for one of certain other reasons.
The Regulations also distinguish between personal data and "sensitive personal data", which relates to racial or ethnic origin, political or religious beliefs, trade union membership, physical or mental health (medical) data or criminal records. In these cases, more stringent conditions must be met in the processing of sensitive personal data.
Storing Personal Data
Personal data must always be held securely. In the case of hard copy data, this could be in filing cabinets, locked cupboards/drawers or rooms with restricted access.
In the case of electronic information, access should be subject to reasonable controls such as passwords. Reasonable steps should be taken to detect and prevent unauthorised access.
Particular care should be taken when laptops are used to process personal data due to the nature of how and where company employees work (see the Home and Mobile Working Policy for details).
Employees must ensure that Company Management holds copies of any personal data they hold on a permanent employee, whether in electronic or manual form.
Company Management should be able to say to an employee without hesitation that the information they have provided from their files is the total of personal data held concerning that employee.
Individuals must notify changes of name, address, telephone number, bank details and marital status to the relevant team as soon as possible. Quadzu Limited reserves the right to periodically ask individuals to confirm any such personal data held by them.
Disclosing Personal Data
In most cases, personal data must not be disclosed to third parties (including family members, friends, Government bodies etc.) without the permission of the individual concerned, unless disclosure is exempted from the General Data Protection Regulations, Data Protection Act or by other legislation. If in doubt, please seek advice from Company Management. The sender and recipient of the personal data must sign and date a copy of the Quadzu Limited Data Sharing Agreement - QUA-AGR-0001, in which the recipient undertakes to keep the personal data confidential and to ensure that it is protected whilst in the recipient's hands.
Strict care and attention must be taken when transmitting personal data by e-mail or fax. Data should not be transmitted outside of the EEA.
Disposal of Personal Data
All records are retained for periods in line with the recommendations of the Information Commissioner (see the Information Retention and Disposal Policy - QUA-POL-0009 for further details).
Beyond this, personal data will be disposed of when no longer effectively required for its purpose. The method of disposal must be appropriate to the sensitivity of the data.
Disposal may include transfer to an appropriate confidential archive system, shredding or confidential disposal.
Ideally, electronic data should be destroyed by reformatting or overwriting. Note that “deleting” a computer file does not equate to destroying the data - such data can often be recovered.
The General Data Protection Regulation enhances the rights of individuals in relation to the information held by organisations on them. The regulations provide the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Procedure to Request Information
Individuals must put their request in writing using the form which can be obtained by contacting email@example.com.
All requests must be sent to Company Management to process. They will acknowledge receipt of all requests and arrange an appropriate date and time for dealing with the request with the individual within one calendar month from the date of receipt. This can be extended to 3 months if the information requested is too complex, but the reason for the extension must be communicated to the subject.
Where the provision of information would reveal the identity of a third party, the information will not be provided unless the third party has given their consent or it is deemed reasonable to proceed without their consent.