DATA PROTECTION POLICY

Last updated: July 2025

1. Scope

This Policy sets out how North Quay Holdings Limited ("North Quay") approaches compliance with UK data protection legislation — in particular the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this Policy, please contact us at dpo@northquayholdings.com. We may modify this Policy at any time.

2. Background: the UK GDPR

The UK GDPR strengthens the rights of individuals ('data subjects') in relation to their personal data and places compliance obligations on organisations that process personal data.

The UK GDPR is enforced by the Information Commissioner's Office (ICO), which has significant powers including the ability to issue fines of up to 4% of annual global turnover or £17.5 million (whichever is higher) for the most serious violations.

3. Key Terms

Data controller — An organisation that determines the purpose and means of processing personal data. North Quay is generally the data controller of client personal data.

Data processor — An organisation that processes personal data on behalf of a data controller. This may include, for example, cloud hosting providers. North Quay may also act as a data processor for certain client services. Data processors are directly regulated under UK GDPR.

Personal data breach — A breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Personal data — Any information relating to a living individual, including name, identification number, location, or online identifier such as an email address. Personal data used in a business context remains regulated by UK GDPR.

Processing — Virtually anything done with personal data: obtaining, collecting, analysing, storing, sharing, altering, or deleting it.

Special categories of personal data — Data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning an individual's sex life or sexual orientation. Separate but similar rules apply to criminal conviction and offence data.

4. Data Processing Principles

The UK GDPR requires that personal data must be:

  • Processed lawfully, fairly and transparently

  • Collected for specific, explicit purposes and used only for those purposes

  • Relevant and limited to what is necessary

  • Accurate and kept up to date

  • Retained no longer than necessary

  • Processed with appropriate security

The UK GDPR's accountability principle also requires North Quay to be able to demonstrate that its processing is lawful. This includes keeping records of processing activities, documenting significant decisions about personal data use, and maintaining an audit trail of privacy notices and updates.

5. How and Why We Process Client Data

North Quay processes client personal data for the following purposes:

  • Providing our services in accordance with our standard client terms

  • Communicating with prospective clients about our services

  • Administrative and compliance purposes, including finance, IT systems, and client communications

We usually collect personal information about clients directly from those individuals. We also process data when individuals use the North Quay website.

UK GDPR requires us to identify a lawful basis for each processing activity — these are set out in our Client Privacy Notice.

It is a common misconception that UK GDPR always requires consent. While we may seek consent in certain specific circumstances (for example, where we are instructed to conduct searches producing reports on publicly available information about an individual), we generally rely on other lawful bases. Requirements around direct marketing communications derive from separate regulations, not the UK GDPR itself.

6. Your Rights

You have the following rights in relation to personal data we hold about you:

Right of access — You may request access to the personal data we hold about you (a 'Subject Access Request'). This right is free of charge and can be exercised without using formal language. We will respond within one month (extendable by two months for complex requests).

Right to rectification — You may require us to correct any inaccurate personal data we hold about you.

Right to erasure — You may request that we delete your personal data in certain circumstances.

Right to restriction — You may request that we restrict our processing of your data in certain circumstances.

Right to data portability — You may request that we provide your personal data in a portable, commonly used format for transmission to another data controller.

Right to object — You may object to our processing of your data where you feel it has a disproportionate impact on you.

Right to object to automated decision-making — You may object to automated decisions made about you without human intervention, including profiling.

None of these rights are absolute and exceptions may apply. To exercise any of these rights, please contact us at dpo@northquayholdings.com.

7. International Data Transfers

Personal data must not be transferred outside the UK unless:

  • It is transferred to a country declared to have adequate protection by the UK (including the EEA); or

  • It is transferred under the UK International Data Transfer Agreement (IDTA) or another approved mechanism providing appropriate safeguards; or

  • A specific 'derogation' applies — for example, your explicit consent to the transfer.

8. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it is processed. Retention periods are determined on a purpose and risk basis in accordance with applicable law and ICO guidance.

9. Complaints

You have the right to complain about how your data is handled — whether to North Quay directly or to the ICO. We ask that you contact us in the first instance so that we can seek to resolve your concern. We aim to respond to all complaints within 30 days.

Contact us: dpo@northquayholdings.com

Information Commissioner's Office: ico.org.uk | 0303 123 1113

North Quay Holdings Limited | Company Number: 16438926 | 1 Curzon Street, London, W1J 5HA