+44 20 7332 4133

Privacy Notice


 

The following additional information is provided to comply with the requirements of the General Data Protection Regulation (GDPR). Quabbala Limited (“we”, “us” or “our”) is strongly committed to protecting personal data. This privacy notice describes why and how we obtain and use personal data and how it is processed.

 

 

Contact for data protection matters

 

Rubén García-Quismondo Pereda (contact details as above). If you have any questions about this privacy notice or how or why we process personal data, please contact us using one of the methods above.

 

 

Data protection

 

Processed data is stored in print and electronic format. We take the security of the data we hold very seriously and take measures to ensure the confidentiality and security of the data we use.

 

 

Electronic data

 

Electronic data is stored in emails, on local computers and mobile devices.

 

Our email provider and website hosting service (Website Palace) provides secure 256-bit encryption on secure servers. Our mobile devices use either Secure Sockets Layer (SSL) or Advanced Encryption Standard (AES) email standards.

 

Documents are stored on our computers and mobile devices using Dropbox (a secure file sharing service) which is compliant with ISO/IEC 27001/2 (Information Security Management), ISO/IEC 27017 (Cloud Security), ISO 27018 (Cloud Privacy and Data Protection) and SOC 2 (Security, Confidentiality, Integrity, Availability and Privacy) and is GDPR compliant. Our local computers and mobile devices are password protected for additional security.

 

Our blog is maintained using the WordPress application and is integrated within our website hosting service through an application programming interface (API) for extra security. The comments facility on the blog has been disabled to restrict the data collection activities by WordPress for our blog subscribers. Information about how WordPress and its owner Automattic handle data and use Cookies can be found on the Automattic website.

 

 

Paper data

 

Copies of data provided to us by our clients in paper format or printed electronic data will be destroyed using a cross-cut shredder once the service period to the client (as declared in the relevant engagement letter) has been concluded. Original documents will be returned to the client. Hand-written notes containing personal data may be retained for longer periods as set out below.

 

 

Cookies and similar technologies

 

Our website does not use Cookies to record visitor data such as site usage, response rates or IP addresses. We do, however, reserve the right to introduce this at a later date (for example, if we wish to gather page visitation statistics using a third-party analytics service provider). Any changes to this will be reflected in this privacy policy. In the event that we introduce these technologies, there is a simple procedure in most browsers which allows you to decline these technologies, or to be given the choice of accepting or declining them.

 

 

Data processing

 

The information below relates to data we use for two main areas: data we use to send out our technical update and blog emails and data we use/store to provide our services and products.

 

 

 

1 – Technical update and blog update emails

 

 

Purposes of the processing

 

We send our technical updates via email. Blog update emails are generated from WordPress as part of the subscription setup.

 

 

Lawful basis for the processing

 

The GDPR requires active consent to be given for us to send email updates. The exception is where individuals have already been receiving emails from us and we believe the recipient has a legitimate interest in the material we are providing. We believe this exception applies to recipients of our technical updates. Blog email updates are only sent out to individuals who have subscribed to receive them; by providing your email address to subscribe to blog updates, you consent to the processing of data for this purpose.

 

 

Categories of personal data obtained

 

The data for our technical update emails consists of name, firm and email address. The firm is recorded to identify ambiguities and clarify potential duplications where an individual has changed firms. WordPress stores the email address of our blog subscribers.

 

 

Recipients

 

We do not send our technical update email data to any other parties. Data is stored within our email provider’s server and WordPress (blog subscribers only).

 

 

Retention periods for the personal data

 

The data for our technical update emails is retained on an ongoing basis on our email distribution lists. Recipients who wish to cease to receive our technical updates will have their data removed from our distribution lists. Blog subscribers’ data is retained for the duration of the subscription only.

 

 

The source of the personal data

 

The source of the personal data we have used for our technical update emails was provided in the 2013 R3 Directory and subsequent annual directories. We also access information from the Registrar of Companies and other similar public-access data providers. The source of the personal data for blog subscribers is from subscribers themselves.

 

 

 

2 – Data used/stored to provide our services and products

 

Data used to provide our services and products consists of data used/stored about our clients and data used/stored provided by our clients.

 

 

 

2a – Data used/stored about our clients

 

 

Purposes of the processing

 

We process your personal data because you use your email address and your password to sign in to our website. We also process your personal data for the purpose of sending you important information about updates to our products and services. Each product/service has a separate distribution list for our updates. We also process client data for administration purposes to provide engagement letters and invoices. It may also be necessary to process data in order to prevent or detect crime, fraud or corruption or to defend or take legal actions related to the provision of our services or products.

 

 

Lawful basis for the processing

 

The lawful basis for processing your personal data is our legitimate interest in protecting the security of your website login, the copyright of our products and services and the administration and maintenance of our contracts with our clients through our engagement letters and invoices. In addition, such processing is required in order to meet the terms of our engagements with our clients.

 

 

Categories of personal data obtained

 

Contact name, email address, firm and address, telephone number(s).

 

 

Recipients

 

This data is confidential to us and the client. However, in exceptional circumstances it may be necessary to share data with our professional advisers or with law enforcement or other government or regulatory agencies.

 

 

Retention periods for the personal data

 

Client information is retained for the length of the engagement plus up to a maximum of 7 years. Clients are removed from the relevant distribution list at the end of the contract if it is not renewed.

 

 

The source of the personal data

 

This data is usually obtained direct from the client on contract inception. Historically, we may have used the 2013 R3 Directory and subsequent annual directories, information from the Registrar of Companies and other similar public-access data providers.

 

 

 

2b – Data used/stored provided by our clients

 

Purposes of the processing

We process data and documents from our clients and potentially their clients as part of our compliance reviews, technical support and other services as described in our engagement letter to our clients. It may also be necessary to process data in order to prevent or detect crime, fraud or corruption or to defend or take legal actions related to the provision of our services or products.

 

 

Lawful basis for the processing

 

We have a legitimate interest in requesting and reviewing client files when making compliance reviews for a client. We need to process the data received from our clients in order to meet the terms of our engagements with them. We also have a legitimate interest in retaining the data for the periods described below in order to assist clients if they have reason to ask us about the service provided after completion and to defend or take legal actions should the need arise.

 

 

Categories of personal data obtained

 

This may include, but is not limited to, names, addresses and other contact information of clients and related third parties, books and records and financial information. This data may be in print or electronic format.

 

 

Recipients

 

This data is confidential to us and the client and is only used to provide the services set out in the engagement letter. However, in exceptional circumstances it may be necessary to share data with our professional advisers or with law enforcement or other government or regulatory agencies.

 

 

Retention periods for the personal data

 

Any original documents will be returned to the client. Apart from documents which may legally belong to the client, we intend to destroy correspondence and other papers (in print and electronic format) that we store which are more than seven years old, other than documents which we consider to be of continuing significance. It is a client’s responsibility to inform us if retention of a particular document is required.

 

 

The source of the personal data

 

This data is derived primarily from the client. To provide the services to our clients, we also access information from the Registrar of Companies and other similar public-access data providers, which is processed and stored alongside data received from clients.

 

 

Rights available to individuals (all services/products)

 

Access to your information – you have the right to request a copy of the personal information about you that we hold.

Correcting your information – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Deletion of your information – you have the right to ask us to delete personal information about you where:

– you consider that we no longer require the information for the purposes for which it was obtained;

– you have validly objected to our use of your personal information – see Objecting to how we may use your information below; or

– our use of your personal information is contrary to law or our other legal obligations.

If you have subscribed to our blog you can unsubscribe by selecting the ‘unsubscribe’ link in any of the WordPress blog update emails.

Objecting to how we may use your information – you have the right at any time to require us to stop using your personal information for email updates (although we strongly advise at least one individual per client to receive updates to maintain the currency of our products/services).

Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you do not want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Please contact us in any of the ways set out in the Name and Contact Details section if you wish to exercise any of these rights.

 

 

Changes to our privacy statement

 

We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained by contacting us by any of the ways set out in the Name and Contact Details section.

CONTACT
Contact any of our offices in Spain, Hong Kong & London.

You can also contact us through our email:
info@quabbala.com