Privacy Centre

Why we are doing this

The General Data Protection Regulation, or GDPR, will become EU Law as of the 25th May 2018. This legislation is intended to bring data protection and privacy measures up to date with latest developments in technologies, data uses and standards. It supersedes the existing Data Protection Act 1998.

A cornerstone of GDPR differentiating it from existing legislation is the concept of privacy as a fundamental right. It is our responsibility to look after people’s data. This includes being clear about our purpose for processing personal data, recording our lawful basis for this, and enhancing our technological and operational measures to ensure data remains private and protected.

We at Quarto Consulting Ltd are implementing measures to ensure that as Data Controllers we factor data privacy by design in our decision making and undertake due diligence with our suppliers and associates who act as Data Processors on our behalf.

Privacy Notice

General Information

Data Controller

Quarto Consulting Ltd is a Data Controller of personal data associated with professional services for organisational development and delivery of associated learning and development programmes.

We have taken steps to ensure that we adopt best practice under General Data Protection Regulation (GDPR) to protect the privacy of individuals. We aim to maintain and whenever possible improve on the minimum standards for the assurance of individuals’ rights to data privacy and protection.

Quarto Consulting Ltd is registered with the Information Commissioner’s Office (ICO) as a Data Controller for the processing of Personal Data (ICO registration ZA342317).

Data Protection Office

As a Data Controller we recognise our responsibility in responding to individuals’ rights. We manage this process by executing procedures in line with GDPR requirements.

We coordinate Data Subject Access Requests through our Data Protection Office who is contacted by:

  • Post: Data Protection, Quarto Consulting Ltd, 9 High Street, Woburn Sands, Milton Keynes, MK17 8RF
  • Email:

How We Protect Your Personal Data

In order to protect your privacy, we train our employees and associates to understand their responsibilities in helping Quarto Consulting Ltd maintain GDPR compliance. We specifically focus on the following areas:

  • Notifying end users of their rights through Privacy Statements
  • Handling end users’ Data Subject Access Requests
  • Gaining agreements with third parties whether we are a Controller or Processor
  • And, what to do in the event of a personal data breach.

We review annually our staff awareness of data privacy and protection.

We also apply appropriate technical measures in order to protect personal data.

If you would like to know more about our approaches to GDPR, please contact our Data Protection Office.

Your Rights

As a Data Controller and a Data Processor we recognise our responsibility in responding to individuals’ rights. We manage this process by executing procedures in line with GDPR requirements for Data Subject Access Requests and prevention of data breaches in discharging our obligations during this process.

The right to be informed

We will inform individuals of their rights “at the point of first communication” and clearly lay this out in our privacy notices (see links below.)

The right to access

Should you wish to receive a record of the personal data that we hold about you, then we require you to contact us at the above Data Protection Office.

The right to rectification

We have implemented processes that ensure your personal data remains accurate and up to date. In the event data is deemed not accurate and you wish this data to be amended, you must contact us. You must specify which records you wish to be updated.

The right to erasure

At any time you may request that your personal data is erased from our records. We will erase all records in accordance with our storage and retention policy. You must provide details of the record you wish to be erased.

The right to restrict processing

You have the right to block or restrict the processing of your personal data. This means that we will store your personal data, but will not process it for further use. We will restrict processing under the following circumstances:

Where you contest the accuracy of the personal data, we will restrict processing until we have verified the accuracy of the personal data with you.

Where you object to the processing we will consider whether our businesses lawful basis overrides those of you as the individual. We will store the data, but will not undertake any further processing until both parties have agreed that our business use is within our lawful basis.

When processing is unlawful and the individual opposes erasure and requests restriction instead, we will store the data and will not undertake further processing. We refer you to the right to erasure policy, and will implement our erasure policy upon receiving your request.

Where we no longer need the personal data but you require the data to be retained to establish, exercise or defend a legal claim, you must state details of the record you wish to be retained. We will automatically delete personal data records in accordance with the retention policy. However, should you wish this data to be retained in order to establish, exercise or defend a legal claim, then we will store and retain this data until the legal claim has been resolved. We will inform you when we decide to lift a restriction on processing.

The right to data portability

You have the right to obtain and reuse your personal data for your own purpose. We will provide you with your personal data or move, copy or transfer that data to another business in a safe and secure way.

The right to data portability only applies to personal data you have provided to us and only where the lawful basis for processing is consent or contract.

We will provide this data to you or the business to which you require your personal data to be transferred, within one month of receiving instruction from you. However, if we decide that the data request is complex, then we will extend this time period for a further two months. Where this is the case, we will provide an explanation.

We will provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.

Where we are unable to transfer the data to another business due to technicalities or restrictions, then we will send the personal data to you for you to complete the transfer. This service will be provided free of charge.

The right to object

You have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). We will stop processing for direct marketing as soon as we receive your objection. We will stop processing from the date of receipt of your objection.

The right not to be subject to automated decision-making including profiling.

Within our professional services offering we process personal data using automated decision-making tools. These tools include our BSPI and CloudLine models. These tools are used to provide information back to data subjects and/or their employers regarding organisational development. \

Finding out more about your rights under GDPR

You can contact the ICO directly to obtain further information about your rights under GDPR. The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF. You can also contact them by telephone on 01625 545 745 or via their website at


Commercial Privacy Statement

Client, trainee and Quarto course participants Privacy Statement