1 Our legal obligations
As an organisation, we have to comply with the provisions of the General Data Protection Regulation (“GDPR”) when processing personal data about our employees, our suppliers and our customers. In broad terms, this means that we have to comply with the GDPR when we keep personal data in a computer or in certain filing systems and when we obtain, use and disclose such data.
The GDPR requires us to:
- declare the basis on which data is stored (data can be stored under multiple bases) and what the rights are for each basis
- process (and store) data in a lawful, fair, accurate, timely and transparent manner, and only as required for the running of the business
- remove data that is no longer required for the purpose for which it was collected as soon as possible
- notify the office of the UK Data Commissioner as soon as possible after a breach, and
- appoint a Data Protection Officer (“DPO”) to ensure that the principles of the GDPR are adhered to.
The GDPR describes the following types of sensitive personal data as “special categories of personal data”: information concerning racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, and the commission or alleged commission of any offence. Quru does not store any such sensitive personal data and the company will not ask for it. Should you be asked for any such information by any employee or officer of Quru, then such a request is for their personal interest only, has nothing to do with Quru and, of course, you should consider carefully whether you provide any answers.
1.1 The bases under which data is stored
Quru stores personal data under two bases:
- Consent, and
- Contract.
Data held under the Contract basis is that which is needed to complete our contractual obligations with the individual, whether an employee, supplier or customer. This will include name and address details, information about the service covered under the contract and any supplementary information about the individual that might be legally necessary in the completion of the contract. This might, for example, include payroll details, appraisals and communications between the company and the individual concerning the contract in place.
All other information is deemed to have been voluntarily given to the company and is stored on the consent basis.
2 How and where data is stored
Data is stored in a number of places according to the type of data.
| Type of data | Where it is stored |
|---|---|
| Supplier information | In our ERP system and in paper records |
| Purchaser information | In our ERP system, in our CRM system and in paper records |
| Lead information | In our CRM system |
xTuple is Quru’s ERP system and is used for purchase and sales order processing. Information is only added to xTuple when a contract for purchase or sale has been undertaken or when a quotation is made or received. The xTuple data is held in an unencrypted PostgreSQL server in Quru’s server farm. It is also replicated to Quru’s DR servers.
ZoHo is a CRM as a service. It is used to hold leads and details of any potential or actual purchaser. Data is stored by ZoHo on their own servers.
Paper records are generally stored in Quru’s filing cabinets but contracts for employment and sealed letters of intent for Quru’s life assurance scheme are held in Quru’s registered office.
2.1 Data storage
Data stored on the Consent basis will be stored only for as long as it is necessary. Such information given by employees will only be stored whilst they are employees. Information given by suppliers will be held whilst they continue to be suppliers. Information given by customers and potential customers will be held whilst there is a likelihood that they will be customers in the future.
Data stored on the Contract basis will be stored for up to 7 years after the last contractual obligation was completed.
3 Data transparency and removal
Employees are able to see any of the data pertaining to themselves and can request to see any printed material by asking either a Director or the HR administrator.
Employees are free to remove any data given on the Consent basis at any time, but do so knowing that this might impact the company’s ability to contact them or their emergency contacts. Employees may request the removal of any paperwork containing only information given on the Consent basis through either a Director or the HR administrator. Such paper records will be given to the employee within 3 working days of any such request.
Customers, potential customers, suppliers and potential suppliers may request to be informed of any data pertaining to themselves as individuals by emailing a request to [email protected] and all details will be provided within 10 working days.
Customers, potential customers, suppliers and potential suppliers may request the removal of any data provided on the Consent basis by emailing a request for this to be done to [email protected]; such data will be deleted within 10 working days and the deletion confirmed by email to the requester.
4 Data Protection Officer
Quru’s data protection officer is Roland Whitehead and he can be contacted at [email protected]
5 Obligations on employees
It is the responsibility of all employees of Quru to ensure that any information about themselves is accurate and up to date.
It is the responsibility of any employee in contact with any supplier, customer, potential supplier or potential customer to check the data held about such individuals at least once a year, and to ensure that it is up to date and still required.