Terms of Use
& Privacy Policy

Terms of Use

Last Updated: November 25, 2019
 
No Offer or Advice

You acknowledge that the content of this website “the site” is for general, informational purposes only and is not intended to constitute an offer to sell or buy any securities or other assets or promise to undertake or solicit business and may not be relied upon in connection with any offer or sale of securities or other assets. An offer or solicitation will be made only through a final private placement memorandum, subscription agreement and other related documents with respect to a particular investment opportunity and will be subject to the terms and conditions contained in such documents, including the qualifications necessary to become an investor. Quad-C Management, Inc. (“Quad-C,” “the Adviser,” or “we”) makes no representations that any information provided via the site is accurate, current or complete. You are solely responsible for evaluating the risks and merits regarding the use of the site and any services provided herein.

We are not utilizing the site to provide investment or other advice, and nothing on the site is to be deemed a recommendation that you buy, sell or hold any security or other investment or that you pursue any investment style or strategy. If you would like investment, accounting, tax or legal advice, you should consult with your own advisors with respect to your individual circumstances and needs.

Past Performance

The information contained on, or comments expressed on, the site may include certain prior indications of past investment performance. In considering such prior performance information, you should bear in mind that past performance is not indicative of future results, and no representation is being made that any investment will or is likely to achieve profits or losses similar to those achieved in the past, or that significant losses will be avoided. Past or targeted portfolio company characteristics may not be indicative of future portfolio company characteristics. With respect to statements made herein that state or imply Quad-C’s potential value additions or creations to a portfolio company, there can be no assurance that any such value addition or creation will ultimately be achieved as planned.

Forward Looking Statements

The contents of the site may contain forward-looking statements that are based on management’s beliefs, assumptions, current expectations, estimates, and projections about the financial industry, the economy, or Quad-C’s investments. “Forward-looking statements” can be identified by the use of forward-looking terminology such as “may,” “will,” “should,” “expect,” “anticipate,” “target,” “project,” “estimate,” “intend,” “continue,” or “believe” or the negatives thereof or other variations thereon or comparable terminology. These statements are not guarantees of future performance and involve certain risks, uncertainties and assumptions that are difficult to predict with regard to timing, extent, likelihood and degree of occurrence. Therefore, actual results and outcomes may materially differ from what may be expressed or forecasted in such forward-looking statements. Furthermore, Quad-C undertakes no obligation to update, amend or clarify forward-looking statements, whether as a result of new information, future events or otherwise.

Site Contents

All content included on the site, such as text, images, graphics, logos, articles and other materials, is the property of Quad-C or others and is protected by applicable laws. All trademarks and logos displayed on the site are the property of their respective owners, who may or may not be affiliated with Adviser. Nothing contained on the site should be construed as granting, by implication, estoppel or otherwise, any license or right to use any content or trademark displayed on the site without the written permission of Adviser or such other third party that may own the content or trademark displayed on the site. Nothing in this disclaimer shall constitute a waiver of any trademark or other intellectual property rights concerning name, logo or trademark. Please be advised that Adviser may enforce its intellectual property rights to the fullest extent of the law.

Restrictions on Use

The information, materials and other content of the Site may not be copied, displayed, distributed, licensed, modified, published, reposted, reproduced, reused, sold, transmitted, used to create a derivative work or otherwise used for public or commercial purposes without the express written consent of Adviser.  

No Warranty; Limitation of Liability

BY USING THE SITE, YOU ACKNOWLEDGE: (1) THAT YOUR USE OF THE SITE IS AT YOUR SOLE RISK; (2) THAT YOU ASSUME FULL RESPONSIBILITY FOR ALL COSTS ASSOCIATED WITH YOUR USE OF THE SITE; AND (3) THAT ADVISER SHALL NOT BE LIABLE FOR ANY DAMAGES, LOSSES OR LIABILITIES OF ANY KIND RELATED TO YOUR USE OF OR INABILITY TO USE THE SITE, INCLUDING WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, COMPENSATORY OR CONSEQUENTIAL DAMAGES, LOST PROFITS AND/OR LOSS OF OR DAMAGE TO PROPERTY WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE STRICT LIABILITY, OR ANY OTHER BASIS, EVEN IF ADVISER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL ADVISER BE LIABLE FOR ANY DAMAGES, LOSSES OR LIABILITIES, IN CONNECTION WITH YOUR RELIANCE ON OR USE OR INABILITY TO USE THE INFORMATION, MATERIALS, PRODUCTS OR SERVICES ON THE SITE, OR IN CONNECTION WITH ANY FAILURE OF PERFORMANCE, ERROR, OMMISSION, INTERRUPTION, DEFECT OR DELAY IN OPERATION OR TRANSMISSION, COMPUTER VIRUS, LINE OR SYSTEM FAILURE OR OTHER COMPUTER MALFUNCION EVEN IF ADVISER IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, LOSSES, OR EXPENSES. NEITHER ADVISER NOR ANY PARTY INVOLVED IN CREATING, PRODUCING OR DELIVERING THE SITE SHALL BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, DIRECT, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR PUNITIVE DAMAGES ARISING OUT OF ACCESS TO, USE OF OR INABILITY TO USE THE SITE, OR ANY ERRORS OR OMISSION IN THE CONTENT THEREOF. THIS LIMITATION INCLUDES DAMAGES TO, OR FOR ANY VIRUSES THAT INFECT YOUR COMPUTER EQUIPMENT. ADVISER RESERVES THE RIGHT TO ALTER OR REMOVE THE CONTENT OF THE SITE OR SUSPEND OR TERMINATE YOUR USE IN ANY WAY, AT ANY TIME, FOR ANY REASON, WITHOUT PRIOR NOTIFICATION, AND WILL NOT BE LIABLE IN ANY WAY FOR POSSIBLE CONSEQUENCES OF SUCH CHANGES.

Select Portfolio Investments

The site includes a list of select Quad-C portfolio investments, which are provided as examples of Quad-C’s investment capabilities for the benefit of management teams or other parties interested in partnering with Quad-C. No assumptions should be made that these investments were or will be profitable. Past performance should not be relied upon as an indication of future results. Past or targeted portfolio company characteristics may not be indicative of future portfolio company characteristics. With respect to statements made herein that state or imply Quad-C’s potential value additions or creations to a portfolio company, there can be no assurance that any such value addition or creation will ultimately be achieved as planned.

Source of Information

Certain information contained in the site may have been obtained from published and non­published sources, including from companies in which the Adviser funds may have invested. Such information may not have been, and in many cases, has not been, independently verified, and the Adviser does not assume responsibility for the accuracy of such information. Certain information contained herein has been obtained from published sources and/or prepared by third-parties and in certain cases has not been updated through the date hereof. All information contained herein is subject to revision and the information set forth herein does not purport to be complete.

Modifications to Content

We may, at our discretion, modify or discontinue any of the content of this site, or any portion thereof, with or without notice.

Links from Other Websites

The site may contain links to, or may be linked from, other sites that are not maintained by us and to which we have not provided permission. We do not endorse, have any responsibility for, or make any representations about, any other sites, including their products and services, content, communications and website use policies. Adviser has neither reviewed the contents of these third-party websites nor does Adviser claim any responsibility for the content or suitability of these third-party websites and Adviser makes no express or implied warranty about the accuracy, copyright compliance, legality, merchantability or any other aspect of the content of such links.  The use of third party websites is entirely at your own risk. We expressly disclaim any responsibility for your access to or use of such other sites. By accessing these links, you acknowledge that such other sites or locations are not under the control of Adviser and you agree that Adviser shall not be responsible for any information or additional links found at such site or location, or for your use of such information.

Governing Law; Dispute Resolution

You agree that your use of this site and any disputes relating to any of them shall be governed in all respects by the laws of the Commonwealth of Virginia, without giving effect to its conflict of laws principles. The failure of Adviser to act with respect to a breach of these Terms by you or others does not constitute a waiver and will not limit Adviser’s rights with respect to such breach or any subsequent breaches.

Law Applicable Based on User Location

We control and operate the site from our offices in the United States of America and any access or use of the site by you will be deemed to be at our offices in the United States.  We do not represent that the site is appropriate or available for use in other locations.  Persons who choose to access the site from locations outside of the United States of America do so on their own initiative, and are responsible for compliance with local laws, if and to the extent local laws are applicable.

Severability

If any provision of these terms shall be deemed unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions. The preceding terms and conditions represent the entire agreement between Adviser, on the one hand, and you, on the other, relating to the subject matter hereof.

Privacy Policy

Last Updated: April 28, 2020

Federal, State and Local as well as Global requirements mandate that certain financial institutions, including registered investment advisers, provide notice to  customers about their privacy policies, establish conditions under which they may disclose non-public personal information about consumers to unaffiliated third parties and restrict their ability to use consumer information received from affiliates for marketing. Quad-C (the “Firm”) is committed to (i) safekeeping personal information collected from potential, current and former investors and (ii) safeguarding against the unauthorized acquisition or use of unencrypted data or encrypted electronic data regarding each investor.

To this end, we implement, maintain, review and revise, as necessary, a comprehensive information security program. The primary objectives are to identify and assess any and all reasonably foreseeable internal and external risks to the security, confidentiality and integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of current safeguards for limiting such risks.

To this end, Quad-C:

  • conducts ongoing employee training,
  • sets policies for employees relating to the storage, access and transportation of investor records and personal information,
  • reviews the scope of security measures at least annually,
  • reasonably monitors its information systems, including for unauthorized use or access, and
  • reasonably reviews and tests electronic encryption and other elements of its computer security system (including its secure user authentication protocols, secure access control measures and system security agent software).

The Firm's Chief Compliance Officer reviews all contractual relationships with third party service providers engaged by Quad-C to ensure adequate protections are in place with respect to the safeguarding of personal information.

Quad-C collects and keeps only such information that is necessary for it to provide the services requested by its investors and to administer its investors’ business with Quad-C. For instance, Quad-C may collect nonpublic personal information (such as name, address, social security number, source of funds) from investors when they complete a subscription or other form. Quad-C may also collect nonpublic personal information from investors or potential investors as a result of transactions with Quad-C, its affiliates, its investors or others.

Quad-C only shares the nonpublic personal information of its investors with unaffiliated entities or individuals (i) as permitted by law and as required to provide services to Quad-C’s investors, such as with representatives within our firm, securities clearing firms, insurance companies and other service providers of Quad-C, or (ii) to comply with legal or regulatory requirements.

Companies hired to provide support services to Quad-C are not allowed to use personal information for their own purposes and are contractually obligated to maintain strict confidentiality. When Quad-C provides personal information to service providers, it requires these providers to agree to safeguard such information, to use the information only for the intended purpose and to abide by applicable law.

Quad-C does not (x) provide personally identifiable information to mailing list vendors or solicitors for any purpose or (y) sell information relating to its investors to any outside third parties.

Only employees with a valid business reason have access to investors’ personal information. These employees are educated on the importance of maintaining the confidentiality and security of such information and are required to abide by Quad-C’s information handling practices. Quad-C employs reasonable procedures to prevent terminated employees from accessing records containing personal information.

Quad-C maintains security standards to protect investors'; information, whether written, verbal, or electronic. To that end, Quad-C restricts access to nonpublic personal information to personnel who need to know such information in order to provide services to investors. Quad-C also maintains reasonable restrictions on physical access to records containing personal information and stores such records in secure facilities.

Should an investor send Quad-C a question or comment via e-mail, Quad-C will share the investor's correspondence only with those employees or agents most capable of addressing the investor's question or concern. All written communications pertaining to such question or comment will be retained by Quad-C until such time as Quad-C believes (in its good faith judgment) that it has provided the investor with a complete and satisfactory response. After that time, Quad-C will archive it according to the requirements of applicable securities laws.

Please note that, unless expressly advised otherwise, Quad-C's e-mail facilities do not provide a means for completely secure and private communications. Although every attempt will be made to keep investor information confidential, from a technical standpoint, there is still a risk. For that reason, investors should be advised not to use e-mail to communicate information to Quad-C that is considered to be confidential. Investors should also be advised that, if they wish, communications with Quad-C may be conducted via telephone, facsimile or secure email and that additional security is available to investors if they equip their Internet browser with 128-bit “secure socket layer” encryption, which provides more secure transmissions.

Quad-C recognizes and respects the privacy concerns of its potential, current and former investors. Quad-C is committed to safeguarding this information. As a member of the financial services industry, Quad-C provides this Privacy Policy for informational purposes to investors and employees and will distribute and update it as required by law. The Privacy Policy is also available upon request.

Quad-C imposes reasonable disciplinary measures, which may include termination, for violations of its Privacy Policy.

General Data Protection Regulation Policy

The General Data Protection Regulation ("GDPR" - EU 2016/679) came into effect on May 25, 2018, and replaced the Data Protection Directive (95/46/EC).

The GDPR applies to all firms that process personal data for European Domiciled persons.

Although Quad-C has previously been subject to, and has complied with, data protection requirements, the GDPR sets higher requirements on the obligations of firms and the processing of personal data for European Domiciled persons. The regulatory body that is responsible for implementing and enforcing GDPR is the Information Commissioner’s Officer (“ICO”).

Applicability to Quad-C

Personal data is any information relating to an identified or identifiable European natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a file reference etc. Processing includes, but is not limited to, collecting, storing and using personal data. For the purposes of the GDPR, Quad-C will be primarily a ‘data controller’ but will also process personal data.

This policy sets out Quad-C's policy for adherence to the GDPR and expected behaviors and applies to all Quad-C employees and outsourced service providers when personal data is processed. Unless specified to the contrary, any reference to Quad-C processing data can also be read to refer to third parties that process data on behalf of Quad-C.

Data Collection

Personal data can be collected by Quad-C in respect of:

  • Clients/investors (either actual or proposed)
  • Firms providing services to Quad-C

All personal data will be collected and processed in accordance with the ‘lawfulness of processing’ (‘legal basis’) obligations under the GDPR. Generally, personal data relating to clients/investors will be for the purposes of ‘legitimate interests.’ However, each case will be considered and determined in line with the ‘lawfulness of processing’ requirements. Where deemed appropriate e.g. for marketing purposes, then freely given specific consent will be requested. 

For these purposes ‘freely given’ means that the individual has made a positive decision to consent to the processing of their personal data.  As such, a pre-ticked box or a general statement etc. that consent is assumed will not be deemed to be freely given.

Where the provision of a service is conditional on consent being given to the processing of personal data that is not necessary for the provision of that service e.g. a requirement to consent to the receipt of marketing material then this will not be deemed to be freely given.

Personal data will be retained no longer than is necessary for the purposes for which it processed, subject to any legal or regulatory obligations imposed upon Quad-C.

Informing Data Subjects

When personal data is collected directly from the data subject then that individual will be provided with the information required under the GDPR at the time the personal data is collected. This includes a copy of the Firm’s Privacy Notice.

Where personal data is collected from someone other than the data subject then the latter will be informed of this in accordance with GDPR requirements.

Limitation of Data Collected and Purpose

The collection of personal data by Quad-C will be limited to that necessary for:

  • Providing services, including administration services, to clients/investors
  • Marketing, including newsletters

Special categories of data (“sensitive data”)

The GDPR imposes further requirements on the processing of sensitive data.  Such personal data includes ethnic origin, political opinions, criminal convictions and offences etc.  Quad-C neither collects nor processes such personal data.

Data Transfers

Quad-C makes use of services provided by various third parties (“outsourcing”).

Due diligence on these providers has been undertaken by Quad-C to ensure they are able to meet the standards expected by Quad-C. Some of these entities will be involved in the transfer of, and the processing of, personal data on behalf of the firm and as such will be “data processors.”

For such firms, the due diligence performed by Quad-C will include a review of the procedures and processes developed to ensure compliance with the GDPR and the security of personal data processed.  In addition, processing of personal data will be governed by a contract whose terms are in accord with that specified in GDPR.

Right of Data Subjects

The GDPR provides data subjects with the following rights:

  • An individual has the right to require ‘without undue delay’ rectification of inaccurate personal data (“right to rectification”).
  • An individual has the right to be forgotten, subject to the limited circumstances set out in GDPR, including when consent is withdrawn (“right to erasure”).
  • An individual has the right to restrict processing of personal data in certain circumstances including where the accuracy of the data is contested by the individual (“right to restriction of processing”).
  • An individual has the right to receive personal data concerning the individual and the right to have it transmitted to another data controller (“right to data portability”).
  • An individual can object to the processing of personal data which is being processed on the basis of ‘legitimate interest’ unless the controller demonstrates compelling legitimate grounds.  Where the processing is for direct marketing purposes then the controller must desist from any further processing for these purposes (“right to object”).
  • An individual has the right not to be subject to a decision based solely upon automated processing or profiling.

Not all of the above rights will be applicable to Quad-C business model e.g. ‘profiling’ and nor are they absolute e.g. the right to be forgotten will not apply to the extent that the processing is in compliance with a legal obligation. Quad-C will consider any such requests from data subjects on a case-by-case basis.

Communication with Data Subjects

Information provided to data subjects, whether as a result of the exercise of a data subject’s rights or when informing the individual that their personal data is being collected and its purpose, will be free of charge. However, where such requests are excessive or manifestly unfounded then Quad-C reserves the right to charge a reasonable fee.

Data Protection Officer

The appointment of a “Data Protection Officer” (DPO) is required for those firms that process large amounts of sensitive data or that undertake regular and systematic monitoring of data subjects.  As such this obligation does not apply to Quad-C.

The firm has appointed the CCO to:

  • Implement GDPR.
  • Oversee the firm’s continuing compliance with GDPR.
  • Act as the focal point for the notification of any personal data breaches.
  • Act as the firm’s contact person with the ICO.

Personal Data

Although this Policy is based upon the firm’s responsibilities under GDPR, all members of staff have a role to play in ensuring that Quad-C complies with these responsibilities.

While the GDPR provides for the imposition of administrative fines for breaches of its obligations of up to €20m (or 4% of worldwide total turnover if higher) it is also, under UK law, an offence for a person to obtain, disclose or retain personal data without the consent of the controller.

Any personal data breach(es) must be immediately reported to the CCO.  Where possible, such notifications should include:

  • The nature of the breach including categories and approximate number of data subjects concerned and data records concerned.
  • A description of the likely consequences of the personal data breach.
  • A description of any measures taken, or proposed, to address the data breach.
  • The firm is required to notify the ICO within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result to result in a risk to the rights and freedoms of natural persons.

Where it is deemed that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons then the data subjects must also be notified “without undue delay”. Exceptions to this requirement include:

  • When the data affected is e.g. encrypted so that the data is unintelligible to persons not authorized to access it;
  • If it would involve disproportionate effort, in which case a public communication, or similar measure, will be required; and
  • Where subsequent measures are taken to ensure that the high risk to the rights and freedom of data subjects is no longer likely to materialize.

The CCO will document and assess the breach to determine the need to alert data subjects and/or the ICO.  An assessment will also be made of the need to inform the ICO as the supervisory authority for Quad-C’s day-to-day activities.

Cayman Islands Data Protection Law 2017 Policy

Similar to, and based upon, the GDPR, the Cayman Islands Data Protection Law, 2017 (the “DPL”) is designed to regulate the processing of all personal data in the Cayman Islands and is enforced by the Office of the Ombudsmen (the “Ombudsmen”). The DPL applies to all entities that are established in the Cayman Islands or that process data there. The DPL therefore applies to Quad-C’s Cayman funds.

“Personal Data” is defined broadly to include any data relating to a living individual. Personal Data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual “Data Subject” in advance.​ The DPL gives individuals the right to access Personal Data held about them and to request that any inaccurate data be corrected or deleted. 

Similar to the GDPR, “Data Controllers” are defined as a person, firm or company who, alone or jointly with others, determines the purposes, conditions and manner in which any Personal Data is, or will be, processed. In an investment fund context, this would be the fund entity and, in some cases, the investment manager. Similarly, a “Data Processor” is a person, firm or company that processes Personal Data on behalf of the Data Controller but does not include an employee of the Data Controller.

Eight Data Principles

  • A data controller must comply with the following eight data protection principles.
  • Lawfulness, Fairness and Transparency. Personal Data shall be processed fairly. In addition, Personal Data may be processed only subject to certain conditions for lawful processing is met. Data Subjects also have the right to be informed.
  • Purpose Limitation. Personal Data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Data Minimization. Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
  • Accuracy. Personal Data shall be accurate and, where necessary, kept up to date.
  • Storage Limitation. Personal Data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  • Data Subject Rights. Personal Data shall be processed in accordance with the rights of Data Subjects under the DPL.
  • Integrity, Confidentiality and Security. Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
  • Cross-border Transfer. Personal Data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.

Conditions for lawful processing of personal data

Personal data cannot be processed unless at least one of these conditions is met.

  • Consent. The Data Subject has given consent to the processing. In order to be valid, consent needs to meet a number of tests.
  • Contract. The processing is necessary for the performance of a contract to which the individual Data Subject is a party; or the taking of steps at the request of the Data Subject with a view to entering into a contract. This condition does not apply to processing of an individual’s details who is not party to the contract.
  • Legal obligation. The processing is necessary for compliance with any legal obligation to which the Data Controller is subject, other than an obligation imposed by contract. The Ombudsman regards a “legal obligation” to refer to an obligation applicable under Cayman Islands law.
  • Vital interests. The processing is necessary to protect the vital interests (generally understood to mean matters of life and death) of the Data Subject.
  • Public functions. The processing is necessary for the exercise of public functions, namely the administration of justice; any functions conferred on any person by or under any enactment; any functions of the Crown or any public authority; or of any other functions of a public nature exercised in the public interest by any person.
  • Legitimate interests. The processing is necessary for the purposes of legitimate interests pursued by the Data Controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.

Cross-border Transfer

Pursuant to the eighth data protection principle, Cross-border Transfer, Personal Data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Countries regarded as ensuring an adequate level of protection includes the United States.

The DPL sets out certain transfers to which the prohibition of Cross-border Transfer of Personal Data under the eighth data protection principle does not apply:

  • Consent. The Data Subject has consented to the transfer. The comments in relation to consent as a possible lawful basis of processing apply equally to Cross-border Transfer.
  • Contract performance. The transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the taking of steps at the request of the Data Subject with a view to the Data Subject’s entering into a contract with the Data Controller.
  • Contract conclusion. The transfer is necessary for the conclusion of a contract between the Data Controller and a person other than the Data Subject, being a contract that is entered into at the request of the Data Subject, or is in the interests of the Data Subject; or the performance of such a contract.
  • Public interest. The transfer is necessary for reasons of substantial public interest.
  • Legal claim. The transfer is necessary for the purpose of, or in connection with, any legal proceedings, for the purpose of obtaining legal advice; or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  • Vital interests. The transfer is necessary in order to protect the vital interests of the Data Subject.
  • Public register. The transfer is part of the Personal Data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer.
  • Approved terms. The transfer is made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the rights and freedoms of Data Subjects.
  • Authorized transfer. The transfer has been authorized by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of Data Subjects.
  • International cooperation arrangements. The transfer is required under international cooperation arrangements between intelligence agencies to combat organized crime, terrorism or drug trafficking.

Rights of Data Subjects

The DPL sets out a number of rights of individual Data Subjects.

  • Individuals have the right to access their own Personal Data and receive information about its use. To do so, individuals must make a subject access request (SAR) in writing. A Data Controller has 30 days to respond to a request and cannot impose a fee to deal with a request except in exceptional circumstances.
  • Individuals have a right to have inaccurate Personal Data rectified, blocked, erased or destroyed.
  • The DPL introduces a right for individuals to demand that processing cease. However, this right is not absolute.
  • The DPL introduces an absolute right for individuals to demand that direct marketing cease or not begin. Direct marketing is defined as the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.
  • Where a decision is made solely by automated means (without human involvement), an individual has the right to require that it be reconsidered on a different basis.
  • An individual has the right to complain to the Ombudsman about any perceived violation of the DPL, and to seek compensation for damages in the courts.

Data privacy notice

Personal Data shall not be treated as processed fairly unless the Data Subject has, as soon as reasonably practicable, been provided with, at a minimum, the identity of the Data Controller and the purpose for which the data are to be processed. The term “as soon as reasonably practicable” means at the time Personal Data is gathered. Therefore Quad-C’s will typically include a “DPL Privacy Notice” within its subscription agreement or equivalent.

Data security, integrity and confidentiality

Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. Compliance with the DPL overlaps to a significant degree with Quad-C’s Regulation S-P compliance and cybersecurity measures.

Personal data breaches

A “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or, access to, personal data transmitted, stored or otherwise processed. A Data Controller must notify the Ombudsman and the affected Data Subject(s) of a Personal Data Breach without undue delay (but no longer than five (5) days after the Data Controller should, with the exercise of reasonable diligence, have been aware of that breach). The notification should include specified information including but not limited to a description of the nature and consequences of the breach, the measures proposed or taken by the Data Controller to address it and the measures recommended to mitigate the possible adverse effects of the breach.

Quad-C’s has a plan for dealing with how a breach would be identified and handled in practice and has robust breach detection, investigation and internal reporting procedures in place.

Appointment of a Data Protection Officer

The DPL does not require the appointment of an official data protection officer. However, since Quad-C’s has appointed a DPO for purposes of GDPR compliance, Quad-C’s DPO will also be responsible for the Firm’s compliance with the DPL.