GDPR Compliance Statement

How we protect your rights under data protection law

Our Commitment to Data Protection

Fabled Quarry Limited takes data protection seriously and is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a financial services firm, we handle sensitive personal and financial information with the utmost care and in accordance with applicable regulations.

Data Controller Information

For the purposes of data protection law, Fabled Quarry Limited is the data controller responsible for your personal information. Our contact details are:

Fabled Quarry Limited
45 Chancery Lane
London WC2A 1JE
United Kingdom
Email: [email protected]

Principles of Data Processing

We adhere to the core principles of GDPR in all our data processing activities. Your personal data will be:

  • Processed lawfully, fairly, and transparently: We only collect and use your data for legitimate purposes and with appropriate legal justification
  • Collected for specified, explicit purposes: We clearly communicate why we need your information
  • Adequate, relevant, and limited: We only collect data that is necessary for our stated purposes
  • Accurate and kept up to date: We take reasonable steps to ensure information is correct and current
  • Retained only as long as necessary: We maintain data only for the required period
  • Processed securely: We implement appropriate technical and organisational safeguards

Types of Personal Data We Process

In the course of providing financial planning and wealth management services, we process various categories of personal data:

Standard Personal Data

  • Identification information (name, date of birth, national insurance number)
  • Contact details (address, email, telephone)
  • Financial information (income, assets, liabilities, investment accounts)
  • Employment and professional details
  • Family and relationship information

Special Category Data

In some circumstances, we may process special category (sensitive) personal data, including health information when relevant to insurance or protection planning. We only process such data with your explicit consent or where permitted by law.

Lawful Basis for Processing

We process personal data only when we have a valid legal basis, which may include:

Performance of Contract

Processing is necessary to deliver the financial planning and investment services you have engaged us to provide. This includes analysing your financial situation, developing recommendations, implementing strategies, and managing your investments.

Compliance with Legal Obligations

As a firm authorised by the Financial Conduct Authority, we must process certain personal data to comply with regulatory requirements, including:

  • Client identification and verification (Know Your Customer)
  • Anti-money laundering checks
  • Record-keeping requirements
  • Regulatory reporting obligations

Legitimate Interests

We may process data based on our legitimate business interests, such as:

  • Maintaining and improving our services
  • Ensuring network and information security
  • Internal administration and business development
  • Fraud prevention and detection

We carefully balance our interests against your rights and will not process data in ways you would not reasonably expect.

Consent

Where required, we obtain your explicit, informed consent before processing your data. You may withdraw consent at any time, though this may affect our ability to provide certain services.

Your Data Protection Rights

Under GDPR, you have comprehensive rights regarding your personal information:

Right of Access

You can request a copy of the personal data we hold about you. We will provide this free of charge within one month of your request, along with information about how we use your data.

Right to Rectification

If you believe any information we hold is inaccurate or incomplete, you can ask us to correct or complete it. We will respond within one month and notify any third parties to whom we have disclosed the data.

Right to Erasure

You may request deletion of your personal data in certain situations, such as when it is no longer needed for the original purpose. However, this right is limited by our legal and regulatory obligations to retain certain records.

Right to Restriction of Processing

You can ask us to suspend processing of your data in specific circumstances, such as when you contest its accuracy or object to processing based on legitimate interests.

Right to Data Portability

Where technically feasible, you can receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another organisation.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use fully automated decision-making processes.

Exercising Your Rights

To exercise any of your data protection rights, please contact us in writing at:

Email: [email protected]
Post: 45 Chancery Lane, London WC2A 1JE

We will verify your identity before processing your request to ensure we protect your information from unauthorised disclosure. We aim to respond to all valid requests within one month, though complex requests may take up to three months with appropriate notification.

Data Security Measures

We implement stringent security measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage:

  • End-to-end encryption for data transmission and storage
  • Multi-factor authentication for system access
  • Regular security audits and vulnerability assessments
  • Strict access controls limiting data access to authorised personnel only
  • Employee training on data protection and security practices
  • Secure disposal procedures for obsolete data

International Data Transfers

We primarily process and store your data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognising equivalent data protection standards
  • Standard contractual clauses approved by the UK authorities
  • Binding corporate rules for transfers within multinational organisations

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
  • Inform affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and steps being taken
  • Implement measures to mitigate potential adverse effects

Data Protection Officer

While not legally required to appoint a Data Protection Officer, we have designated a senior staff member responsible for overseeing data protection compliance and handling related enquiries. You can contact them at [email protected].

Record Retention

We retain personal data in accordance with regulatory requirements and our legitimate business needs:

  • Client files: Minimum 6 years after the end of the client relationship (FCA requirement)
  • Enquiry records: Up to 3 years from last contact
  • Financial transaction records: Up to 7 years for tax purposes
  • Some records may be retained longer to address potential disputes or legal claims

When retention periods expire, we securely delete or anonymise personal data in accordance with our data retention schedule.

Third-Party Processors

We engage carefully selected third-party service providers who process personal data on our behalf. These processors are contractually bound to:

  • Process data only according to our documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist us in meeting GDPR obligations
  • Delete or return data when services end

Updates to This Statement

We may update this GDPR compliance statement periodically to reflect changes in our practices or legal requirements. Material changes will be communicated to clients directly, and the updated statement will be posted on our website.

Supervisory Authority

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

However, we encourage you to contact us first so we can address your concerns directly.

Questions and Contact

If you have questions about GDPR compliance or how we process your personal data, please contact us at [email protected]. We are committed to transparency and will gladly explain our practices in more detail.