The Data Protection officer is Mark Ashfield (DPO), who can be contacted about anything to do with your personal data and data protection, including to make a subject access request, using the following details:
Email address: [email protected]
Postal address: Highdown House, 11 Highdown Road, Leamington Spa, Warwickshire CV31 1XT
Telephone number: 01926 422 292
The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) requires organisations that process personal data to meet certain legal obligations. We are a data controller within the meaning of the Act and we process personal data.
We are committed to complying with the requirements of the DPA and GDPR. As a result we confirm that personal information we process will only be held (or otherwise processed) to the extent necessary in order to provide the agreed professional services and for any other purpose specifically agreed.
We are entering into a contract with you and will be processing data in order to fulfil our contractual obligations. In order to provide the agreed services we need to collect, retain and process personal data about you. This data is needed in order to:
If the information required is not provided, we may not be able to provide the required services which would trigger the disengagement provisions in the terms and conditions.
The personal data that we will collect and process will include:
We collect information that is supplied about you from:
We may use information we hold about you:
We will retain records based on our retention policy so that we can defend ourselves against potential legal claims or disciplinary action which can be brought within statutory time limits.
We may also use information from other people or organisations when carrying out these activities.
There is no automated decision-making involved in the use of your information and therefore no automatic data portability.
Where we use subcontractors they will comply with General Data Protection Regulation (GDPR) requirements.
Personal data may be processed on a contract basis under the engagement letter and provision of services agreements.
Personal data may be processed on a consent basis when meeting clients’ wider expectations of my/our professional relationship.
Personal data may be processed on the legal obligations and/or public interest bases in order to comply with legal requirements.
Personal data may be processed in order to further our legitimate interests.
We may transfer personal data we collect about you to the following countries; USA, Australia, New Zealand, in order to perform our contract with you.
Before agreeing to transfer data outside the UK we check to ensure that there are adequacy regulations under the Data Protection Act 2018 in relation to each country which ensures that their regulations will be deemed to provide an adequate level of protection for your personal information for the purpose of the UK Data Protection Legislation.
Where there are no adequacy regulations we have binding contractual agreement with the relevant third parties to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the UK Data Protection Legislation.
In order for us to provide the agreed services, we may provide personal data about you to:
We need to give information to these other parties in order to fulfil our contractual obligations to you and therefore it is not possible to opt out of the provision of information to these parties. If you ask us not to provide information we may need to cease to act.
If the law allows or requires during the period of our contractual arrangements or after we have ceased to act we may give information about you to:
In addition, after we have ceased to act we may give information about you to:
We have put in place appropriate and proportionate security measures to address the risk of personal data being lost, used, altered or accessed in an unauthorised way. We limit access to personal data to those who have a business need to access it, and who will only process the personal data on our instructions.
Nevertheless, no data transmission over the internet, or any other network, can ever be regarded as wholly secure, and we have in place measures to deal with any suspected breach of data security. Those measures include policies and procedures, which are periodically reviewed to ensure they are effective and fit for purpose.
When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of records relating to you as follows:
Requests to see records and other related information that the firm holds about you are known as ‘subject access requests’ (SAR). We have set out further details on SARs below.
Please provide all requests in writing to the individual at the top of this notice.
To help provide the information on a timely basis you may need to provide copies of id and proof of address.
Asking someone else to make a subject access request on your behalf
You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to do this. This is usually a letter signed by you stating that you authorise the person concerned to write to for information about you, and/or receive our reply.
The law allows us to refuse your request for information in certain circumstances – for example, if you have previously made a similar request and there has been little or no change to the data since the original request.
The law also allows us to withhold information where, for example, release would be likely to:
Where we are unable to consent to your request we will set out the reasons in writing.
Should information you have previously supplied to us be incorrect, please inform us immediately so we can update and amend the information we hold.
In certain circumstances it is possible for you to request us to erase your records and further information is available on the ICO website (www.ico.org.uk). If you would like your records to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure and if applicable we will supply you with the reasons for refusing your request.
In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. For further information refer to the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can take the appropriate action.
Where you have consented for us to contact you with details of other services we provide we may continue to process your data and contact you for that purpose after our contractual relationship ends. You may withdraw consent for the firm to contact you in relation to details of other services we provide at any time during the performance of the contract or thereafter. We will then cease to process your data but only in connection with contacting you with details of other services we provide. Note that the withdrawal of consent does not make the other bases on which we are processing your data unlawful. We will therefore still continue to process your data under the terms of our contract and for other reasons set out in this privacy notice.
The right to data portability only applies:
You may be able to request your personal data in a format which enables it to be provided to another organisation. We will respond to any requests made without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.
If you have any questions or concerns regarding our processing of personal data, please email our Data Protection Officer (see contact details above). If you are dissatisfied with the response, then you can refer to the ICO:
Information Commissioner’s Office
Telephone – 0303 123 1113 (local rate) or 01625 545 745
Website – https://ico.org.uk/make-a-complaint/
You can also complain to our professional body – Institute of Chartered Accountants in England and Wales (ICAEW).