We comply with the EU GDPR regarding data protection. We do not collect or process any personal data from visitors to our website. If you contact us to request a meeting or use our services, and provide us with your personal data, by providing this information you consent to us having and handling this data.
We will keep all such data according to the standards set out below.
The data privacy policy below is provided for the benefit of current and potential clients. It explains how we fulfil our obligations of the GDPR, how we process the personal data of clients, and what their rights are.
DATA PROTECTION AGREEMENT –EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation was introduced in May 2018.
LAWFUL BASIS FOR PROCESSING DATA
Before undertaking work for clients, we agree a signed contract known as a “letter of engagement”.
The processing of personal data is necessary for us to fulfil this contract.
Before agreeing this contract, we may hold your data for a short period of time because you have provided us with the data and asked us to act on your behalf but have not yet agreed the written contract.
INTENDED PURPOSES FOR PROCESSING DATA
To fulfil services agreed in your letter of engagement and comply with regulations and laws set out by English law, HMRC, anti-money laundering laws and Companies House.
SOURCE OF PERSONAL DATA
All personal data we hold will be supplied by you, the client, or your previous accountant. We do not source your personal data from anywhere or anyone else.
DATA WE HOLD AND WHO HAS ACCESS
It is necessary for us to hold and process certain personal data about our clients. This includes, but is not limited to, the following: name, date of birth, address, national insurance number, contact details, UTR and other tax reference numbers, business name and details, bank details (in cases of tax repayment requests), and details of business capital funding and personal circumstances. We do not store or process any special category data or criminal offence data.
We regularly review the data we hold for you and destroy any that is not necessary.
Data is stored securely on site and only accessed by John Leach. When sensitive information needs to be transmitted by email, such as payslips, or tax returns, these are password protected for additional security.
THIRD PARTY DATA SHARING
It is often necessary for us to share or store your personal information with third parties. Depending on which services we provide to you, these may include: HMRC, Companies House, our software providers and pension providers. We check all of our third party providers to ensure that they too comply with the GDPR.
We will not share your information with any third parties unless it is necessary in order for us to fulfil the services we have agreed to provide for you or fulfil legal obligations.
DATA STORAGE AND DESTRUCTION
HMRC require us to keep information relating to tax returns for five years after 31st January deadline of the relevant tax year. They require us to keep information relating to company returns for 6 years from the end of the last company financial year they relate to, or longer in some circumstances.
Unless you instruct us not to, we intend to destroy correspondence and other papers that we store after this date, other than documents which we think may be of continuing significance. If you require the retention of any document, you must notify us of that fact in writing.
We store all paper and electronic documentation securely and use up to date anti-virus software, and encryption to ensure that digital files are kept secure.
To ensure that we do not hold any information that is not necessary or required, we aim to return all paper documentation e.g. receipts, bank statements, invoices, to you as early as possible after we have used them for the agreed purpose, i.e. completion of your VAT return or tax return. All electronic information that you have supplied will be deleted once we have used it for the agreed purpose. You are then obliged by HMRC to keep these records for the time stated above.
YOUR RIGHTS
RIGHT TO BE FORGOTTEN – You may contact us at any time to request that all your personal data be forgotten. We have 28 days to respond to this request. This right is not absolute, and we will decide whether or not we can comply, depending on whether this request conflicts or contradicts with our existing obligations to HMRC, English law and regulatory bodies.
If you do not agree with our decision you can submit a complaint to the ICO at https://ico.org.uk.
RIGHT TO RESTRICT PROCESSING – You may contact us at any time to request restriction or suppression of your personal data so that we can store it but not process it. We have 28 days to respond to your request.
RIGHT TO TRANSFER DATA – You may request to transfer your information to a new accountant or to use yourself. If you terminate your contract with us, we will issue a “letter of disengagement”. At this time we will provide you (or your new accountant) with all the data we hold for you. The responsibility to keep this data under HMRC guidelines will then be yours.
RIGHT OF ACCESS – You may at any time request access to all the personal information that we hold for you. We will comply and send you all the information we hold about you within 28 days. This allows us an acceptable amount of time to gather the paper and electronic information and arrange to deliver it to you securely.
RIGHT TO RECTIFICATION – You may at any time request that we rectify incorrect or incomplete personal data that we hold or process for you.
DATA PROTECTION BREACH
Should we suffer a breach and your personal data is at risk, we will notify the ICO and yourself within 72 hours.
ICO REGISTRATION
We are registered with the Information Commissioner’s Office, the UK’s data protection authority. If you believe we are not protecting or processing your data correctly, or that we are not conforming to the GDPR standards, you can lodge a complaint with the ICO through their website: https://ico.org.uk
