The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data.
Sarah Place Accountants Limited is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows: Unit 4B, Boldero Road, Bury St Edmunds, Suffolk, IP32 7BS. Telephone: 01284 747139. Email: firstname.lastname@example.org
We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.
Where we act as a data processor on behalf of a data controller (for example, when processing payroll), we provide an additional schedule setting out required information as part of that agreement. That additional schedule should be read in conjunction with this privacy notice.
The purposes for which we intend to process personal data
We intend to process personal data for the following:
To enable us to supply professional services to you as our client.
To fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
To comply with professional obligations to which we are subject as a member of the ATT.
To use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.
To enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen.
The legal bases for our intended processing of personal data
Our intended processing of personal data has the following legal bases:
At the time you instructed us to act, you gave consent to our processing your personal data for the purposes listed.
The processing is necessary for the performance of our contract with you.
The processing is necessary for compliance with legal obligations to which we are subject (e.g. MLR 2017).
It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.
For individuals, we collect the client’s full name and title, marital status, gender, home address, date of birth, National Insurance number, Unique Taxpayers Reference, email address(es), mobile and home telephone numbers.
For businesses, incorporated or otherwise, which may also include individuals, we collect the business name and address, business and mobile telephone numbers, email address, Government Gateway username and passwords and, at times, HMRC shared secrets , VAT registration number and quarter dates, PAYE reference and PAYE accounts office reference, and the business accounts year end.
We collect for each individual and business client their main banker and related account number and sort code.
For incorporated businesses, we also collect their Registered Office address, date of incorporation, Companies House number and Companies House authentication code.
We collect other information about our clients e.g. the source of the introduction, the date they became a client and the date of our engagement letter.
Not all of the personal information Sarah Place Accountants Limited holds about clients will always come directly from clients. Some data is provided to us about clients from third parties e.g. HMRC, Companies House or other accountants e.g. when they provide professional clearance and transfer of information on change of appointment.
Persons/organisations to whom we may give personal data
We do not share client data with third parties for marketing purposes.
We do not share or pass client details to another organisations unless this is required as part of our agreed services. The main organisations that we will provide such details to are H M Revenue & Customs (HMRC) and Companies House. Any information passed to them is provided solely in order to provide our agreed client services e.g. completion of Financial Statements, Tax Returns, payrolls etc.
Any information that we do share with another organisation will be in a way that clients would expect of us and where we have client authority, either expressly given or implied through the context of the data shared e.g. provision of financial data about the client to a potential loan provider to the client.
Data about clients is only given to law enforcement agencies when we are legally required to do so.
We will never sell client data and we promise to keep such details safe and secure to the best of our ability. At times, third parties e.g. loan providers or property rental businesses, or their appointed agents, may request details about clients. We will only provide information to these types of organisations if we have client authority to do so.
Client data is never passed to advertisers or other organisations to promote their own services to our clients.
Retention of personal data
When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of our records relating to you as follows:
where tax returns have been prepared it is our policy to retain information for 7 from the end of the tax year to which the information relates.
where ad hoc advisory work has been undertaken it is our policy to retain information for 6 years from the date the business relationship ceased.
where we have an ongoing client relationship, data which is needed for more than one year’s tax compliance (e.g. capital gains base costs and claims and elections submitted to HMRC) is retained throughout the period of the relationship, but will be deleted 6 years after the end of the business relationship unless you as our client ask us to retain it for a longer period.
Our contractual terms provide for the destruction of documents after 7 years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.
You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us. Documents and records relevant to your tax affairs are required by law to be retained by you as follows:
Individuals, trustees and partnerships
with trading or rental income: five years and 10 months after the end of the tax year;
otherwise: 22 months after the end of the tax year.
Companies, LLPs and other corporate entities
six years from the end of the accounting period.
Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller.
Requesting personal data we hold about you (subject access requests)
We respect our clients’ right to access and control their data, and we will respond to requests for information and, where applicable, will correct, amend, or delete such personal information. Clients may have the right to request deletion of their personal data. However, this is not always possible due to legal requirements and other obligations and factors.
If clients request access to their personal data, we will gladly comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. We may charge a fee for providing a copy of client data, except where this is not permitted under the law.
If we hold any information about clients which is incorrect, or if any changes to the details held are required, then clients should let us know so that we can keep our records accurate and up to date.
Clients should write to us at our Registered Office address regarding the data that we hold about them.
Deleting your records (the right to erasure)
In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request.
The right to restrict processing and the right to object
In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can consider what action, if any, is appropriate.
Withdrawal of consent
Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.
the withdrawal of consent does not affect the lawfulness of earlier processing
if you withdraw your consent, we may not be able to continue to provide services to you
even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data)
Data Protection Officer
We have appointed Sarah Place to be the person responsible for data protection within the firm. Clients should contact her in writing at the firm.