GDPR: DATA PRIVACY NOTICE FOR CLIENTS AND SUPPLIERS
UKtaxadvisors.com Ltd (“We”) are committed to protecting and respecting your privacy.
This policy (together with our terms of engagement and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
UKtaxadvisors.com Ltd is a trading name of Churchill Taxation Ltd.
Data controller – A controller determines the purposes and means of processing personal data.
Data processor – A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Who are we?
UKtaxadvisors.com Ltd is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: UKtaxadvisors.com Ltd, 835 Birmingham New Road, Dudley, West Midlands, DY4 8AS, 01902 674492. For all data matters contact Stephanie Churchill on Stephanie.email@example.com.
- The purpose(s) of processing your personal data
We use your personal data for the following purposes:
- Processing and completing annual tax returns, registration with HMRC for self-assessment;
- Liaising with HMRC in relation to your personal tax affairs including HMRC enquiries;
- Processing payroll where instructed;
- Tax advice, preparation of reports;
- Registration of Trusts with HMRC and associated updates;
- Registration of New Companies with Companies House;
- Invoicing you for services performed;
- Retaining our accounting records for HMRC;
- For the purposes of implementing our credit control procedures;
- To fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
- To comply with professional obligations to which we are subject as a member of Chartered Institure of Taxation and Association of Accounting Technicians.
- To use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.
- To enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen.
- The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
- Personal data – name, address, email address, date of birth, National Insurance Number, Unique Taxpayer Reference, financial information, phone number and photographs.
We have obtained your personal data from you and H M Revenue & Customs.
- What is our legal basis for processing your personal data?
- Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
|☐ Consent of the data subject;|
|☐ Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract||ENGAGEMENT LETTER|
|☐ Processing necessary for compliance with a legal obligation||MONEY LAUNDERING REGULATIONS 2007|
|☐ Processing necessary to protect the vital interests of a data subject or another person|
|☐ Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller|
|☐ Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject||Investigating / Defending legal claims made against UKtaxadvisors.com Ltd|
- Sharing your personal data
Your personal data will be treated as strictly confidential, and we will only share personal data with others when we are legally permitted to do so.
We may share your personal data with:
- any third parties with whom you require or permit us to correspond
- an alternate appointed by us in the event of incapacity or death
- tax insurance providers
- professional indemnity insurers
- our professional body Chartered Institute of Taxation and Association of Accounting Technicians and / or the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS) in relation to practice assurance and/or the requirements of MLR 2017 (or any similar legislation)
We also use third parties to support us in providing our services to help provide, run and manage our internal IT systems. Examples include cloud based tax and accounting software and identity management. The servers facilitating that cloud infrastructure are located in secure data centres around the world and personal data may be stored in any of these. The third party providers we currently use for such services are detailed below:
|Taxcalc, Acorah Software Products Ltd||Software and cloud services||Rubra One, Mulberry Business Park, Fishponds Road, Wokingham RG41 2GY|
|Microsoft 365||Business applications (email, word, document management)||Microsoft Campus, Thames Valley Park, Reading, RG6 1WG|
|Kashflow Software||Software and cloud services||Ivybridge House, 1 Adam St, London WC2N 6LE|
|Toggl||Software and cloud services||Tartu maantee 25, Tallinn, Estonia|
|First Corporate Law Services||Software and cloud services||16 Churchill Way, Cardiff CF10 2DX|
|The Payroll Site||Software and cloud services||CP House, Otterspool Way, Watford, Herts, WD25 8HP|
|Dropbox||Cloud services and document management||Dropbox Headquarters 185 Berry St. Ste. 400 San Francisco, CA 94107|
|GoCardless||Cloud services||Sutton Yard, Goswell Rd, London EC1V 7EN|
|Docusign Inc||Document management and distribution||Broadgate Quarter, 9 Appold Street, 2nd Floor, London
|Creditsafe||Software and cloud services||Van Rd, Caerphilly CF83 3GR|
|Veriphy Ltd||Software and cloud services||68 Jesmond Rd W, Newcastle upon Tyne NE2 4PQ|
|Inksmoor Finance Group Ltd||Credit control services||Oak House, Bromyard Rd, Worcester WR2 5HP|
If the law allows or requires us to do so, we may share your personal data with:
- the police and law enforcement agencies
- courts and tribunals
- the Information Commissioner’s Office (“ICO”)
We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties we may need to cease to act.
- How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary and we only retain your data for the following purposes and use the following criteria to determine how long to retain your personal data:
Where the data is held for the purposes of establishing your identity under the Money Laundering Regulations 2007, we are required by law to hold this information until the fifth anniversary of the date that our business relationship terminates. Our business relationship will be considered terminated by us if a disengagement letter has been issued, or you have advised us in writing that our services are no longer required.
We are required to keep accounting records for six financial years after the accounting period in which our business relationship terminates. We will therefore need to retain your name, address and contact details until this date in order to satisfy our record keeping requirements imposed by HMRC.
Our contractual terms provide for the destruction of documents after 7 years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.
You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us. Documents and records relevant to your tax affairs are required by law to be retained by you as follows:
Individuals, trustees and partnerships
- with trading or rental income: five years and 10 months after the end of the tax year;
- otherwise: 22 months after the end of the tax year.
Companies, LLPs and other corporate entities
- six years from the end of the accounting period.
Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller at the termination of the contract.
- Providing us with your personal data
We require your personal data as it is a statutory requirement necessary to enter into a contract with you. We also require your personal data in order to fulfil our contract with you.
- Requesting personal data we hold about you (subject access requests)
You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”).
Please provide all SARs in writing marked for the attention of Stephanie Churchill.
To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:
- your date of birth
- previous or other name(s) you have used
- your previous addresses in the past five years
- personal reference number(s) that we may have given you, for example your national insurance number, your tax reference number or your VAT registration number
- what type of information you want to know
If you do not have a national insurance number, you must send a copy of:
- the back page of your passport or a copy of your driving licence; and
- a recent utility bill.
DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).
We will not charge you for dealing with a SAR.
You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.
Where you are a data controller and we act for you as a data processor (e.g. by processing payroll), we will assist you with SARs on the same basis as is set out above.
- Putting things right (the right to rectification)
You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed. Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.
- Deleting your records (the right to erasure)
In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request.
- The right to restrict processing and the right to object
In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can consider what action, if any, is appropriate.
- Obtaining and reusing personal data (the right to data portability)
In certain circumstances you have the right to be provided with the personal data that we hold about you in a machine-readable format, e.g. so that the data can easily be provided to a new professional adviser. Further information is available on the ICO website (www.ico.org.uk).
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means
We will respond to any data portability requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.
- Withdrawal of consent
Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.
- the withdrawal of consent does not affect the lawfulness of earlier processing
- if you withdraw your consent, we may not be able to continue to provide services to you
- even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data)
- Transfer of Data Abroad
We may transfer the personal information that we collect from you to a destination outside of the UK and, in some cases, outside of the European Economic Area (EEA) if necessary for the processing purposes we have described above (including where we transfer your personal information to third parties). By submitting your personal information, you agree to this transfer, storing or processing.
We will ensure, where your personal information is transferred to third parties or outside of the EEA, that appropriate measures are in place to protect your personal information and ensure that it is processed in accordance with the Act at all times.
- Automated Decision Making
We do not use any form of automated decision making in our business.
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
- How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact our Data Protection Officer on Stephanie.firstname.lastname@example.org.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.