Data Protection & Privacy Policy
- integratedaccounts
- May 23, 2020
Updated: Jan 20, 2021
Anti Money Laundering Legislation (AMLR)
All accountancy service providers must comply with the Proceeds of Crime Act 2002, the Terrorism Act 2000 and the Money Laundering Regulations 2017 (the “Anti Money Laundering Legislation”), which are intended to stop the activities of terrorists and other criminals by preventing them using accountancy services. If we do not comply with this legislation, we risk imprisonment.
Before we can act for your company, we have to confirm the identity of the people with significant control over your business (PSCs). At any time we may also need to obtain evidence confirming the identities of third parties, the source of any money or funding of property or other assets, and other matters.
We assume that our clients are honest and law abiding. However, if at any time we have grounds to suspect that crime is being committed, we are obliged to make a report to the National Crime Agency (NCA). We are prohibited by the legislation from telling you that we have done this. In such circumstances, we cannot do any work for your company without consent from the NCA.
‘Criminal property’ is money, property, other assets, rights or any benefit derived from criminal activity. Activity is considered ‘criminal’ if it is a crime under UK law, no matter how trivial. Tax evasion is a criminal offence but an honest mistake is not.
It does not matter who carried out the criminal activity. Even if you are honest in your dealings, if your property represents a benefit from someone else’s crime, we must still make a report.
Disclaimer: We will not be liable for any loss suffered by you or any third party as a result of our compliance with the Anti Money Laundering Legislation or any UK law.
DATA PROTECTION
In this section:
Data Controller, Data Processor, Data Subject, Personal Data, Personal Data Breach, international organisation and processing shall have the respective meanings given to them in the Data Protection Laws (and related expressions shall be construed accordingly).
Data Protection Laws means any applicable law relating to the processing, privacy and use of Personal Data including: the General Data Protection Regulation (EU) 2016/679 (GDPR); and any laws which implement such laws; any laws that replace, extend, re-enact, consolidate or amend any of the foregoing (provided that the impact of any such replacement, extension or amendment is agreed in writing by the parties).
Protected Data means Personal Data received from or on behalf of you or otherwise obtained in connection with the performance of our obligations under any letter of engagement or agreement between us.
Sub-Processor means any agent, sub-contractor or other third party engaged by us (or by any other Sub-Processor) for carrying out any processing of the Protected Data.
Compliance with Data Protection Laws
In the provision of the services to you, we are required to process your personal data and the personal data (and in some cases special categories of data) of your employees.
Where we are processing your employees’ personal data on your behalf, you are the Data Controller and we are the Data Processor. We shall process Protected Data in compliance with the obligations placed on us under any letter of engagement or agreement between us.
You shall at all times comply with the Data Protection Laws in connection with the processing of Protected Data. You confirm that you are entitled to transfer the Protected Data to us and any Sub-Processor in compliance with the Data Protection Laws and shall ensure all instructions given by you to us in respect of Protected Data shall at all times be in accordance with the Data Protection Laws.
Instructions
We shall only process (and shall ensure our personnel only process) the Protected Data in accordance with any letter of engagement or agreement between us (including the Annex) (and not otherwise unless alternative processing instructions are agreed between us in writing) except where otherwise required by applicable law (and in such a case we shall inform you of that legal requirement before processing, unless such applicable law prohibits us from so notifying you).
If we believe that any instruction received by us from you is likely to infringe the Data Protection Laws we shall inform you and be entitled to cease to provide the relevant Services until we have agreed appropriate amended instructions which are not infringing.
Security
Taking into account the state of technical development and the nature of processing, we shall implement and maintain the technical and organisational measures necessary to protect any Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure and/or access.
Sub-Processing and Personnel
You consent to our appointment of third party processors of Protected Data. We confirm we have entered into a number of written agreements with third party software providers on their standard terms of business to help us meet our obligations under this engagement.
We shall remain liable to you under any letter of engagement or agreement between us for all the acts and omissions of third party suppliers and each of their personnel as if they were our own and ensure that all persons authorised by us or any Sub-Processor to process Protected Data are subject to a written contractual obligation to keep the Protected Data confidential.
Assistance
We shall (at your cost) assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under Data Protection Laws) taking into account the nature of the processing and information available to us and assist you (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
We shall refer all requests and communications received from Data Subjects or any supervisory authority to you which relate to any Protected Data promptly (and in any event within 3 days of receipt) and shall not respond to any without your written approval and in accordance with your instructions unless and to the extent required by law.
International Transfers
We shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the European Economic Area unless your prior written consent has been obtained.
Records and Audit
We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with our obligations under a letter of engagement or any agreement between us. We shall permit audits by you (or another auditor appointed by you (provided such auditor has entered into a confidentiality undertaking with, and in terms reasonably acceptable to, us and such auditor is not our competitor)) for this purpose, subject to a maximum of one audit in any 12 month period.
Breach
We shall notify you without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Personal Data.
Deletion/Return
On ceasing to provide the Services relating to the processing of Protected Data, at your cost and option, we shall either return all of the Protected Data to you or securely dispose of the Protected Data except to the extent any applicable law requires us to store such Protected Data.
Data Processing Details
Our processing of the Protected Data under any letter of engagement or agreement between us shall be for the subject-matter, duration, nature and purposes and involve the types of personal data and categories of Data Subjects set out below:
1. Subject-matter of processing: We will process Protected Data in order to perform our obligations under any letter of engagement or agreement between us.
2. Duration of the processing: We will process the Protected Data for the term of our agreement (and any exit period) and thereafter as long as we are required to process any Protected Data pursuant to the Data Protection Legislation.
3. Nature and purpose of the processing: The nature and purpose of the processing of the Protected Data will be to perform our obligations under any letter of engagement or agreement between us.
4. Type of Personal Data: The types of Protected Data will be those detailed under the section of any letter of engagement or agreement between us titled "Payroll Preparation and PAYE".
5. Categories of Data Subjects: Customers/Clients
6. Specific processing instructions: To administer your accounts in accordance with your instructions and in accordance with the terms of any letter of engagement or agreement between us.
Technical and Organisational Security Measures
We shall implement and maintain the following technical and organisational security measures to protect the Protected Data:
In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with any letter of engagement or agreement between us, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, we shall implement appropriate technical and organisational security measures appropriate to the risk, including what is appropriate to those matters mentioned in Articles 32(a) to (d) of the GDPR.