GDPR Policy

General Data Protection Regulation Policy Statement

January 2023

In accordance with the GDPR we must ensure that the personal data we hold is:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it shall be used
  • accurate and kept up to date
  • kept in a form which permit identification of you for no longer than is necessary for the purposes for which we hold the data
  • processed in a manner that ensures appropriate security of the personal data

You understand and we confirm that it is our intention:

  • to hold & process your personal data to provide the accountancy, tax and general related services that you have instructed us to perform; to pass information to you relevant to our services & to offer related products or services that we believe may be of interest to you;
  • not to use the information for any other reason not instructed by you;
  • not to hold the information beyond the period necessary to provide you with those services and to meet the requirements of the official bodies (e.g. HMRC) to which we provide information on your behalf and that have specific time limits for the retention of information;
  • where we hold information beyond what may otherwise seem an obvious period, it will simply be to provide information that in our experience may be required of us e.g. if you transfer to another practice and this would seem an obvious trigger to delete data, we may retain certain information in anticipation of queries that may flow thereafter, but never for longer than would have been the case had you remained a client
  • never to pass data to a third party for processing beyond those explicit in our provision of services to you (e.g. HMRC & Companies House) without your specific instruction (e.g. in support of a mortgage application); where we utilise the services of a third party for data retention (e.g. web hosting) to ensure that their services are compliant with GDPR principles & requirements

The information we hold is only as good as that which you provide; please therefore let us know when there are changes to record e.g. change of address, change of bank account details (needed for HMRC refunds).

You have specific rights under the GDPR including:

  • “The right to rectification”. This includes:
    • the right to ensure that we rectify any inaccuracies in the data we hold and that it is complete
    • the right for supplementary statements to be put on record in case of dispute
    • rectification information must be passed to recipients of personal data unless impossible or involves disproportionate effort
    • we must inform you of the recipients if requested
  • You have the “right to be forgotten” by us if:
    • the processing is based on your consent and you withdraw consent
    • you object to the processing and there are no overriding legitimate grounds
    • your data has been unlawfully processed
    • your data has to be erased for compliance with a legal obligation
    • your data is no longer necessary in relation to the purposes for which it was collected

    • although this doesn’t apply if the use of personal data is required for:

    • compliance with a legal obligation
    • establishing, exercising or defending legal claims

You also have a “right to object” to the way information is held and processed, and this is an ‘absolute right’ in relation to direct marketing and marketing profiling. It is also a provisional right generally although this may not succeed if we can demonstrate compelling legitimate grounds e.g. for overriding your interests or for the establishment, exercise or defence of legal claims. We do not foresee any circumstances in which such a situation would arise.

We shall never make your personal data available to third parties for direct marketing or other processing purposes although we shall use your contact details to pass information to you that we believe may be of interest or assistance to you, as we believe this to be an essential part of the service we offer to clients (e.g. tax & budget updates).

We may also use your contact details to offer services from partner businesses but this information will always be directed through our own business communication paths such as email or letter and never from third parties.

You have a “right to know” matters such as:

  • our Data Controller; this is Michael Wilcox, Director, based at the Bath office
  • what personal data is in use (if not obtained from you)
  • the purpose and legal basis for using the personal data
  • how to withdraw your consent (where relevant); this being by contacting our Data Controller
  • the sources of data we hold (if not from you)
  • recipients or type of recipients of the data we hold (e.g. HMRC, Companies House, mortgage companies where so instructed)
  • whether information will be transferred outside of the EU; we confirm that it will not
  • how long the information will be held; we confirm this is in accordance with the statutory guidelines
  • that we process your personal data to meet a statutory requirement and in accordance with the agreement between us, and to provide appropriate information and offer services
  • that our services do not include any automated decision making or profiling; they do not

You have a “right to access to your own personal data” this to include:

  • having a copy of the personal data we hold on you within 1 month of your request, free of charge
  • having all of the ‘right to know’ information

You have a “right to restrict use of your personal data” by us, this to include:

  • when we need time to check a claim of inaccuracy by you
  • you oppose our erasure of unlawful personal data and request a restriction instead
  • we no longer need the data but you need it in relation to a legal claim
  • you have contested our claims of legitimate interests and we need time to check the matter

You have a “right to data portability”, this to include:

  • a right to receive your personal data in a structured, commonly used, and machine readable format
  • a right to transmit the data to another controller without hindrance from us. The data must be transmitted directly from us to the new controller where technically feasible.

Finally, we confirm:

  • that we seek to process your personal data for the reasons and services you have instructed;
  • that the data is held securely and where held by a third party (e.g. providing web hosting services) that the party is GDPR compliant and meets the related requirements;
  • that we do not make your personal data available to any external parties for processing except for those statutory bodies that you would expect or where you have specifically directed;
  • we shall process your data to enhance communications with you but only with a view to improving our service, your knowledge and understanding or to offer additional services that we believe will interest you.

You have the rights explained herein and more information can be obtained from the Information Commissioner’s Office:

M J Wilcox