PRIVACY NOTICE

Introduction

The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data.

JECC Accountants is a data controller within the meaning of the GDPR and we process personal data. If you have any questions about this privacy notice or how we handle your personal data, please contact our Data Protection Office via email at info@jeccaccountants.co.uk.

We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

Personal data we may collect

We may collect and process the following categories of personal data:

  • Identity information (such as name, date of birth, nationality, and identification documents)

  • Contact information (including address, email address and telephone number)

  • Tax information (such as National Insurance number, Unique Taxpayer Reference, VAT details and HMRC correspondence)

  • Financial information (including income, expenditure, bank details for HMRC refunds, accounting records and transaction data)

  • Business information (including company details, directors, shareholders and persons with significant control)

  • Employment and payroll information (if applicable)

How we collect personal data

We collect personal data in a number of ways, including:

  • Directly from you when you request a proposal

  • From information you provide via forms, email, telephone or accounting software

  • From third parties and/ or publicly available information (such as HMRC, Companies House, banks, your previous adviser)

  • From identity verification and anti-money laundering checks, where required to comply with our legal obligations

The purposes for which we intend to process personal data

We intend to process personal data for the following purposes:

  • To enable us to supply professional services to you as our client.

  • To fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).

  • To comply with professional obligations to which we are subject as a member of .

  • To use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.

  • To enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen.

  • To contact you about other services we provide which may be of interest to you if you have consented to us doing so.

Lawful basis for processing personal data

We process personal data based on one or more of the following:

  • Where you have given us  permission to process your personal data for a specific purpose.

  • Where processing is necessary to carry out pre-contractual steps before entering into a contract.

  • Where processing is necessary for the performance of our contract with you and to provide our professional services.

  • Where processing is required to comply with legal or regulatory obligations (e.g. MLR 2017).

  • Where processing is necessary for our legitimate interests (or those of a third party), provided it does not unfairly impact your own interests.

It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.

We may share your personal data with:

  • HMRC

  • Companies House

  • our professional body in relation to practice assurance and/or the requirements of MLR 2017 (or any similar legislation)

  • Identity verification and anti-money laundering service providers, in order to meet our obligations under MLR 2017

  • Cloud software and IT service providers used in delivering our services

  • Payroll and pension providers, where we provide payroll services

  • Our professional indemnity insurers, their lawyers and other advisers.

  • any third parties with whom you require or permit us to correspond

If the law allows or requires us to do so, we may share your personal data with:

  • The police and law enforcement and other government agencies

  • Courts and tribunals

  • The Information Commissioner’s Office (“ICO”)

We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you and for our and others legitimate interests including of society as a whole. If you ask us not to share your personal data with such third parties we may need to cease to act.

We use certain Cloud based systems to handle your personal data including Xero, Adfin, Brevo, Xama. This list is not exhaustive. If you need more information, contact our Data Protection Office.

Transfers of personal data outside the EEA

We use servers in the UK/EEA to process your personal data.

However,  there may be occasions when we may have to use, or our third party suppliers use, services that host your information outside the United Kingdom or European Union or other approved countries. When this occurs, we will use reputable suppliers that have gone through information security due diligence, have contractual clauses about the required standard of data processing, and meet legally approved requirements that your information is looked after to a standard as if it were in the UK. For more information about this please contact us using the Contact Us section below.

Retention of personal data

When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of our records relating to you as follows:

  • Where tax returns have been prepared it is our policy to retain information for 7 years from the end of the tax year to which the information relates.

  • Where ad hoc advisory work has been undertaken it is our policy to retain information for 7 years from the date the business relationship ceased.

  • Where we have an ongoing client relationship, data which is needed for more than one year’s tax compliance (e.g. capital gains base costs and claims and elections submitted to HMRC) is retained throughout the period of the relationship, but will be deleted 7 years after the end of the business relationship unless your employer as our client ask us to retain it for a longer period or there is some other legal hold on the data.

Our contractual terms provide for the destruction of documents after 7 years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.

You are responsible for retaining information that we send to you and this will be supplied in the form agreed between us. Documents and records relevant to your employer’s tax affairs are required by law to be retained as follows:

Partnerships:

  •  with trading or rental income: five years and 10 months after the end of the tax year;

  •  otherwise: 22 months after the end of the tax year.

Companies, LLPs and other corporate entities:

  •  six years from the end of the accounting period.

Where we act as a data processor as defined in the DPA 2018, we will delete or return all personal data to the data controller at the termination of the contract, except for data we are required to retain to comply with statutory obligations (such as accounting or tax records). Any retained data will be securely stored for the minimum period required by law.

Your rights 

Under the UK GDPR, you have a number of rights in relation to your personal data. These include the right to:

  • request access to the personal data we hold about you

  • request correction of inaccurate or incomplete data

  • request deletion of your personal data in certain circumstances

  • restrict or object to the processing of your personal data in certain circumstances

  • request the transfer of your personal data to another service provider

  • withdraw consent where processing is based on consent

Requests to exercise any of these rights can be sent to our Data Protection Office via email at info@jeccaccountants.co.uk.

We will respond to any request without undue delay and normally within 1 month. In some circumstances, we may be entitled to refuse or limit a request, for example where we are legally required to retain information or where exemptions apply. Where this is the case, we will explain our reasons.

Automated decision-making

We do not intend to use automated decision-making in relation to your personal data.

Contact Us

If you have requested details of the information we hold about you and you are not satisfied with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can contact us at info@jeccaccountants.co.uk.

If you are not satisfied with our response, you have a right to lodge a complaint with the ICO (www.ico.org.uk).