Privacy Policy

GDPR - General Data Protection Regulations as enacted in the Data Protection Bill 2017

We are committed to ensuring the protection of the privacy and security of any personal data which we process. Your attention is drawn to the paragraphs below which details how we treat personal data received by us in the provision of our services during our engagement with you.

This firm is registered with the Information Commissioner with regard to the processing and holding of personal data. Personal data will therefore be processed in the course of our professional dealings with yourselves in accordance with the relevant provisions of the Data Protection Bill 2017, as detailed in the clauses below. We consider that the lawful basis for the holding and processing of the personal data is to allow us to fulfil our contract with you in respect of the agreed services provided. The Data Controller for this firm is Bruce Roberts.

We confirm that we will comply with the provisions of the Data Protection Bill 2017 when processing personal data about you, your directors and employees and your/their family. In order to carry out the services of this engagement and for related purposes such as updating and enhancing our client records, analysis for management purposes and statutory returns, legal and regulatory compliance and crime prevention we may obtain, process, use and disclose personal data about you.

In the following clauses, these definitions will apply:

‘client personal data’ means any personal data provided to us by you, or on your behalf, for the purpose of providing our services to you, pursuant to our engagement letter with you;

‘data protection legislation’ means all applicable privacy and data protection legislation and regulations including PECR, the GDPR and any applicable national laws, regulations and secondary legislation in the UK relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time;

‘controller’, ‘data subject’, ‘personal data’, ‘personal data breach’, ‘processor’, ‘process’ and ‘supervisory authority’ shall have the meanings given to them in the data protection legislation;

‘GDPR’ means the General Data Protection Regulation ((EU) 2016/679); and

‘PECR’ means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).

Where we act as a data processor on behalf of a data controller, the following clause will be applicable:

1.1 We shall both comply with all applicable requirements of the data protection legislation. This clause is in addition to, and does not relieve, remove or replace, either of our obligations under the data protection legislation.

1.2 We both acknowledge that for the purposes of the data protection legislation, you are the data controller and we are the data processor. A separate schedule sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of personal data and categories of data subject.

1.3 In respect of the client personal data, unless otherwise required by applicable laws or other regulatory requirements, we shall:

a. process the client personal data only in accordance with your lawful written instructions, in order to provide you with the services pursuant to our engagement with you and in accordance with applicable data protection legislation;

b. disclose and transfer the client personal data to members of our firm’s network, our regulatory bodies or other third parties (for example, our professional advisors or service providers) as and to the extent necessary in order to provide you with the services pursuant to our engagement with you in relation to those services;

c. disclose the client personal data to courts, government agencies and other third parties as and to the extent required by law;

d. maintain written records of our processing activities performed on your behalf which shall include: (i) the categories of processing activities performed; (ii) details of any on cross border data transfers outside of the European Economic Area (EEA); and (iii) a general description of security measures implemented in respect of the client personal data;

e. maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of any client personal data and against accidental loss or destruction of, or damage to, such client personal data.

f. return or delete all the client personal data upon the termination of the engagement with you pursuant to which we agreed to provide the services;

g. ensure that only those personnel who need to have access to the client personal data are granted access to it and that all of the personnel authorised to process the client personal data are bound by a duty of confidentiality;

h. notify you if we appoint a sub-processor (but only if you have given us your prior written consent, such consent not to be reasonably withheld or delayed) and ensure any agreement entered into with the relevant sub-processor includes similar terms as the terms set out in this clause;

i. where we transfer the client personal data to a country or territory outside the EEA to do so in accordance with data protection legislation;

j. notify you promptly if:

i. we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of the client personal data; or

ii. we are served with an information or assessment notice, or receive any other material communication in respect of our processing of the client personal data from a supervisory body (for example, the Information Commissioner’s Officer);

k. notify you, without undue delay, in the event that we reasonably believe that there has been a personal data breach in respect of the client personal data;

l. at your cost and upon receipt of you prior written notice, allow you, on an annual basis and/or in the event that we notify you of personal data breach in respect of the client personal data, reasonable access to the relevant records, files, computer or other communication systems, for the purposes of reviewing our compliance with the data protection laws.

1.4 Without prejudice to the generality of clause 1.1, you will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of the client personal data to us.

1.5 Should you require any further details regarding our treatment of personal data, please contact our data controller

Where we act as a data controller the following clause will be applicable:

2.1 We shall each be considered an independent data controller in relation to the client personal data. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of the client personal data.

2.2 You shall only disclose client personal data to us where:

(i) you have provided the necessary information to the relevant data subjects regarding its use;

(ii) you have a lawful basis upon which to do so, which, in the absence of any other lawful basis, shall be with the relevant data subject’s consent; and

(iii) you have complied with the necessary requirements under the data protection legislation to enable you to do so.

(iv) we may seek indemnity from you in respect of any failure to provide the necessary information to the relevant data subjects should we judge that the circumstances merit such an indemnity

2.3 Should you require any further details regarding our treatment of personal data, please contact our data controller

2.4 We shall only process the client personal data:

(i) in order to provide our services to you and perform any other obligations in accordance with our engagement with you;

(ii) in order to comply with our legal or regulatory obligations; and

(iii) where it is necessary for the purposes of our legitimate interests and those interests are not overridden by the data subjects’ own privacy rights.

2.5 For the purpose of providing our services to you, pursuant to our engagement letter, we may disclose the client personal data to members of our firm’s network, our regulatory bodies or other third parties (for example, our professional advisors or service providers). The third parties to whom we disclose such personal data may be located outside of the European Economic Area (EEA). We will only disclose client personal data to a third party (including a third party outside of the EEA) provided that the transfer is undertaken in compliance with the data protection legislation.

2.6 We may disclose the client personal data to other third parties in the context of a possible sale, merger, restructuring or financing of or investment in our business. In this event we will take appropriate measures to ensure that the security of the client personal data continues to be ensured in accordance with data protection legislation. If a change happens to our business, then the new owners may use our client personal data in the same way as set out in these terms.

2.7 We shall maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of the client personal data and against accidental loss or destruction of, or damage to, the client personal data.

2.8 In respect of the client personal data, provided that we are legally permitted to do so, we shall promptly notify you in the event that:

(a) we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of our processing of their personal data;

(b) we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material communication in respect of our processing of the client personal data from a supervisory authority as defined in the data protection legislation (for example in the UK, the Information Commissioner’s Officer); or

(c) we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the client personal data.

2.9 Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to you in accordance with our engagement letter with you in relation to those services.

Non discrimination policy

Terms and Conditions - Our terms and conditions will normally be set out in our engagement letters which will be issued to new clients prior to any work commencing. Standard terms are available upon request.