We have always taken the security of our clients personal data very seriously. This Privacy Notice explains how we collect and process personal data to comply with GDPR Regulations. From time to time we will update this notice and make any necessary changes. Currently, European Union legislation and the law in the United Kingdom, as a Member State, will be the legal framework for this Notice.
To assist you in understanding this Notice we have divided it into sections:
- Why, when and how we use your personal data
- Legal basis for processing
- Special categories of personal data
- What personal data do we store securely?
- What personal data do we destroy immediately?
- Third party data processing and sharing
- Marketing and newsletters
- How long we retain personal data
- Your rights to access your personal data
- Why we process your personal data
- Limitation of your rights
- Updating and amending your personal data
Personal data – any information relating to an identified or identifiable living natural person.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Filing system – paper or electronic arrangement of personal data to facilitate processing
Controller – natural or legal person, alone or jointly with others, determines the purposes and means of the processing of personal data
Processor – a natural or legal person, which processes personal data on behalf of the controller
Main establishment – JWPCreers LLP has one main establishment at Genesis 5 Church Lane, Heslington, York
Binding corporate rules – systems and procedures, including policies used by staff and members of JWPCreers LLP.
Pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable human being.
Why, When and How we use your personal data
We are engaged by our clients to provide a range of professional services, which include, but are not restricted to, accountancy, taxation, audit, payroll bureau, share valuation, financial modelling and business support.
Personal data is provided to us by our clients and used exclusively for the purpose of providing the service(s) they instruct us to provide, which is set out in a written contract called the ‘Letter of Engagement’. Additional data processing will only take place when explicit approval has been obtained from our client and evidenced by an updated and signed Letter of Engagement.
Data is processed using a variety of methods- sorting, analysis, tabulation, summation and analytical procedures. These methods and actions are applied to the personal data to produce information which is used to assist our clients meet their regulatory responsibilities. However, data may be used in a variety of other ways. For example, obtaining bank funding, evaluating capital projects and providing payroll information to our client’s employees and HMRC.
The personal data provided by our clients is only used to enable us to provide the services we are contracted to provide and for no other purpose. Processing will only take place when it is strictly necessary for the performance of an action or series of actions which deliver the service(s).
The service(s) we provide help our clients to prepare self-assessment tax returns, statutory accounts and other regulatory returns and declarations.
Our aims as data controller are to provide our clients with clear and concise information using plain language to assist them to exercise their rights as a data subject in the following areas:
- Access to personal data;
- Erasure (‘right to be forgotten’);
- Restriction of processing;
- Notification of rectification and erasure;
- Data breach.
When we collect personal data to process in accordance with our contract with our client we will:
- Identify the partner responsible for delivering the service(s) and portfolio manager responsible for processing;
- Provide the contact details of our Practice Manager which is also contained in this Notice;
- Explain the purposes of the processing;
- Explain the legal basis for processing.
We do not undertake any form of automated decision making.
Legal basis for processing
We acknowledge our responsibility to identify to our clients the lawful basis for processing personal data. In this regard we have considered a number of factors which we set out in this Notice:
- Processing is necessary for the performance of the contract between our client and JWPCreers LLP. The terms of that contact are set out in a ‘Letter of Engagement’.
- Processing is necessary for the purposes of the legitimate interests pursued by JWPCreers LLP in our capacity as controller.
We are aware that in regard to (2) such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
We provide audit services to some of our clients and process personal data to arrive at the audit opinion. We use a variety of techniques and professional skills to build a body of evidence which supports that opinion.
We may test the systems and processes used by our client and consider ourselves to be a data processor when undertaking this work, not controller.
We consider that client consent is demonstrated by signing the ‘Letter of Engagement’.
The engagement process is proactive and collaborative to ensure that our clients determine the service(s) they need. Schedules attached to the Engagement Letter make up the contract.
We acknowledge that clients have the right to withdraw their consent at any time. However, this will not have an effect on any processing we have undertaken on their behalf before consent is withdrawn.
In the event that clients wish to withdraw consent they should contact a member of our relationship management team, comprising: partner, relationship manager or a member of our client service team.
Special categories of personal data
Special categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and processing genetic data, biometric data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation are prohibited. We have reviewed the personal data we hold and as far as we can determine we do not collect the following personal data categories:
- Trade union membership;
- Biometric data;
- Sexual orientation or information concerning the sex life of a natural person;
- Genetic data.
Our clients may ask us to assist them with preparing information for regulatory purposes as part of our business support services in accordance with the terms of our engagement.
When we engage new clients or update existing client personal data we must verify their identity. We will review passport, driving licence, visa’s and other official documents to obtain the information we require to satisfy our statutory responsibilities in proving the identity of our clients. We will therefore retain personal data in the following special categories:
- Racial or ethnic origin;
- Religious or philosophical beliefs;
We may contact third parties on behalf of our clients to assist them with their retirement planning, wealth management strategy or to claim appropriate taxation relief. In such circumstances, we may be provided with personal data regarding the health of our client. We establish explicit consent for this processing activity in the Engagement Letter.
Processing of health data may also take place for the assessment of the working capacity of an employee. In this specific circumstance the data will be used in a sensitive and proportionate manner so that working conditions can be modified to address the effects of health on our employees ability to work. Retention of this special category of data is reviewed every 3 months to ensure that it is relevant. When the data is no longer relevant it is destroyed.
What personal data do we store securely?
The personal data we collect depends upon the service(s) we are contracted to provide to our clients but includes;
Name, address, telephone number, email address, national insurance number, UTR, date of birth.
Additional information, used only by our payroll bureau and taxation teams will include, bank details, PAYE code numbers, pension and remuneration figures.
To ensure the safety and security of our staff we monitor our premises by CCTV. However, we do not record the images produced by the system. If we decide to record images in the future we will update this Notice. The legal basis for recording will be the safety and security of our staff and premises and will be a legitimate interest.
Currently, we do not record telephone conversation. However, we may do so in the future and we will update this Notice if we do change our decision.
What personal data do we destroy immediately?
Many of our clients pay our fees by credit card. This information is generally provided in a telephone call and we never retain or store that information. We use a secure third party ‘payment gateway’ to process card payments.
We do not use cookie information as a profiling tool, share it with anyone, or use it in any form of marketing.
Third party data processing and sharing
Client’s personal data is only processed by the staff and partners of JWPCreers LLP. We do not employ sub-contractors or outsource services to a third party.
Data is only processed in the UK at the main establishment, Selby office or client premises using a secure VPN.
The results of the data processing we undertake are for the purpose of assisting our clients meet their regulatory responsibilities. To that end, we file our client’s Self-Assessment tax return, accounts and returns with HMRC, Registrar of Companies, Charity Commission and other government bodies, funding organisations and banks. We are reliant on the IT systems of those bodies and on the officials and employees of those organisations.
Marketing and newsletters
JWPCreers LLP does not undertake marketing and will not share its client’s personal data with any third party organisation for marketing purposes of any kind.
Newsletters provide our clients with up to data information regarding changes in legislation which could affect their financial affairs. Newsletters are an important part of our service and used to inform and educate clients. They are an important communication tool and we consider them to be a part of our legitimate interests.
How long we retain personal data
We only hold your personal data for as long as necessary and return most of the data when we have provided the service(s) we are contracted to undertake. Client data will have been processed to achieve their service aims. This means that we will retain copies of processed data only to comply with statutory requirements or to enable us to provide services we are contracted to provide on an ongoing basis. Generally, some or all of the personal data of clients will be retained for as long as they are a client of JWPCreers LLP and for a period of six years after the last interaction with us (for accounting, tax reporting and record-keeping purposes).
Personal data security
In order to maintain the highest possible level of security and to prevent processing infringement we have undertaken a risk review and implemented policies and procedures designed to mitigate those risks. However, it is impossible to guarantee that any IT system is robust in the face of a concerted cyber attack by those persons or States sponsoring such activity.
We invest annually in our IT network and engage IT experts to evaluate the security measures we implement. We have data encryption, firewall security, cloud based server facilities hosted in UK data centres, up to date software programmes supported by regular updates and malware.
We have implemented binding corporate rules which include policies and procedures to reduce the risk of data loss. These policies include: email protocols, encryption rules and pseudonymisation of personal data.
In the event of a personal data breach, we will assess if there is a high risk of an adverse impact to your rights and freedoms. In such circumstances we will inform you of the nature of the breach and the action we have taken, or will take, to mitigate the effect. We will contact you within 48 hours of the breach setting out the circumstances and convey our plan to mitigate any adverse effect.
We will notify the ICO of the personal data breach without delay and no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms.
Your rights to access your personal data
You have the right to ask us, in writing, for a copy of all the personal data held about you (this is known as a ‘subject access request’). A copy of the personal data will be sent to you as soon as possible and this will be no later than one month after your request.
If you would like to have access to the personal data held by us, please apply in writing to our Client Service Team:
JWPCreers LLP – Subject Access Request, Genesis 5, Church Lane, Heslington, York, YO10 5DQ
Limitation of your rights
Your rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
Updating and amending your personal data
We will always try to keep your data as up-to-date as possible. If, at any time, you want to update or amend your personal data then you can do so by contacting our Client Service Team:
The verification, updating or amendment of personal data will take place within 14 days of receipt of your request. Updating contact details will take place within 24 hours of your notification, except when public holidays preclude this.
Contact and complaints
If you have any queries about this Privacy Notice or how we process your personal information, or if you wish to exercise any of your rights under applicable law, you may contact the Practice Manager:
- By email: firstname.lastname@example.org
- By telephone: 01757 703731;
- Or by post: Genesis 5, Church Lane, Heslington, York, YO10 5DQ
If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection legislation from the Information Commissioner’s Office website available at www.ico.org.uk.