This policy explains:
- Who we are and how to contact us
- How we collect and process personal data:
- Business and professional contacts
- Cookies and website visitors
- Recipients of personal data
- How long we store personal data for
- How we keep personal data safe
- International transfers
- Your rights as a data subject
- Updates to this policy
1. Who We Are And How To Contact Us
For the purposes of applicable data protection law, we are a controller in relation to much of the personal data we collect and process. This means that we are responsible for deciding how and why we use personal data, and for keeping it safe.
Our details are as follows:
Name: M J Bushell Ltd
Company number: 07175356
Registered office: 8 High Street, Brentwood, Essex, CM14 4AB
ICO registration number: Z2138405
2. How We Collect And Process Personal Data
How we collect personal data
We collect and process personal data (meaning information which relates to an identifiable individual) relating to our clients and our business dealings. This will include individual clients, representatives or employees of corporate clients, and professional advisers. This information is typically:
- provided by clients;
- collected in the process of providing accountancy services (such as through correspondence);
- provided to us by third parties (such as other professional and financial advisers); and
- obtained from external sources (such as Companies House or HMRC).
The types of personal data we collect
The categories of personal data we collect may include some or all of the following:
- contact information (such as name, address, telephone and email address);
- financial and salary information (such as details of someone’s tax, salary and benefits);
- bank details (provided by a client or processed when we receive a payment); and
- information (such as passport information, driving licence and bank statements or utility bills) used to verify that client’s identity.
We may process other types of personal information, though this will depend on the nature of the client and the scope of our accountancy services.
Why we need to use personal data
We use personal data because we need to for one or more of the following reasons:
- to provide accountancy services to an individual (namely, to perform a contractual obligation we owe to that individual);
- in order to comply with our legal obligations (including professional obligations imposed by the Institute of Chartered Accountants in England and Wales); and
- to pursue our legitimate interests in operating and promoting the success of our business, or to pursue the interests of our clients in receiving accountancy services.
If you do not provide the personal data which we need in order to enter into or to perform a contract with you, then we may not be able to contract with you or to provide the services which you have requested.
In limited circumstances, we may use personal data on the basis of your consent. If we do so, we will always clearly ask for your agreement first. You are, of course, free to refuse this and we will inform you as to what (if any) consequences this might have. You can also withdraw consent at any time.
B. Business And Professional Contacts
We process personal data about individual business and professional contacts. These people include individual (or representatives from corporate) intermediaries, service providers, other accountants, lawyers, organisations that have attended our events, and potential clients.
The types of personal data we hold about these individuals typically consists of basic personal details and contact information, such as position title, name, email, address, telephone and the person’s employer. Depending on the circumstances, and the nature of our relationship with the people involved, we may use this information to:
- fulfil our contractual obligations or exercise contractual rights;
- communicate with other organisations, professional advisers or intermediaries; or
- send marketing and promotional communications.
We use this personal data because it is in our legitimate interests to promote our services and build business relationships.
We collect, store and use personal data about individuals who apply to join us. This may include information:
- you provide to us (such as in CVs, application forms, and through correspondence);
- you provide during an interview;
- obtained from previous employers and referees;
- provided to us by recruitment agencies; and
- received as a result of our carrying out background checks (such as checks for criminal convictions with the Disclosure and Barring Service).
The information we collect might include sensitive personal data, such as information about your health and sickness records. If we need to process sensitive personal data then we will ask for your explicit consent before doing so.
If you apply for a position with us, we may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in your history which makes you unsuitable for the role. We do this because working with us involves a high degree of trust (as you will have access to confidential information).
If we carry out a criminal record check or ask for references, this will only ever be done at the last stage of the application process, when making an offer of employment.
How we use applicant information
We use the personal data we collect about you to:
- assess your skills, qualifications, and suitability for a role;
- carry out background and reference checks;
- communicate with you about your application;
- keep records related to our hiring process; and
- comply with legal or regulatory requirements.
We do all of this because either it is a necessary part of entering into a contract of employment with you or because we have a legitimate interest in ensuring that you are suitable for a particular role.
If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully.
Retention of applicant information
We normally retain personal data about unsuccessful candidates for between 3 and 6 months from the time we inform them of our hiring decision. We retain personal data for this period so that we can demonstrate, in the event of a legal claim, we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy this applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.
If you are successful, the personal data your provided in the application process will be stored as part of your personnel file.
We use personal data to contact people from time to time. This might be because we are providing that person with services or because they have asked to hear from us.
We sometimes send emails to other companies and organisations without their prior consent. We do this in order to promote our services and build relationships. If we have contacted you like this, it is because we think these communications may be of interest or relevance to you (usually on the basis of our previous dealings with you or a recommendation from a third party).
You can change how you hear from us or unsubscribe from marketing at any time by clicking the “unsubscribe” link on any of our emails, or by emailing email@example.com and asking us to stop contacting you.
4. Cookies And Website Visitors
We do not normally collect personal data about visitors to our website unless they choose to provide such information (such as by filling in a website form).
We collect anonymous information about visitors to our website in order to optimise and improve the website. This might include IP addresses, browser or device details and the connection type (for example, the Internet service provider used). However, none of this information will by itself directly identify any particular user.
Our website uses “cookies” to enhance your experience and enable certain functionality. Web browsers place cookies on hard drives for record-keeping purposes and sometimes to track information (such as repeat visits).
We use Google’s AdWords remarketing service. This means that if you visit our website, you may see adverts for M J Bushell when you visit other websites. This happens because Google places a cookie on your machine based on which pages you visit on our site, and then uses that cookie to show you relevant advertisements when you visit other sites. This remarketing process does not involve collecting or storing any of your personal data.
Hyperlinks to other sites
5. Recipients Of Personal Data
Personal data you provide to us will be kept private and confidential, and we will not disclose or share it with other data controllers without your permission. The only exception to this is where we are legally required to disclose personal data. For example, to comply with a court order. We may also be required to share personal information with regulatory authorities in the event of an audit or investigation.
We share personal data with some of the third parties who provide services to our firm. This includes software providers (such as Microsoft), cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our strict instructions.
We only use third party service providers who have provided sufficient guarantees, as required by Data Protection Laws, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to our firm, in accordance with Data Protection Laws.
6. How Long We Store Personal Data For
We only retain personal data for as long as is necessary for the specific purpose(s) it was collected for (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements). For example, we are required to retain accounting records for a period of at least 6 years.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In the event we process personal data in connection with an engagement, we will normally process that personal data for the duration of that engagement. Once we are satisfied that the services are complete, we will close the file and delete or destroy personal data which is no longer required (such as hard copies of documents which have been digitally archived). Any personal data we retain will be stored securely and only accessed if necessary in order for us to establish, exercise or defend against a legal claim or if another overriding legitimate ground arises (such as having to disclose information as part of an audit by our regulator).
7. How We Keep Personal Data Safe
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. This includes both physical security measures (such as keeping paper files in secure, access-controlled premises) and electronic security technology (such as digital back-ups and sophisticated anti-virus protection).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
8. International Transfers
We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;
- implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or
- (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme. For example, we use software services provided by the Microsoft Corporation, which is registered under the Privacy Shield scheme.
The only other time we’ll transfer data outside the EEA is if a derogation (i.e. an exception) under Data Protection Laws, and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.
9. Your Rights As A Data Subject
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
- The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to processing of your personal data. You can object to us processing personal data for legitimate interests purposes or for direct marketing.
- The right to restrict how your personal data is used. You can limit how we use your information (primarily to storage or for use in legal claims).
- The right to have a portable copy or transfer your personal data. We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information we process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data you have the right to withdraw that consent at any time.
We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
Fees for making a request
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How to make a request
If you want to exercise any of the rights described above, please email firstname.lastname@example.org or write to Data Protection Requests, M J Bushell Ltd, 8 High Street, Brentwood, Essex, CM14 4AB.
Your right to complain to a supervisory authority
You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
10. Updates To This Policy
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 14/05/2018.