Privacy Policy
Introduction
This Privacy Notice outlines the obligations of FINASSYST LTD under the Data Protection Act 2018 (“DPA 2018”) and the UK General Data Protection Regulation (“UK GDPR”) regarding the processing of personal data. As a data controller, we take our responsibilities seriously and aim to ensure transparency in our data practices.
Contact Information:
- Email: [email protected]
Please note that we may update this privacy notice periodically. We will provide you with a copy of the amended notice if changes occur.
When We Act as a Processor
In instances where we serve as a data processor (e.g., processing payroll), an additional schedule is provided with relevant information. This should be read alongside this privacy notice.
Purposes for Processing Personal Data
We process personal data for the following reasons:
- To deliver professional services to you as our client.
- To fulfil legal obligations under current laws (e.g., the Money Laundering and Terrorist Financing (Amendment) Regulations 2019).
- To comply with professional standards as a member of the Chartered Institute of Management Accountants.
- To assist in the investigation or defense of potential complaints, disciplinary actions, or legal proceedings.
- To invoice you for our services and resolve any related fee disputes.
- To inform you about other services we offer, with your consent.
Legal Bases for Processing Personal Data
Our processing of personal data is based on the following legal grounds:
- Consent: We may occasionally seek your consent to process your data.
- Contractual Obligation: Necessary for performing our contract with you.
- Legal Compliance: Required to meet legal obligations.
- Legitimate Interests: To investigate legal claims, recover debts, maintain client records, and develop our business.
Failure to provide requested information may affect our ability to offer services.
Sharing Personal Data
We may share your personal data with:
- HMRC
- Third parties with whom you authorize correspondence
- Subcontractors
- Appointed alternates (in cases of incapacity or death)
- Tax insurance providers
- Professional indemnity insurers
- Our professional body (Chartered Institute of Management Accountants) and OPBAS
- Other professional consultants and service providers
Additionally, if required by law, we may share your data with:
- Police and law enforcement agencies
- Courts and tribunals
- The Information Commissioner’s Office (ICO)
Data Transfer and Retention
Your personal data will be processed within the UK only.
Data Retention:
We retain records as follows:
- Tax Returns: Six years from the end of the tax year.
- Ad Hoc Advisory Work: Six years from the cessation of the business relationship.
- Ongoing Relationships: Retained throughout and deleted four years after the business relationship ends, unless otherwise requested.
For data processing as defined in DPA 2018, we return or delete personal data upon contract termination.
Data Protection for Payroll, Auto-Enrolment, and Subcontractors
Definitions:
- Client Personal Data: Any personal data provided by you for service provision.
- Data Protection Legislation: Includes PECR, GDPR, and relevant UK privacy laws.
- Key Terms: ‘Controller’, ‘data subject’, ‘personal data’, etc., are defined by the legislation.
We acknowledge our role as a data processor and outline our responsibilities as follows:
- Process client data per your lawful instructions.
- Share client data with regulatory bodies and other third parties as necessary.
- Comply with legal data sharing requirements.
- Maintain records of processing activities and security measures.
- Securely return or delete client data upon contract termination.
- Ensure personnel access to data is restricted and confidential.
- Notify you of data subject requests, complaints, or data breaches.
- Allow access for compliance reviews, if required.
Types of Personal Data Processed:
- General: Full name, contact details, birth date, financial info, National Insurance number, etc.
- Special Category: Sickness absence information.
Data Subjects Include:
- Employees
- Subcontractors
- Business owners
Rights and Requests
Subject Access Requests (SARs)
You have the right to access your personal data. Please make SARs in writing with sufficient details to verify your identity. We will comply within one month, unless circumstances justify refusal (e.g., a similar request made recently with no data changes).
Rectification, Erasure, and Restriction
- Right to Rectification: Correct inaccurate data.
- Right to Erasure: Request data deletion, subject to legal exceptions.
- Right to Restrict Processing/Objection: Limit data processing or object to it.
Data Portability
You may request your personal data in a machine-readable format under certain conditions, such as when processing is based on consent or performed by automated means.
Withdrawal of Consent
You can withdraw your consent at any time. Note that withdrawal does not affect prior lawful processing, and some data may still be processed under other legal bases.
Automated Decision-Making and Profiling
We do not engage in automated decision-making or profiling.
Complaints
If you are dissatisfied with our data practices or response to a SAR, you may contact us using the provided details. Additionally, you have the right to lodge a complaint with the ICO at www.ico.org.uk.