This privacy notice is to help you understand what data we collect, why we collect it and what we do with it.

Data Controller: Hardwick & Morris LLP of 41 Great Portland Street, London W1W 7LA is the data controller responsible for deciding how we hold and use personal information about you.

Data Protection Leader: The Practice Manager is responsible for enquiries regarding compliance with this privacy notice and can be contacted at enquiries@41gp.com or Data Protection, Hardwick & Morris LLP, 41 Great Portland Street, London W1W 7LA.

Information collected: personal information about you (your data) as necessary for the provision of the accountancy services by us to you (Services) and to comply with our statutory requirements (i.e. anti-money laundering legislation). This includes information which you provide to us (by phone, e-mail or otherwise), collected online (for example, credit checks and searches), and/or received from third parties or other sources. If we do not obtain your data from you, we will inform you of the source your data originates from and whether it is publicly available. The categories of your data which we may collect, store, and use will depend on the type of Services, which categories are as follows:

Categories of personal information we collect from you

  • Contact details
  • Bank/other Financial Services details
  • Pension and benefits details
  • Tax details
  • Income and Pay details
  • Annual leave details
  • Sick leave details
  • Employment history
  • Identification (including, for example photographs)
  • Financial transaction spending history
  • Date and Place of Birth
  • Marital Status and Dependents
  • ID numbers, e.g. NINO, UTR, Driving Licence.
  • Log-in information/passwords
  • Lifestyle information
We will not process any special categories of personal data (for example, information about your race, religion, ethnic origin, genetics, biometrics, health or sex) or criminal offence data unless we expressly request this information from you. We do not collect data relating to children except where it is provided by you in the nature of an instruction with us.

How your data is used: it will only be used to perform the Services. If you do not provide us with your data, we will not be able to perform the Services and we may be prevented from complying with our statutory obligations.

Disclosure of your data: your data may be disclosed by us to third parties including other data controllers where it is: necessary for the provision of our Services; required by law; or where we have another legitimate reason for doing so (such as a court order). Depending on the type of Services, we may share your data with our agents, suppliers and contractors. For example we may share data with H&M &LL LLC in the USA to provide US accounting and taxation services (see, “Transfer of data outside the UK”), Bullocks for Royalty Management Services, HM Revenue & Customs and any regulator (for example, Institute of Chartered Accountants and the FCA) to comply with the law.

Protection of your data: we have put in place security measures aimed at preventing your data being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to those employees, agents, contractors and third parties who have a business need to know and require that your data is only processed for specified purposes in accordance with our instructions and where they have agreed to treat the information confidentially and to keep it secure. We do not allow our third-party service providers to use your data for their own purposes. We have put in place measures to protect the security of your information, further details of which are available upon request.

Transfer of data outside the UK: we may transfer your data to third parties outside the European Union. We will only do so where there is an adequate level of protection of personal data or there are measures giving equivalent protection of personal rights, either through international agreements or contracts approved by the European Union, such as the EU-USA Privacy Shield Framework.

How long is your data kept: your data will only be retained as long as necessary for the provision of our Services and insurance and regulatory requirements, being 6 years from the provision of our Services or for 6 years from the end of the accounting/tax year to which the data relates. You may request access, erasure and rectification of your data during this period, after which we will securely destroy your data in accordance with applicable laws and regulations. Please note that we may keep your data for longer than the periods stated above if it is necessary. However, this will be assessed on a case by case basis. If we determine that it is necessary to keep your data for longer than the periods listed above, we will confirm this to you in writing at the end of our retainer with you and explain why it is necessary.

Your right to access, correct, erase and restrict data we hold about you: it is important that your data is accurate and current. Please keep us informed if your data changes during your working relationship with us. Under certain circumstances, by law you have the right to:

      • Request access to your data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
      • Request correction of your data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
      • Request erasure of your data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
      • Object to processing of your data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
      • Request the restriction of processing of your data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
      • Request the transfer of your data to another party.

Complaints: if you have any queries, concerns or complaints about the use of your data by us, please raise them with the Data Protection Leader. If this does not resolve the problem to your satisfaction, or, if you prefer to raise the issue with somebody else, then please speak with the designated Complaint Partner named in our Engagement Letter, who will deal with your complaint. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Changes to this Notice: we may change this notice from time to time, in which case we will provide you with a new notice. We may also notify you in other ways from time to time about the processing of your data.