Hardwick & Morris LLP – Privacy Notice

This notice will tell you how we look after your personal data, about your privacy rights, and about our compliance with and your protections under Data Protection Legislation.

In this notice “Data Protection Legislation” means any applicable law relating to the processing, privacy, and use of Personal Data, including the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.

Data Controller: Hardwick & Morris LLP of 1 Berry St, London EC1V 0AA is the data controller responsible for deciding how we hold and use personal information about you.

Data Protection Leader: The Managing Partner is responsible for enquiries regarding compliance with this privacy notice and can be contacted at [email protected] or Data Protection, Hardwick & Morris LLP, 1 Berry St, London EC1V 0AA.  We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.

Information collected: personal information about you (your data) as necessary for the provision of the accountancy services by us to you (Services) and to comply with our statutory requirements (i.e. anti-money laundering legislation). This includes information which you provide to us (by phone, e-mail or otherwise), collected online (for example, credit checks and searches), and/or received from third parties or other sources. Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide your data when requested, we may not be able to provide you with the Services. In this case, we may have to cease performing the Services you have with us, but we will notify you if this is the case at the time. If we do not obtain your data from you, we will inform you of the source your data originates from and whether it is publicly available. The categories of your data which we may collect, store, and use will depend on the type of Services, which categories are as follows:

CATEGORIES OF PERSONAL INFORMATION WE COLLECT FROM YOU:

  • Contact details.
  • Bank/other Financial Services details.
  • Pension and benefits details.
  • Tax details.
  • Income and pay details.
  • Annual leave details.
  • Sick leave details.
  • Employment history.
  • Identification (including, for example, photographs).
  • Financial transaction spending history.
  • Date and place of birth.
  • Marital status and dependents.
  • ID numbers, e.g. NINO, UTR, driving licence.
  • Log-in information/passwords.
  • Lifestyle information.

We will not process any special categories of personal data (for example, information about your race, religion, ethnic origin, genetics, biometrics, health or gender) or criminal offence data unless we expressly request this information from you. We do not collect data relating to children except where it is provided by you in the nature of an instruction with us.

How your data is used: it will be used to perform the Services. If you do not provide us with your data, we will not be able to perform the Services and we may be prevented from complying with our statutory obligations. We may also process your personal data for the purposes of our own legitimate interests provided that those interests, rights, and freedoms which require the protection of personal data. This includes processing for marketing, business development and management purposes. We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.

Disclosure of your data: your data may be disclosed by us to third parties including other data controllers where it is: necessary for the provision of our Services; required by law; or where we have another legitimate reason for doing so (such as a court order). Depending on the type of Services, we may share your data with our agents, suppliers, and contractors. For example, we may share data with First Stop IT Limited who manage the firm’s IT services, H&M & LL LLC in the USA to provide US accounting and taxation services (see “Transfer of data outside the UK”), Bullocks 1 Limited for Royalty Management Services, First Corporate Services Limited for company secretarial services, Pay Academy Limited for payroll services and HM Revenue & Customs and any regulator (for example, Institute of Chartered Accountants and the FCA) to comply with the law.

Protection of your data: we have put in place commercially reasonable and appropriate security measures aimed at preventing your data being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to those employees, agents, contractors and third parties who have a business need to know and require that your data is only processed for specified purposes in accordance with our instructions and where they have agreed to treat the information confidentially and to keep it secure. We do not allow our third-party service providers to use your data for their own purposes. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Transfer of data outside the UK: we may transfer your data to third parties outside the UK.  We will only do so where there is an adequate level of protection of personal data or there are measures giving equivalent protection of personal rights, either through international agreements or contracts approved for use in the UK which give personal data the same protection it has in the UK.

How long is your data kept: your data will only be retained as long as necessary for the provision of our Services and insurance and regulatory requirements, being 6 years from the provision of our Services or for 6 years from the end of the accounting/tax year to which the data relates. You may request access, erasure and rectification of your data during this period, after which we will securely destroy your data in accordance with applicable laws and regulations.  Please note that we may keep your data for longer than the periods stated above if it is necessary. However, this will be assessed on a case by case basis. If we determine that it is necessary to keep your data for longer than the periods listed above, we will confirm this to you in writing at the end of our agreement with you and explain why it is necessary.

Your right to access, correct, erase and restrict data we hold about you: it is important that your data is accurate and current. Please keep us informed if your data changes during your working relationship with us. Under certain circumstances, by law you have the right to:

  • Request access to your data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of your data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons.
  • Object to processing of your data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
  • Request the restriction of processing of your data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your data to another party.

If you wish to exercise any of the rights set out above, please contact us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate measure to ensure that personal information is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to withdraw consent: In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us at [email protected].

Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Complaints:

If you have any queries, concerns, or complaints about the use of your data by us, please raise them with the Data Protection Leader. If this does not resolve the problem to your satisfaction, or, if you prefer to raise the issue with somebody else, then please speak with the designated Complaint Partner named in our Engagement Letter, who will deal with your complaint.  You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.  The ICO’s contact details are as follows:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113

Changes to this Notice:

We may change this notice from time to time, in which case the new notice can be viewed on our website www.hardwickandmorris.co.uk. We may also notify you in other ways from time to time about the processing of your data.