This notice sets out how Breaking the Mould Accounting Limited will process personal data.
The principal contact at Breaking the Mould Accounting Limited is Alasdair Milroy, who can be contacted about anything to do with your personal data and data protection, including to make a subject access request, using the following details:
Email address: firstname.lastname@example.org
Postal address: Apartment 6, Reef House, Havelet Waters, South Esplanade, Saint Peter Port, Guernsey GY1 1BJ
Telephone number: +44 2038447850
The Data Protection (Bailiwick of Guernsey) Law, 2017 (as amended) (Data Protection Law), which implements the EU’s General Data Protection Regulation (GDPR), requires organisations that process personal data to meet certain legal obligations.
Breaking the Mould Accounting Limited is a data controller within the meaning of the Data Protection Law and we process personal data.
We are committed to complying with the requirements of the Data Protection Law and GDPR. As a result, we confirm that personal information we process will only be held (or otherwise processed) to the extent necessary in order to provide the agreed professional services and for any other purpose specifically agreed.
We are entering into a contract with you and will be processing data in order to fulfil our contractual obligations. In order to provide the agreed services, we need to collect, retain and process personal data about you. This data is needed in order to:
- Take you on and retain you as a client according to the provisions of applicable laws and professional regulations (e.g. anti-money laundering requirements)
- Prepare and file accounts and tax returns
- Provide advice on tax and national/social insurance liabilities
- Provide ad hoc advice.
If the information required is not provided, we may not be able to provide the required services, which would trigger the disengagement provisions in the terms and conditions.
The personal data that we will collect and process will include:
- Names and addresses
- Email addresses
- Telephone numbers
- Dates and places of birth
- Occupations and details of any employer or public position held
- Information held by a relevant tax authority
- Information required to prepare tax returns
- Information required to prepare your accounts
- Correspondence between us
How Information is Collected
We collect information that is supplied about you from:
- A spouse/partner
- A relevant tax authority
- Your organisation
- Electronic ID verification providers
- Publicly available sources (e.g. the website of your employer)
- Directly from a third party (e.g. sanctions screening providers, credit reference agencies, customer due diligence providers, etc.)
- Other third parties (e.g. banks, investment managers etc.) as authorised by you.
How Your Information is Used
We may use information we hold about you:
- to provide services under the contract in force between us (‘contract basis’)
- to contact you about other services we provide which may be of interest to you if you have consented to us doing so (‘consent basis’)
- to meet other legal and regulatory requirements (‘legal obligations and/or public interest bases’)
- for other legitimate interests.
We will retain records based on our retention policy so that we can defend ourselves against potential legal claims or disciplinary action which can be brought within statutory time limits.
We may also use information from other people or organisations when carrying out these activities.
There is no automated decision-making involved in the use of your information and therefore no data portability.
Lawful basis for processing personal data
- Personal data may be processed on a contract basis under the engagement letter and provision of services agreements.
- Personal data may be processed on a consent basis when meeting clients’ wider expectations of our professional relationship.
- Personal data may be processed on the legal obligations and/or public interest bases in order to comply with legal requirements.
- Personal data may be processed in order to further our legitimate interests (see below).
Our Legitimate Interests
A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
Our legitimate interests may include:
- Preventing and detecting fraud against you or us (to minimise fraud that could be damaging for you and/or us)
- Enforcing our legal rights or defending or undertaking legal proceedings (to protect our business, interests and rights)
- Ensuring our business policies are adhered to, e.g. policies covering security and internet use (to make sure we are following our own internal procedures so we can deliver the best service to you)
- Operational reasons, such as improving efficiency, training and quality control (to be as efficient as we can so we can deliver the best service to you at the best price)
- Preventing unauthorised access and modifications to systems (to prevent and detect criminal activity that could be damaging for you and/or us)
- Marketing our services to existing and former clients (to promote our business to existing and former clients)
- Credit reference checks via external credit reference agencies (to ensure our clients are likely to be able to pay for our services)
Transferring Personal Data Outside Guernsey
We may transfer personal data we collect about you to the UK and/or the EU in order to perform our contract with you.
The Data Protection Law reflects the high standards that are in place across all EU and EEA Member States and transferring data to those countries means that equivalent legal protections will be in place.
Before agreeing to transfer data outside the EU and EEA Member States we check to ensure that there are adequacy regulations under the Data Protection Law in relation to each country which ensures that their regulations will be deemed to provide an adequate level of protection for your personal information for the purpose of the Data Protection Law.
Where there are no adequacy regulations we have binding contractual agreements with the relevant third parties to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the Data Protection Law.
Information Which May be Given to Others
In order for us to provide the agreed services, we may provide personal data about you to:
- other companies within our group
- any relevant tax authority
- other third parties you require us to correspond with (e.g. finance providers, pension providers (including auto-enrolment) and investment brokers)
- subcontractors who are bound by the same professional and ethical obligations as the principals and employees of the practice
- an alternate appointed by us in the event of incapacity or death
- tax insurance providers
- professional indemnity insurers
- legal advisers
- our professional body, the Institute of Chartered Accountants in England and Wales (ICAEW), or an external reviewer in relation to quality assurance
- our regulator for anti-money laundering compliance, the Guernsey Financial Services Commission (GFSC).
We need to give information to these other parties in order to fulfil our contractual obligations to you and therefore it is not possible to opt out of the provision of information to these parties. If you ask us not to provide information we may need to cease to act.
If the law allows or requires it, during the period of our contractual arrangements or after we have ceased to act, we may also give information about you to:
- the police and law enforcement agencies
- courts and tribunals
- the Office of the Data Protection Authority (ODPA) in Guernsey.
In addition, after we have ceased to act we may give information about you to:
- our professional indemnity insurers or legal advisers where we need to defend ourselves against a claim
- our professional disciplinary body where a complaint has been made against us in order to defend ourselves against a claim
- your new advisers or other third parties you ask us to give information to.
We have put in place appropriate and proportionate security measures to address the risk of personal data being lost, used, altered or accessed in an unauthorised way. We limit access to personal data to those who have a business need to access it, and who will only process the personal data on our instructions.
Nevertheless, no data transmission over the internet, or any other network, can ever be regarded as wholly secure, and we have in place measures to deal with any suspected breach of data security. Those measures include policies and procedures, which are periodically reviewed to ensure they are effective and fit for purpose.
Retention of Information
When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector, we will retain all records relating to you as follows:
- Where tax returns and accounts have been prepared, it is our policy to retain information for seven years from the end of the tax year to which the information relates.
- Where ad hoc advisory work has been undertaken, it is our policy to retain information for seven years from the date the business relationship ceased.
- Where we have an ongoing client relationship, permanent information (the data supplied by you and others which is needed for more than one year’s tax and accounts compliance) is retained throughout the period of the relationship but will be deleted seven years after the end of the business relationship unless we are asked to retain it for a longer period by our clients.
Under applicable AML/CFT legislation, we are required to retain certain personal data for a period of five years from the date our business relationship ceased or such other longer period as the GFSC may direct.
Requesting Information Held About You (the Right to Access)
You are entitled to ask us what data we hold about you and why. Requests to see records and other related information that the firm holds about you are known as ‘subject access requests’ (SAR). We have set out further details on SARs below.
Requests in Writing
Please provide all requests in writing to the individual at the top of this notice.
To help provide the information on a timely basis you may need to provide copies of an identification document and proof of address.
Asking someone else to make a subject access request on your behalf
You can ask someone else to request information on your behalf – for example, a friend, relative or lawyer. We must have your authority to do this. This is usually a letter signed by you stating that you authorise the person concerned to write to us for information about you, and/or receive our reply.
When We Won’t Release Information
The law allows us to refuse your request for information in certain circumstances – for example, if you have previously made a similar request and there has been little or no change to the data since the original request.
The law also allows us to withhold information where, for example, release would be likely to:
- prejudice the prevention or detection of crime
- prejudice the apprehension (arrest) or prosecution of offenders
- prejudice the assessment or collection of any tax or duty
- reveal the identity of another person, or information about them.
Where we are unable to consent to your request we will set out the reasons in writing.
Putting Things Right (the Right to Rectification)
If you dispute the accuracy or completeness of personal data we hold about you, you have the right to require us to rectify or change the data. You should write directly to us to make any such request.
Should information you have previously supplied to us be incorrect, please inform us immediately so we can update and amend the information we hold.
Deleting your Records (the Right to Erasure)
In certain circumstances it is possible for you to request us to erase your records and further information is available on the ODPA website (www.odpa.gg).
If you would like your records to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure and if applicable we will supply you with the reasons for refusing your request.
Restrictions on Processing (the Right to Restrict Processing and the Right to Object)
In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. For further information refer to the ODPA website (www.odpa.gg). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can take the appropriate action.
Withdrawal of Consent
Where you have consented for us to contact you with details of other services we provide we may continue to process your data and contact you for that purpose after our contractual relationship ends.
You may withdraw consent for the firm to contact you in relation to details of other services we provide at any time during the performance of the contract or thereafter. We will then cease to process your data but only in connection with contacting you with details of other services we provide.
Note that the withdrawal of consent does not make the other bases on which we are processing your data unlawful. We will therefore still continue to process your data under the terms of our contract and for other reasons set out in this privacy notice.
Obtaining and Reusing Personal Data (the Right to Data Portability)
You can request that your personal data be transmitted from us (where we act as a ‘controller’ of your data) to another organisation who you wish to have control of your data (e.g. moving your records from one accountancy practice to another).
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
You may be able to request your personal data in a format which enables it to be provided to another organisation. We will respond to any requests made without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.
If you have any questions or concerns regarding our processing of personal data, you can complain to us as set out in the terms and conditions.
If you are dissatisfied with the response, then you can refer to the ODPA. A complaint form is available on the ODPA website (www.odpa.gg).
You can also complain to our professional body, the Institute of Chartered Accountants in England and Wales (ICAEW), as set out in the terms and conditions.
Privacy Notice Confirmation
I have read, understand and accept the basis on which my information will be dealt with as set out in the privacy notice provided.
I agree to your appointed alternate having access to my records in the event of your illness or permanent incapacity. I understand that you will communicate or transfer data with me using any or all of the following:
- Post/Hard-copy documents
- Password-protected emails
- Encrypted emails
- Unencrypted emails (without attachments)
- Secure Portals
- Cloud-based software
I accept the risks of you corresponding with me by email that is not encrypted or password protected.