Privacy Policy

14. Data Protection

14.1

To enable us to discharge the services agreed under our engagement, and for other related purposes including updating and enhancing client records, analysis for management purposes and statutory returns, crime prevention and legal and regulatory compliance, we may obtain, use, process and disclose personal data about you / your business / company / partnership / its officers and employees and shareholders ('personal data').

Data processor

14.2

Applicable data protection legislation places express obligations on you as a data controller where we as a data processor undertake the processing of personal data on your behalf. An example would be where we operate a payroll service for you. We therefore confirm that we will at all times use our reasonable endeavours to comply with the requirements of applicable data protection legislation when processing data on your behalf. In particular we confirm that we will aim to comply with any obligations equivalent to those placed on you as a data controller in the EU/EEA/UK. You will also comply with applicable data protection legislation, including, but not restricted to, ensuring that you have all appropriate consents and notices or another legal basis in place to enable the lawful transfer of personal data to us. You will fully indemnify and hold us harmless if you do not have a lawful basis and that causes us loss.

14.3

Schedule 1.01a forms part of this engagement letter and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects.

14.4

As the data processor we shall:

  • Process personal data only on written instruction from you;
  • Restrict data access to authorised personnel only, who are bound by confidentiality;
  • Disclose the personal data to courts, government agencies and other third parties as and to the extent required by law;
  • Maintain a written record of all categories of personal data processing carried out on your behalf, including details of transfers of personal data outside of the EU/EEA/UK and a general description of the technical and organisational security measures in place in relation to personal data; and
  • Delete or return all personal data to you at the completion of our engagement requiring personal data processing, subject to legal requirements to retain data.

14.5

In the course of providing services to you and processing personal data, we may disclose personal data to other firms in our network, a regulatory body or a third party. We may use a sub-processor and/or export personal data you supply to us outside the EU/EEA/UK where necessary. We will obtain consent before engaging sub-processors. We will ensure all such data disclosure/export is compliant with relevant data protection legislation and will use our reasonable endeavours to ensure that any agreement entered into with sub-processors includes similar terms to those set out in this clause 14. Where cloud-based services are to be used you may be subject to our cloud services terms and conditions.

On 28 June 2021, the European Commission approved the UK for adequacy. This means that the continuation of data flows between the UK and the EU will remain unaffected and we can rely on this mechanism for the terms under this agreement over the next four years until its review in June 2025.

14.6

We confirm we have adequate security measures in place to protect personal data provided to us, including administrative, physical and technical safeguards.

14.7

We will notify you within 10 working days if an individual asks for copies of their personal data, makes a complaint about the processing of personal data or serves a notice from a relevant data protection authority where it relates to you. You and we will consult and cooperate with each other when responding to any such request, complaint or notice. If an individual whose data you have supplied to us or which we are processing on your behalf asks us to remove or cease processing that data, we shall be entitled to do so where required by law.

14.8

We will answer your reasonable enquiries to enable you to monitor compliance with this clause. We will also allow for, and contribute to, audits or inspections conducted by the ICO or their auditor to demonstrate compliance with this clause.

15. Limitation of third-party rights

15.1

Persons who are not party to this agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement. This clause does not affect any right or remedy of any person which exists or is available otherwise than pursuant to that Act.

15.2

The advice we give you is for your sole use and is confidential to you and will not constitute advice for any third party to whom you may communicate it, unless we have expressly agreed in writing that a specified third party may rely on our work. We will accept no responsibility to third parties, including any group company to whom the engagement letter is not addressed, your spouse, nor any family member of yours or your employer, for any aspect of our professional services or work that is made available to them.

16. Client identification

16.1

In common with other professional services firms, we are required by the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) to:

  • Maintain identification procedures for clients, beneficial owners of clients and persons purporting to act on behalf of clients;
  • Maintain records of identification evidence and the work undertaken for the client; and
  • Report in accordance with the relevant legislation and regulations.

We have a statutory obligation under the above legislation to report to the National Crime Agency (NCA) any reasonable knowledge or suspicion of money laundering. Any such report must be made in the strictest confidence. In fulfilment of our legal obligations, neither the firm's principals nor staff may enter into any correspondence or discussions with you regarding such matters.

16.2

If we are not able to obtain satisfactory evidence of your identity and where applicable that of the beneficial owners, we will not be able to proceed with the engagement.

16.3

If you undertake business that requires you to be supervised by an appropriate supervisory authority to follow anti-money laundering regulations, including if you accept or make high value cash payments of €10,000 or more (or equivalent in any currency) in exchange for goods, you should inform us.

16.4

Any personal data received from you to comply with our obligations under the MLR 2017 will be processed only for the purposes of preventing money laundering or terrorist financing. No other use will be made of this personal data unless use of the data is permitted by or under enactment other than the MLR 2017, or we have obtained the consent of the data subject to the proposed use of the data.

Contact and complaints

If you have any queries about this privacy policy or how we process your personal data, or if you wish to exercise any of your legal rights, you may contact:

If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection laws from the Information Commissioner's Office website:

https://ico.org.uk/