1. Purpose of this notice
This notice describes how we collect and use personal data about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK (‘Data Protection Legislation’).
Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
2. Who is responsible for taking care of your data?
S. Syedain & Co (collectively referred to as S. Syedain & Co, ‘we’, ‘us’, or ‘our’ in this privacy notice). We are chartered accountants, registered auditors and tax advisors and our registered office is Second Floor, Heron House, 109 Wembley Hill Road, Wembley, HA9 8DA.
For the purpose of the Data Protection Legislation and this notice we are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the privacy manager using the details set out below.
3. What personal data do we collect?
If you are a private individual and have a contract with us, we will process your contact details (name, address, telephone and fax numbers, email address, a copy of an address ID), identity details (date of birth, National Insurance Number, Unique Tax Reference Number, a copy of a photo ID), information about your business (business type, name and company number, VAT type), your family information (spouse’s or partner’s name, information about children), information about our engagement, your financial data (income and sources, taxes and their share, investments, bank account number, tax residency details), information relevant to taxation (properties, their acquisition and living there, litigations, inheritance), login credentials for the portal. We will also process your emails, letters, documents and other written information you provide to us.
If you are a representative of an entity that has a contract with us, we will process your contact details (name, address, telephone and fax numbers, email address), identity details (date of birth, National Insurance Number, Unique Tax Reference Number, a copy of an ID), information about the entity (business name and company number, VAT number), your family information (spouse’s or partner’s name, information about children), information about our engagement, your financial data (income and sources, taxes and their share, bank account number), login credentials for the portal. We will also process your emails, letters, documents and other written information you provide to us.
If we are providing company secretarial services, we will process information relating to your registered office, along with names, addresses and dates of birth of shareholders, company officers and persons of significant control.
If you are an employee enrolled to our services by the employer, we will process your contact details (name, address), identity details (date of birth, National Insurance Number, Unique Tax Reference Number), information about employment (your employer details, date when employment started, number of working days/hours), financial data (salary, taxes share, investments to auto-enrolment pension funds, bonuses).
If you are following us and interacting on our social media sites, we will process your name, photos, employment details, messages and comments directed to us.
4. When do we collect your personal data?
We will collect information from private individuals and representatives of entities directly when they apply for or use our services and correspond with us by email, phone or otherwise.
We may collect information about them from other sources where we believe this is necessary to manage effective underwriting of the risk associated with a contract and/or helping fight financial crime. These other sources may include public registers and databases managed by credit reference agencies, government agencies such as Her Majesty’s Revenue and Customs (HMRC), and other reputable organisations.
5. What do we use your personal data for?
If you are a private individual or a representative of an entity that enters into a contract with us, we will use your personal data to register you for requested services, evaluate the risk of potential fraud or other illegal activities, provide requested financial services, respond to your enquiries and advise you, communicate with you, inform you about relevant news in the sector and keep certain of your data in accordance with legal, regulatory, tax or accounting requirements.
If you are an employee enrolled to our services by the employer, we will use your personal data to provide requested financial services to your employer.
If you are following us and interacting on our social media sites, we will use your personal data to provide relevant information to you and the audience.
6. Lawful bases for using your personal data
We will make sure that we only use your personal data for the purposes set out in Section 5 where we are satisfied that:
- our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to provide our services to you);
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (e.g. to retain your documents in compliance with statutory tax, audit and accountancy obligations);
- you have provided your consent to us using the data in that way (e.g. to use our portal or the app);
- our use of your personal data is necessary to support ‘legitimate interests’ that we have as a business (e.g. to evaluate your risk for potential fraud or other illegal activities), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights.
7. Who do we share your personal data with?
We work with third parties that help us to manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
The third parties may include:
- Service Providers, who help manage our IT and back office systems and other support services and systems.
- Our regulators, which may include Professional Bodies, the Financial Conduct Authority (FCA), Her Majesty’s Revenue and Customs (HMRC) and the Information Commissioner’s Office (ICO), as well as other regulators and law enforcement agencies in the EU and around the world, solicitors and other professional services firms.
- We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. If we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.
We will only transfer your personal data to companies which are recognised as providing an adequate level of protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.
Your personal data will never be passed on to any other companies or third parties (other than the third-party service providers described above) and will never be added to any third-party mailing lists or databases unless you opt in to do so.
We will not transfer personal data we collect about you outside the European Economic Area (EEA).
8. Marketing correspondence
We may use your personal data to send you our newsletter and other marketing correspondence about our services, events and related news in the sector. This may be in the form of email or a letter sent by post. However, we will only do this once you have opted in to receive such information.
You have a right to prevent direct marketing of any form at any time – this can be exercised by contacting us using the details set out in Section 14.
9. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 5. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is securely deleted.
10. Security of your personal data
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
11. Rights of Access, Correction, Erasure and Restriction
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability or the basis for international transfers. You may also exercise a right to complain to the ICO. More information about each of these rights can be found by referring to the table set out below.
To exercise your rights you may contact us as set out in Section 14. Please note the following if you wish to exercise these rights:
What this means
You can ask us to:
- confirm whether we are processing your personal data;
- give you a copy of that data;
- provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Policy.
You can ask us to rectify inaccurate personal data.
We may seek to verify the accuracy of the data before rectifying it.
You can ask us to erase your personal data, but only where:
- Your data is no longer needed for the purposes for which it was collected;
- You have withdrawn your consent (where the data processing was based on consent);
- Your objection to the processing of data is deemed to be successful;
- Your data has been processed unlawfully;
- Your data has to be erased for compliance with a legal obligation we are subject to.
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
- For compliance with a legal obligation;
- For the establishment, exercise or defence of legal claims.
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
- Its accuracy is contested and we need to verify it;
- You think that the processing is unlawful, but you do not want to erase data;
- Your personal data is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims;
- You have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
- we have your consent;
- we need to establish, exercise or defend legal claims;
- we have to protect the rights of another natural or legal person.
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but in each case only where:
- The processing is based on your consent or on the performance of a contract with you;
- The processing is carried out by automated means.
You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records.
We will not ask for a fee to exercise any of your rights in relation to your personal data unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
We will aim to respond to your request within one month unless it is particularly complicated or you have made several requests in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
12. Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent you may contact us as set out in Section 14.
Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
13. Changes to this notice
Any changes we may make to our privacy notice in the future will be updated on our website at: www.syedain.com.
This privacy notice was last updated on 24 May 2018.
14. Contact us
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is Tahira Siddiqui who can be contacted by email firstname.lastname@example.org or telephone 0208 903 5593.
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with the Information Commissioner’s Office at any time.
The ICO’s contact details are as follows:
Information Commissioner's Office
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns