Privacy Policy

This Policy governs the use of personal data which you provide to us via our website. Personal data is any or all data relating to a natural person who is identified, or can be identified, from the data.

Ethos Accountancy Solutions Limited respects your privacy. We understand that how your personal data is used and shared online matters to you, and we take the privacy of those who visit our website very seriously. We will not collect any data other than when you contact us, and we will always process that data in compliance with the law. Our site may contain links to other sites; be aware that if you choose to click on those links, your data may be processed by the organisations hosting those sites. We cannot control or monitor this, and you should have regard to their Privacy Policies.

Please read this Privacy Policy carefully, and ensure you understand it. When you first use our Site, this is taken to be agreement to this Policy. If you do not accept the Policy, then you should stop using the Site immediately.

Who we are

Your rights

You have certain rights as a data subject under the General Data Protection Regulation (GDPR), which governs the collection, processing and disposal of personal data by organisations such as ours.

In relation to personal data about you, you have the right:

We provide contact details at the end of this Policy for you to use if you have any complaint about our processing of your personal data. If you are not satisfied with the way we deal with this issue, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body in charge of supervising personal data use in the UK.

What data do we collect?

If you communicate with us by e-mail, we will collect your name and e-mail address and any other content that you send to us in the body of the mail. We do not collect any other personal data by any other method, and in particular we do not place cookies on our Site.

How is your data used?

We will process and store your data securely, and we will only keep it for as long as we need it for the purpose(s) for which it was collected.

In relation to the data we do collect, as laid out in the section above, we may use it as follows:

You have the right to withdraw your consent to our use of your personal data at any time, and to request that we delete it.

We will not share your personal data with anyone at any time.

How and where do we store your data?

We will only keep your data as long as we need it for the purpose(s) for which it is collected, and/or for as long as we have your permission to hold it.

Accessing your data

You are entitled to make a Subject Access Request under the GDPR. This means that you may request a copy of any personal data we hold about you, free of charge. We will provide any or all information in response to your request if you contact us on 01227 811450, or email us at info@ethosaccountancy.co.uk.

Contact Details

If you have any questions about the Site or this Policy, or you wish to make a Subject Access Request, then please contact us as follows, making your request or query clear:

Name: Kailash Maunick

E-mail: info@ethosaccountancy.co.uk

Telephone: 01227 811450

Postal Address: 20 North Lane, Canterbury, Kent, CT2 7PG

Amending the Policy

We may change this policy from time to time, in response to changes in the law or for operational reasons. Any changes will immediately be posted on the Site and you will be deemed to have accepted the amended Policy if you continue to use the Site afterwards. You should therefore regularly review this Policy.

DATA PROTECTION POLICY

Introduction

In the course of its business, the Firm needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, employees and prospective employees, and other people with whom we have a relationship, may need to contact, or need to deal.

This policy describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). We recognise that not only must we comply with the principles of fair processing of personal data, but we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed at all times by the Firm, its employees and all those within its scope as set out below.

Why this policy exists

This Policy provides help and guidance to our staff and managers in:

Scope of the Policy

The Policy applies to all employees; fixed term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the Firm’s files and/or computer systems. Collectively these individuals are hereafter referred to as 'users'. All users have responsibility for complying with the terms of this Policy.

Data Protection Law

What is personal data?

The GDPR regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We hold data relating to our employees, some of which is classed as sensitive personal data (also known as ‘special category data’) where, for example, it concerns a person’s health and medical status. We also hold a wide range of information about clients, including highly confidential personal financial data such as their individual tax information.

These rules apply to all data stored in any structured way, whether in paper files or electronically.

What does the law say?

The Data Protection Principles

The GDPR contains a number of key principles which apply to the collection and processing of personal data and which underpin everything that follows.

Lawfulness, fairness and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation

Integrity and confidentiality

Accountability

For the purposes of the law and these principles, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In relation to the majority of our data, we are data controllers, although where we are responsible for eg looking after a client’s payroll, they are the data controller and we are ‘data processors’. A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Our responsibilities as data processors are dealt with later in the Policy.

Key Responsibilities

The Firm is responsible for:

The Director is responsible for:

Lawful, Fair and Transparent Data Processing

We are responsible as a Firm for ensuring that any personal data we hold is processed in accordance with the principles laid out above. We are permitted to process data where one of the following legal bases applies:

Sensitive Personal Data or ‘Special Category Data’

This data has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data controller needs the data subject’s explicit consent to do so or a clear legal basis. We will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.

INDIVIDUAL RIGHTS POLICY

Other Personal Data

The Firm will adhere to the following principles:

The Firm collects and processes the personal data set out below, which includes:

Data Processing

We act as data processors for a number of clients (the data controllers), receiving personal data relating to their employees and processing it for the purpose of payment of salary and appropriate deductions. We do not expect to receive any sensitive personal data in relation to this. We will:

Accountability and Record Keeping

The Firm will keep written internal records of all personal data collection, holding and processing, and this will incorporate the following:

Privacy by Design – Data Impact Assessments

Part of the Firm’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the GDPR. The Firm will always ensure that all such changes are designed and implemented in accordance with the Regulation, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes.

In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPO. This will deal with:

Providing Information to Data Subjects

We are required to ensure that, when we collect and process personal data, the data subject is aware of the purposes for which this is being done, and what is happening to the data. We therefore will ensure that the following principles are followed:

Data Subject Access

‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held and what is being done with it. Where a subject access request is made to us as a payroll processor, we will refer the employee to the data controller (who is their employer or client) to deal with the request.

Rectification of Personal Data

Where a data subject informs us that data we are holding about them is inaccurate or incomplete and requests that it is corrected, we will rectify the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months.

Where the incorrect data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is rectified.

Erasure of Personal Data

Data subjects have a right to require the Firm to erase personal data held about them when:

Where we are obliged to do so, we will erase the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months, and again where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is erased.

Restriction of Personal Data Processing

Data Subjects have a right to request that the Firm ceases to process any personal data that we are holding about them. If that takes place, we will only retain whatever personal data we need to ensure that no further processing takes place, and we will inform any third parties to whom we have disclosed the data about the restriction on processing (unless it is impossible to do so or would involve disproportionate effort).

Objections to Personal Data Processing

Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.

Personal Data Collected, Held and Processed

A: Personal details of employees, such as names, addresses, contact details, age, sex, etc.

Purpose: The administration of employment contracts

B: Personal details of clients, such as names, addresses, contact details, age, sex, etc.

Purpose: To provide accountancy and related services to clients, in particular for the administration of their tax and personal financial affairs and to comply with both their and our legal obligations including in relation to tax and money laundering.

To market our services to clients, in accordance with the GDPR.

C: Education and Training details of our prospective employees, employees and contractors

Purpose: Collected in the course of recruitment with a view to selection, and maintained to track their career progression.

D: Financial details of employees and contractors, ie matters related to income and payroll, tax details, expenses claimed, court orders, pensions and insurance.

Purpose: Collected and maintained in order to ensure timely and accurate payment of staff, and proper accounting for tax purposes.

IT POLICY

Data Security – Transferring Personal Data and Communications

We will ensure that we take the following measures with respect to all communications containing personal data:

Data Storage and General Security

Access to Personal Data

In relation to accessing personal data:

Organisational Measures

The Firm will take the following steps in relation to the collection, holding and processing of personal data:

Transfer of Personal Data outside the EEA

The Firm may from time to time transfer personal data outside the EEA. This will only be done if one or more of the following applies to the transfer:

Data Breach Notification

All personal data breaches must be reported immediately to the DPO.

If such a breach occurs, and it is likely to result in a risk to the rights and freedoms of data subjects eg financial loss, breach of confidentiality, reputational damage, the DPO is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO also needs to ensure that the data subjects affected by the breach are informed directly and without undue delay. The following information must be provided:

Implementation of the Policy

This Policy is effective as of 22nd May 2018. No part of the Policy is retrospective in effect; it applies to matters occurring on or after 25th May 2018.

This Policy has been approved and authorised by:

Name: Kailash Maunick

Position: Director

Date: 22nd May 2018
