This Notice outlines the data protection policies and procedures we have adopted and to which we abide to ensure we are GDPR compliant. The purpose of this Notice and any other documents referred to in it, is to clearly list and identify the legal requirements, procedures and rights which must be established when we obtain, process, transfer and/or store your personal data. This Notice will assist you in understanding the obligations, responsibilities and rights which arise from the Data Protection Laws.
Everyone has rights with regard to the way in which their personal data is handled. In order to operate efficiently we need to collate and use information about the people with whom we work. This includes current, past and prospective employees, clients, and others with whom we communicate
We regard the lawful and correct treatment of personal information as integral to successful operation and to maintaining the confidence of the people we work and communicate with. To this end we fully endorse and adhere to the principles of the relevant Laws.
We areregistered as a Data Controller on the Register kept by the Information Commissioner's Office.
Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.
Data Controller: CNC Accounting Services Limited has determined the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws. Any questions about the operation of this Notice or any concerns that the Notice has not been followed should be referred in the first instance to The Data Controller at 1 Regal House, 33-35 Cantelupe Road, East Grinstead, West Sussex RH19 3FU.
Privacy Manager: Chris Cabrera is the appointed officer who is responsible for awareness-raising, training staffand informing and advising the Data Controller, Data Processors and Data Users how to ensure compliance with the enactments, and to monitor that compliance. They can be contactedat 1 Regal House, 33-35 Cantelupe Road, East Grinstead, West Sussex RH19 3FU.
Data Processor: Any person or organisation that is not a Data User that processes personal data on our behalf and in accordance with our specific instructions. Our staff will be excluded from this definition but, the definition could include suppliers who handle personal data on our behalf.
Data Subjects: All living individuals about whom we hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.
Data users: Our employees whose work involves processing your Personal Data. Data users are responsible forthe proper use of the data they process and must protect the data they handle in accordance with this Notice.
The Enactments: The Data Protection Act 1998 (the Act) up to and until 25 May 2018 after which The General Data Protection Regulations 2017 (GDPR) will apply, both of which regulate the way in which all Personal Data is held and processed.
Personal Data: Information which can be used to directly or indirectly identify a living individual.
Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising,amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term "processing" also includes transferring personal data to third parties.
SupervisoryAuthority: The Authorised Body which is empowered to govern and manage how the GDPR is implemented and abided by in a particular EU state. In the case of the UK the Supervisory Authority is the: Information Commissioner's Office.
Sensitive Personal Data: This includes information about a person's race, ethnicity, political opinions, convictions, religion, trade union membership, physical and/or mental health, and sexual preference. Sensitive personal data can only be processed with the express written consent of the person concerned
In accordance with the GDPR anyone processing Personal Data must comply with the six principles of good practice. These provide that Personal Data must:
For Personal Data to be processed lawfully, the basis for the processing must be one of the legal grounds set out in the Enactments. These include, among other things, your written consent to the processing, or that the processing is necessary for the performance of our accounting contract with you.
In the event we collect Personal Data directly from you, this Notice should assist in informing you about:
If we receive Personal Data about you from other sources, we will provide you with this information as soon as possible thereafter.
When sensitive personal data is being processed, additional conditions and securities must be in place to ensure protection.
In the course of our business, we shall process the Personal Data we receive directly from you (for example, by you completing forms, sending us papers or from you corresponding with us by mail, phone, email or otherwise) and your Personal Data which we receive from any other source.
We shall only process your Personal Data to fulfil and/or enable us to satisfy the terms of our obligations and responsibilities in our role as your Accountant or for any other specific purposes permitted by the Enactments. Should we deem it necessary to process your Personal Data for purposes outside and/or beyond the reasons for which it was originally collected, we will contact you first, to inform you of those purposes and our intent and may also apply for your consent.
We will only collect and process your Personal Data as required to fulfil the specific purpose/s of our contract and agreements with you.
We shall ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data is inaccurate, you are entitled to contact us and request that your Personal Data is amended. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
We will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Once Personal Data is no longer required, we will take all reasonable steps to destroy and erase it.
Our employees and contracted personnel are bound to our privacy policies, procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.
We maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and when we do so we abide by the following definitions:
We also maintain security procedures which include, but are not limited to:
We shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.
We shall only transfer your Personal Data to a Data Processor (a Data User outside our business) if the Processor agrees to comply with our procedures and policies, or if the Processor puts in place security measures to protect Personal Data, which we consider adequate and are in accordance with the Enactments.
We shall only transfer any Personal Data we hold to a country outside the European Economic Area ("EEA"), if one of the following conditions applies:
The Personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those Data Users may be engaged in, among other things, the fulfilment of contracts with you, such as the processing of payment details and/or the provision of support services.
We will only collect and process your Personal Data to the extent that it is needed to fulfil our operational and contractual needs or to comply with any legal requirements.
We shall access and use your Personal Data in accordance with your instructions and as is reasonably necessary:
There are times when we may need to share your Personal Data. This section discusses how and when we might share your Data.
In the course of us fulfilling our role as your accountant it will be necessary for us to disclose your Personal Data in certain situations:
We will process and manage all your Personal Data in line with your rights;in particular your rights to:
You are entitled to request access to your Personal Data unless providing a copy would adversely affect the rights and freedoms of others.
You can also request information about the different categories and purposes of data processing; recipients or categories of recipients who receive your Personal Data, details on how long your Personal Data is stored for, information on your Personal Data's source and whether the Data Controller uses automated decision-making.
You also have "Data Portability" rights which includes the right to request a copy of your Personal Data be sent to you or transmitted to another Data Controller.
You are entitled to request we correct or complete your inaccurate or incomplete Personal Data without undue delay and we will update the information and erase or correct any inaccuracies as required.
You can exercise your "right to be forgotten" and can request we erase your Personal Data. Once receiving a request we must erase the Personal Data without delay, unless an exception applies that permits us to continue processing your data. Details of such exceptions are contained in the Enactments and include situations where we might need to retain the information to carry out our official duties and/or comply with legal obligations and/or for the establishment of exercising or defending legal claims, or it is in the public interest to retain your Personal Data.
You may request restrictions be applied to the processing of your Personal Data for some specific reasons such as you contest the accuracy of the data, the processing is unlawful or if we no longer need to process your Personal Data. You can also request restrictions be applied if the processing is being done for public interest or third party reasons.
If such a request is received we can continue to store your Personal Data, but may only process it under certain circumstances, such as: you give consent for us to continue processing your data, we need to establish, exercise, or defend legal claims or we need to protect the rights of another individual or legal entity or for important public interest reasons.
You may also object to your Personal Data being processed under certain circumstances, including for direct marketing purposes and profiling related to direct marketing.
If we receive such an objection we will stop processing your Personal Data unless we can show a compelling legitimate ground for processing your Personal Data which overrides your interests and the basis of your request.
When receiving telephone enquiries, in which Personal Data is requested we will only verbally disclose Personal Data held on our systems if we can confirm the caller's identity so as to ensure that the data is only given to a person who is entitled to receive it.
We may suggest that a caller put their request in writing to assist in establishing the caller's identity, and to enable us to clearly record the nature of the request and to assist in further identity checks.
If we have reasonable doubts about the identity of the person making the request, we may request additional information to confirm the caller's identity.
In difficult situations our Data Users may refer a request to their line manager for assistance.
When responding to written requests Personal Data will only be disclosed if we can confirm the identity of the sender and/or sufficient supporting evidence is provided by the sender establishing their identity.
Upon receiving a request from you concerning your Personal Data, we will respond within one month of receiving the request by email (unless you request a response in an alternative format).
If we are unable to immediately comply with your request we will inform you within our response stating whether we need to extend our response time (for up to a maximum of two months), along with an explanation for the delay.
If we do not take any action within one month after receiving your request, you are entitled to request an explanation from us as to why no action was taken and you may make a complaint to the ICO: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF (Tel: 0303 123 1113) (email. casework@ico.org.uk)
When responding to Personal Data requests we will provide the information upon your payment of an administrative fixed fee of £10. Once the GDPR comes into force, we will not be entitled to charge for the provision of your personal data, unless the requests are manifestly unfounded or excessive, particularly if it is repetitive in which case we may refuse to act on the request, or apply further fees to cover the associated administrative costs.
If you feel that your questions or concerns regarding your Personal Data have not been dealt with adequately or that your request has not been fulfilled by us, you can use our complaints procedure, by emailing us at enquiries@cncas.co.uk
If, at the conclusion of our complaints procedure you do not feel that we have adequately dealt with your complaint you may make a complaint directly to ICO: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF (Tel: 0303 123 1113) (email. casework@ico.org.uk).
We keep our privacy policy under regular review and reserve the right to amend and update the policy as required. Where appropriate, we will notify you of those changes by mail, email and/or by placing an updated version of the policy on our website.