GPMG Limited T/A Green & Co Accountants and Tax Advisors takes the protection and privacy of personal data seriously. Our Fair Processing Notice’s explain how we use, protect and store personal data before, during and after being a contact of ours.
- We respect your personal data and take its security very seriously.
- We only hold what data we need for the purpose for which we obtained it.
- We delete your data when it has reached the end of its retention period.
- You have privacy rights.
- We are happy to answer your questions. Our contact details can be found at the end of this notice.
Do we transfer your personal data outside of the EU or EEA?
Your data is kept in the EU or EEA.
Do we use any automated decision making?
We do not use any automated decision making.
All our computers are fully encrypted, as are our phones and tablets.
Our preference is to use encrypted email, but we appreciate that it may not be convenient for you to do so.
Our web servers store user data on encrypted storage volumes.
Server logs are kept up to one year, after which they are deleted automatically.
You have several rights in respect of our processing of your personal data, these are:
- Access to your personal data and information about our processing of it. You also have the right to request a copy of your personal data (but we will need to remove information about other people).
- To rectify incorrect personal data that we are processing.
- To request that we erase your personal data if:
- we no longer need it
- if we are processing your personal data by consent and you withdraw that consent
- if we no longer have a legitimate ground to process your personal data or,
- we are processing your personal data unlawfully.
- To object to our processing if it is by legitimate interest.
- To restrict our processing if it was by legitimate interest.
- To request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out automated means.
If you want to exercise any of these rights, please contact us using the details below.
For more information about how we use your personal data, please read the notice that applies best to you:
Green & Co is registered with the Information Commissioner's Office (Reg No Z5061846)
Pembroke House, Llantarnam Park Way, Cwmbran, NP44 3AU
01633 871122 or firstname.lastname@example.org.
You have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner's Office
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns
I am a prospective client or a client
Our processing is either because we have a contract with you, you wish to have a contract with us, we have a legal obligation to process the data or the processing is a legitimate activity.
When you are a client or wish to become a client of Green & Co Accountants and Tax Advisors, we collect and process your personal data:
- in order to fulfil our contract for services with you
- to fulfil our legal obligations to prevent money laundering, fraud and terrorist financing and
- where the activity is a legitimate one for a business.
We process the following data to provide you with accountancy services and to contact you:
- Date of Birth (DOB)
- National Insurance (NI) Number
- Home phone
- Email address
- Financial data
- Employment data
- Unique Tax Reference (UTR) number
You have the right to unsubscribe to our marketing at any time. If you do choose to unsubscribe, we will keep your name and email address on a suppression list so that we don’t email you again by accident. If you are on our suppression list, you will still receive communications that are necessary to the performance of your chosen services, or notifications to avoid you missing deadlines and/or incurring penalties.
In order to provide you with the most appropriate accounting services, we may need to process the personal data of your family members (name, address, DOB and other potential personal data or financial data).
In order to comply with our legal obligations to prevent money laundering, fraud and terrorist financing, we will process some of the following data:
- Passport (name, DOB, facial biometrics, passport number, nationality, gender, place of birth, signature)
- Photo card driving license (name, DOB, signature)
- Current council tax letter or statement (name, address)
- HMRC issued tax notification (name, address, DOB, NI number)
- Current bank statements or credit/debit card statements (name, address)
- Current utility bill (name, address)
- DOB (for age verification and general identity)
In order to process the identity checks, we will use Credit Reference Agencies (CRAs). These checks are regulatory requirements.
To do this, we will supply your personal information to CRAs and they will give us information about you. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information, and fraud prevention information.
We will use this information to:
- verify the accuracy of the data you have provided to us, and
- prevent criminal activity and fraud
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
Green & Co Accountants and Tax Advisors use SmartSearch for CRA and AML purposes. To find out more about the role of SmartSearch as a fraud prevention agency, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights, visit www.smartsearchsecure.com/dpa.
How long do we hold your personal data?
We will hold your personal data that was collected for Anti-Money Laundering purposes for six years from when you cease your relationship with Green & Co Accountants and Tax Advisors. After this, it will be destroyed.
In accordance with HMRC guidance, we will hold the personal data that was collected for the purposes of providing you with accounting service, while you are a customer and for seven years. After this, it will be destroyed.
If you have started the process to become a client and then change your mind before the engagement process is underway we will destroy it immediately. If the engagement process has commenced we will hold your data for six years, after which it will be destroyed.
We will hold your name, email and phone number to send you marketing information for as long as you would like us to. If you withdraw your consent, we will hold this data for five years in a suppression list so that we don’t market to you against your wishes. This is a legitimate activity for us.
Who do we share your personal data with?
Depending on your chosen services and our requirements, we may share your personal data with the following recipients:
- HMRC for the purpose of providing your chosen services and responding to requests for information
- National Crime Agency, Action Fraud and any other competent and authorised body for the prevention, detection and investigation of money laundering, fraud or terrorist financing
- Financial Conduct Authority (FCA) for the purposes of any business activity regulated by the FCA (including Consumer Credit and Money Services)
- Financial Ombudsman Service (FOS) to resolve any complaint or dispute involving the FOS
Our software, technology applications, database providers (MailChimp, IRIS Software Ltd, Microsoft) necessary for recording, securing and updating your personal details and administering services internally as well as external communications
- SmartSearch for the purpose of identification, address, AML and bank account verification
- Companies that verify publicly available documents and information (e.g. Credit Reference Agencies, Home Office)
- High Court Enforcement Officers Association for the purposes of enforcing High Court writs to seize and sell assets to settle unpaid judgements
- Information Commissioners Office in the event of a request for information or breach
- Legal advisors and consultants
- Insurance companies
- Barclays Bank for the purpose of making payments.
I am just browsing your website
What data we hold
We generate log files from various servers. This will include an IP address assigned to you or to your internet service provider.
We use the logs from our servers to help with our company's security as well as to look at visitor behaviour, for example, which website pages get the most traffic or are the most popular.
I am a supplier
We collect and process personal data about our suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide professional services to our clients. The personal data is generally business card data and will include name, employer name, phone, email and other business
contact details and the communications with us.
We use personal data for the following purposes under legitimate interest:
- Receiving services
- Providing professional services to clients
I am a prospective employee
We ask for personal data from job candidates to assist us with our recruitment processes. If your application is successful and you become employed by us, this information will become part of your personnel/HR file. Please note that we only accept CVs for current vacancies. We do not accept CVs sent ‘on spec’ and they will be deleted upon receipt.
What data we hold
As a job candidate, we will process the following information about you:
- Name, address, contact details and work history
- Your passport
- Information about you from a referee
- We also generate log files from various servers when you access our website. This will include an IP address assigned to you or to your internet service provider.
We use your name, address, contact details and work history to assess your application. We are processing your personal data based on your consent. If you submit your CV to us, that is a clear affirmative action that indicates to us that you have consented to us processing your personal data. We will request information about you from your referees and will use this to assess your job application.
We will process your passport in order to check that you have the right to work in the UK. If you would prefer not to provide this information, we will not be able to assess your application.
We do not transfer your personal data to third parties except the following:
- Companies that provide services to us - Our telephone service providers will get to see your phone number if we call you and our broadband supplier which could see your email address.
- Cloud service providers - We use a few cloud service providers, such as our accountancy software, email providers, Google and Office 365.
- In response to a court order - It is possible, though unlikely, that we might be forced to disclose your information in response to a court order.
- CVs sent ‘on spec’ – are deleted or shredded on the day that they are received
- Candidates who are unsuccessful – personal data will be retained for 6 months in case of any Employment Tribunal Claims, after which the data will be destroyed.
I am a visitor to the office
There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to investigate an incident). We use the CCTV images for the legitimate purposes of promoting security and safety of our personnel and members of the public, preventing and detecting crime and establishing, exercising and defending legal claims. We may disclose CCTV images to law enforcement bodies as requested and permitted by data protection law.
We require visitors to sign in using a device at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need to know basis (e.g. to investigate an incident).
Our legal basis for processing personal data
By law, we need a legal basis for processing personal data.
We process your name because we have a legal obligation. You cannot enter our office without signing in using the device. This information is held securely. We need to know who is in the building for fire regulations.
We process your image on CCTV because we have a legitimate interest in the safety and security of our staff and visitors.
Who do we share visitor’s information with?
We share visitor’s information with the following, when required:
- The police or other law enforcement agencies if we must by law or court order
- Emergency services
- Our legal advisors
- Our insurance providers, and
- Our software and cloud service providers.