This is the privacy notice of RK Bookkeeping Services. In this document, "we", "our", or "us" refer to RK Bookkeeping Services.
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would be grateful if you could contact us first if you have a complaint so that we can try to resolve it for you.
This privacy statement informs you about how we collect, record and process information about you, whether provided by you, or by another person or organisation. It applies to information that could identify you as an individual (“personal information”) along with information that does not, such as that which relates to your business. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
We are committed to the protection of your privacy and confidentiality. We recognise that you are entitled to know that your data will not be used for any unintended purpose, and will not accidentally fall into the hands of a third party.
We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.
We have in place procedures and training for data protection, confidentiality and information security. These are regularly reviewed to ensure that they remain effective.
Our policy complies with UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR). The law requires us to tell you about your rights and our obligations to you in regards to the processing and control of your personal data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org
Except as set out below, we do not share, sell, or disclose to a third party, any information collected about you.
Data we process
We aim to process data, whether personal data or not, only to the extent necessary for us to provide our clients with our services and for other agreed purposes.We may aggregate information in a general way and use it to provide class information. If we use it for this purpose, you as an individual will not be personally identifiable.
If you are a personal client, personal data that we may process may include
- identity information (including name, title, date and place of birth and gender)
- contact information (including billing address, email address, telephone numbers)
- business information (including trading name, address, registration number)
- information about your family members (such as PEP status), and
- financial information (such as that relating to your income, expenses, taxation and investments, and bank account information).
We do not process any information deemed to include ‘sensitive data’. This would include information regarding race or ethnic origin, health and medical history, sexual life and orientation, genetic of biometric data, or your political, religious or philosophical opinions or beliefs. We do not collect any information about criminal convictions and offences.
In most cases, your personal data will have been provided to us by you. However, with your consent, or if it is necessary in order to provide you with our services, we may have obtained your personal data from a third party source.
Third parties connected to clients and suppliers
We may process your personal data if you have a personal or business connection with any of our clients or suppliers. For example, you may be a family member, business partner, other adviser, supplier or client.
The data we process may include contact information, information about business activities, information about partners, directors, employees, information relating to employment remuneration and payroll, and financial information such as that relating to income, expenses, taxation and investments. We may be given your personal data by our clients or suppliers, or by third parties acting on the instructions of a client or a supplier.
We ask our clients and suppliers to bring this privacy notice to your attention as soon as they become aware that we process your personal data.
If you supply our business with goods or services, including subcontracted services that we supply to our clients, then we may process your personal information. However, we do so only to the extent necessary to contract with you.
In most cases, your personal data will have been provided to us by you. However, sometimes we use third parties such as credit rating agencies to make decisions regarding our relationship.
The bases on which we process personal information
The law requires us to determine under which of six defined bases we process different categories of your personal information, and to notify you of the basis for each category. If a basis on which we process your personal information is no longer relevant then we shall immediately notify you of the change of basis, or stop processing your data if necessary.
Information we process because we have a contractual obligation
We may process personal information when a contract has been formed with our business and processing is necessary to carry out our obligations under that contract, or when processing personal data is necessary in order to form a contract. We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.
Information we process because we have a legal obligation
Sometimes, we must process your information, including personal information, in order to comply with a statutory obligation. These include our obligations under Anti-money laundering legislation, and to give information to legal and tax authorities if so requested, or if they have the proper authorisation such as a search warrant or court order.
Law will also dictate the period over which this data needs to be stored.
Information we process for the purposes of legitimate interests
We may process information on the basis there is a legitimate interest, either to you or to us, of doing so. Where we process your information on this basis, we do after having given careful consideration to whether the same objective could be achieved through other means, whether processing might cause you harm and whether you would expect us to process your data.
For example, we may process your data on this basis for the purposes of:
- record-keeping for the proper and necessary administration of our business
- responding to communication from you to which we believe you would expect a response
- protecting and asserting the legal rights of any party
- insuring against or obtaining professional advice that is required to manage business risk
- protecting your interests where we believe we have a duty to do so
Information we process with your consent
Specific uses of information you provide to us
Communicating with you
When you contact us, whether by telephone, through our website or by e-mail, we collect the data you have given to us in order to reply with the information you need. We record your request and our reply in order to increase the efficiency of our business. We keep personally identifiable information associated with your message, such as your name and email address so as to be able to track our communications with you to provide a high quality service.
Managing our relationship and contract with you as a client
Dealing with complaints
When we receive a complaint, we record all the information you have given to us and we will use that information to resolve your complaint. If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.
If the complaint relates to information on our website and we feel it is justified or if we believe the law requires us to do so, we shall remove the information while we investigate.
Legal requirements and risk assessments
As part of Anti money laundering legislations, your data will be processed by us to perform a new client risk assessment. This will also be reviewed periodically or if you inform us of any changes. This involves collecting and storing personal, contact and financial information and making a judgement on the risk of the practice being able to identify money laundering if it occurs. This data will also be stored for a period dictated by AML legislation. If it is required to be held for longer than this period, we will only do so with your explicit consent.
Other than detailed in this policy, we do not sell or share any personal data with third parties unless we have explicit consent to do so from the data subject.
Use of information we may collect through automated systems when you visit our website
Cookies are small text files that are placed on your computer's hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience. In some cases, they can also provide the website owner with statistics about how you use the website so that it can be improved. Some cookies may last for a defined period of time, such as one day or until you close your browser, others last indefinitely. Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.
Website Contact Form
Any information entered into our website contact form will create an email which is sent directly to us. This is stored alongside any normal emails with no information stored directly on our website.
Disclosure and sharing of your information
Your data may be shared internally and with our continuity partner if necessary. We may also have to share your personal data with the 3rd parties set out below (but not limited to) to allow us to perform the required activities as detailed in this policy
- HM Revenue & Customs. HMRC may, at times, request information about you. For example, this may be provided in the case of being able to discuss your affairs with them on your behalf.
- Email service. We will endeavour not to send personal information by email unless expressly requested by yourself. Any information provided by you via email is held securely or downloaded from the servers and held in a more appropriate manner.
- Accounting Software. Contact information will be held within our accounting software to allow for communication for invoicing and payments. Other information such as Date of birth, gender etc will not be stored. This will be stored for the required amount of time set out by HMRC for retension of financial business records.
- Data storage and transfer. We use OneDrive Business for data transfer between clients and data storage. Personal data may be stored within our OneDrive Business account but will only be shared with yourselves to allow effective processing. The information will never be shared with anyone else.
The above is based on our understanding that any 3rd party processors we use as a business are GDPR compliant (see Data security below). If you require us to use any other systems for processing this will be done under your express instructions. It will also be performed on the basis that you have carried out sufficient due diligence that the system conforms with the to required regulations.
Any PCs with data stored have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed such as using password protection with access limited to practice members. All electronic data is backed up daily to OneDrive for Business and periodically to an external source held securely at our registered address.
No hard copies of personal data will be held by us unless provided by you to allow initial processing (such as initial copies of identity documents or financial documents for processing per contracted agreements). Where these are held, they will be held securely, with access limited to members of the practice, and will be destroyed securely, or handed back to you, as soon as practicable.
We limit access to your personal data to the practice members only (including our continuity partner if required), unless detailed in this policy. Procedures are in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes.
Your Data may be processed outside the European Union (EU). Our website and email services are hosted in the UK but we also use outsourced services which may store and process data outside of the EU (for example our accounting software and storage). We ensure that we only use suppliers who are GDPR compliant and have sufficient safeguards in place such as
- specific GDPR processor agreements;
- are based in countries that have been deemed to provide an adequate level or protection by the European Commission (such as New Zealand)
- are members of the EU-US Privacy Shield (for providers based in the United States requiring them to provide a similar protection to personal data shared between Europe and the US.
If you require more information on where data is stored by our third-party suppliers, please send us a request by email.
Access to your own information
Access to your personal information
Please make sure you keep us informed if any information needs to be updated.
Removal of your information
Verification of your information
When we receive any request to access, edit or delete personal identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
Retention period for personal data
Except as otherwise mentioned in this privacy notice, we keep your personal information only for as long as required by us:
- to provide you with the services you have requested;
- to comply with other law, including for the period demanded by our tax and AML authorities;
- to support a claim or defence in court.
In determining an appropriate retention period we may also consider the amount, nature and sensitivity of the information, along with the potential risk of harm from unauthorised use.
Compliance with the law
We may update this privacy notice from time to time as necessary.