Last updated: 03/05/2018
Garbutt + Elliott (including Garbutt & Elliott LLP, Garbutt & Elliott Audit Limited and G & E Wealth Management Limited) treats the privacy of its clients, prospective clients and website users very seriously and we take appropriate security measures to safeguard your privacy.
Personal data is any information relating to an identifiable living person. Garbutt + Elliott processes personal data for numerous purposes. For each purpose the means of collection, lawful basis of processing, disclosure, and retention periods may differ.
If you have any questions, please write to the Data Protection Officer at Garbutt & Elliott LLP, Arabesque House, Monks Cross Drive, York, YO32 9GW or email email@example.com
In accordance with the Data Protection Act 1998 we are registered with the Information Commissioner’s Office (ICO) and our registration numbers are as follows:
- Garbutt & Elliott LLP – Z6117873
- Garbutt & Elliott Audit Limited – ZA189824
- G & E Wealth Management Limited – Z8633971
How we obtain your personal data
Information provided by you
You provide us with personal data via completion of electronic forms, submission of data files or over the telephone. This may also include sensitive information received directly from you in relation to the performance of services we have been engaged to, or may be engaged to carry out on your behalf.
We may also keep information contained in any correspondence you may have with us by post or by email.
The provision of this personal data is essential for us to be able to provide those services for which we have been engaged, or may be engaged. This means that our lawful basis for holding this personal data is one or more of the following:
- ‘Performance of a contract’ i.e. we have agreed under engagement terms to deliver a contract which requires us to hold and process personal information about or on behalf of our clients.
- ‘Compliance of a legal obligation’ i.e. we are required as our clients engaged advisors to submit certain legal and personal information to HMRC to fulfil our clients legal and statutory obligations.
- ‘Legitimate interests’ i.e. as accountants, tax advisors, payroll administrators and independent financial advisors Garbutt + Elliott have a legitimate interest to share with you relevant information about our services.
Information we get from other sources
We only obtain information from third parties if this is permitted by law. We may also use legal public sources to obtain information about you, for example, to verify your identity. This information (including your name, address, email address, date of birth, etc.), as relevant to us, will only be obtained from reputable third-party companies that operate in accordance with the General Data Protection Regulation (GDPR).
How we use your personal data
We use your personal data to provide, manage and fulfill those services that we have been engaged, or may be engaged to provide to you. At all times we undertake to protect your personal data, in a manner which is consistent with Garbutt + Elliott’s duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. We will always take all reasonable security measures to protect your personal data in storage and in transit. As applicable, the information you provide may be used to (this list is not exhaustive):
- Provide professional services – We provide a diverse range of professional services and financial advice. Some of our services require us to process personal data in order to provide advice and deliver our contract. For example, we will review payroll data as part of an audit.
- Administering, managing and developing our businesses and services – We process personal data in order to run our business, including:
- managing our relationship with clients;
- developing our businesses and services (such as identifying client needs and improvements in service delivery);
- maintaining and using IT systems;
- hosting or facilitating the hosting of events; and
- administering and managing our website and systems and applications.
- Security, quality and risk management activities – We have security policies and procedures in place to protect both our own and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails.
We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements.
We collect and hold personal data as part of our client engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources such as internet searches and sanctions lists. These searches are to check that there are no issues that would prevent us from working with a particular client, such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues.
- Providing our clients and potential clients with information about us and our range of services – We use contact details to provide information that we think will be of interest about us and our services. For example, other services that may be relevant and invites to events.
- Complying with any requirement of law, regulation or a professional body of which we are a member – As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
We will keep information about you confidential and secure and may from time to time share your personal data across the Garbutt + Elliott entities. We will never share personal data with any third party unless it is within our lawful basis for doing so and we will never share your data outside of Garbutt + Elliott for marketing purposes. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security policies.
Personal data held by us may be transferred to:
- Regulatory authorities like HMRC and other fraud prevention agencies for the purposes of fraud prevention and to comply with any legal and regulatory issues and disclosures;
- Any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so or if the law allows us to do so;
- Third party organisations that provide applications/ functionality, data processing or IT services to us, to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud based accounting software, identity verification, data, data back-up, security and storage services;
- Third party organisations that otherwise assist us in providing goods, services or information within our lawful basis for doing so but will never include sharing data for marketing purposes;
- Auditors, other professional advisers and pension administrators.
Transfer of your personal data outside of the European Union (EU)
As part of the services offered to you, the information which you provide to us will be stored within the EU. Occasionally however, data may be transferred to countries outside of the EU via the use of services utilised by our IT providers. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
How long do we keep this information about you?
We keep information in line with the retention policy guidelines of Garbutt + Elliott. These retention periods are in line with the length of time it is considered necessary for the purpose for which it was collected. They also take into account our need to meet any legal, statutory and regulatory obligations. These reasons can vary from one piece of information to the next.
How we keep information secure
We take the security of all the data we hold very seriously. We use a range of measures to keep information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
Change in control or sale
If ownership of any part of Garbutt + Elliott changes, or we undertake a corporate reorganisation or any other action between Garbutt + Elliott entities, you expressly consent to Garbutt + Elliott transferring your information to the new owner or successor entity so that we can continue providing our services in accordance with our engagement terms.
Data subject rights
Subject access requests
The General Data Protection Regulation (GDPR) grants you, the data subject, the right to access particular personal data that we hold about you. This is referred to as a subject access request. We shall respond promptly and certainly within one month from the point of receiving the request and all necessary information from you.
Right to rectification
You have the right to request from us, without undue delay, the rectification of inaccurate personal data we hold concerning you. Taking into account the purposes of the processing, you may also have the right to have incomplete personal data completed. This may involve providing a supplementary statement to the incomplete data.
Right to erasure
You shall have the right to request from us the erasure of personal data concerning you without undue delay, unless we are required to retain information in order to fulfill our legal obligation or the holding of the data is in accordance with our lawful basis for doing so.
Right to restriction of processing
Subject to exemptions, you shall have the right to restrict the processing of your data where one of the following applies:
a) the accuracy of the personal data is contested by you
b) you believe processing is unlawful
c) you believe that we no longer need the personal data for the purposes of processing
d) you have objected to processing of your personal data pending the verification of whether there are legitimate grounds for us to override these objections
Notification obligation, regarding the rectification or erasure of personal data or the restriction of processing
We shall communicate any rectification or erasure of personal data or restriction of processing as described above to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall provide you with information about those recipients if you request it.
Right to data portability
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller, without hindrance from us.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, unless this relates to processing that is necessary for the performance of a contract carried out in the compliance of a legal obligation, public interest or an exercise of official authority vested in us. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Right to not be subject to decisions based solely on automated processing
We do not carry out any automated processing, which may lead to an automated decision based on your personal data.
Invoking your rights
If you would like to invoke any of the above data subject rights with us, please write to the Data Protection Officer at Garbutt & Elliott LLP, Arabesque House, Monks Cross Drive, York, YO32 9GW or email firstname.lastname@example.org
Accuracy of information
In order to provide the highest level of customer service possible, we need to keep accurate personal data about you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We also consider when it is necessary to update the information, such as name or address changes and you can help us by informing us of these changes when they occur.
Questions and queries
If you have a complaint
If you have a complaint regarding the use of your personal data or sensitive information then please contact us by writing to the Data Protection Officer Garbutt & Elliott LLP, Arabesque House, Monks Cross Drive, York, YO32 9GW or email email@example.com and we will do our best to help you.
If your complaint is not resolved to your satisfaction you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). For further information on your rights and how to complain to the ICO, please refer to the ICO website.