Privacy Policy

1. Privacy laws

The processing of your personal data is governed by the General Data Protection Regulations (GDPR), enacted in the UK by the Data Protection Act 2018.

2. The capacities in which we process data

In providing you with our services, we may act both as

 a) A controller of personal data (as defined by Article 4(7) GDPR) with respect to any processing for which we determine the purpose and means. This includes data that we obtain from you in order to facilitate the administration of our business relationship and the fulfilment of our contract with you, and;

 b) A processor of personal data (as defined Article 4(8) GDPR) with respect to the processing of data you share with us in order to fulfil a purpose determined by you.

3. The purposes of this privacy notice are:

 a)To inform you about our processing of your data as a controller, in accordance with the ‘transparency’ requirement of Article 13 GDPR.

(NB: All of the following sections of this privacy notice, except Appendix A, relating to our processing of your data in this capacity), and;

 b)To establish the legal basis and other stipulations upon which we process data as a processor under 2(b) in accordance with Article 28 GDPR (see Appendix A).

4. The types of personal data we collect

The personal data we use may include, but is not limited to:

 Your name, address and contact details, including email address and home and mobile telephone numbers

 Identification data, including passport & driving licence

 Financial data including bank account and payment card details

 Date of birth and gender

 Family & beneficiary details for insurance, estate and pension planning services

 Financial information (e.g., taxes, payroll, investment interests, pensions, assets, bank details)

 Calendar data and other details of your activities and whereabouts

 Personal preferences and requests

 The terms and conditions of your contract with us for the provision of our services.

We may also collect Special Category Personal Data

 Personal identification documents that may reveal race, religion or ethnic origin

 biometric data of private individuals, beneficial owners of corporate entities, or applicants

 Expense receipts submitted for individual tax or accounting purposes that reveal affiliations with trade unions or political opinions

 Adverse information about potential or existing clients that may reveal criminal convictions or offences information, or

 Information provided to us by our clients in the course of a professional engagement.

5. How we collect the personal data

Data might be collected through:

 Electronic, written or verbal correspondence with you

 Meetings in person, or

 Indirectly from sources such as public registers

6. Providing your personal data

We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide services to you.

7. What we use your personal the data for

Provision of professional services

 To provide you with accounting, wealth management or estate planning services at your request

 As necessary to support the contract with you and to allow us to receive full payment for those services

Business purposes

 As necessary for our own legitimate interests or those of other persons and organisations, subject to your rights and freedoms as a data subject

For good governance, accounting, and managing and business operations both internally and by third parties

 For surveys of client experience and quality of our services

 To monitor emails, calls, other communications

 For market research, other surveys and analysis and developing statistics for improving business performance.

To comply with a legal obligation

 When you exercise your rights under data protection law

 For the establishment and defence of legal rights

 For activities relating to the prevention, detection and investigation of crime

 To investigate complaints, legal claims and data protection incidents.

8. The legal basis for processing

In providing you with professional services, we will process your personal data under Article 6 (1)(b) of the General Data Protection Regulations, on the legal basis that processing is necessary for the performance of a contract for the provision of our services, or in order to take steps at your request prior to entering into a contract, or in order to fulfil your instructions during the execution of that contract.

In addition, we may process your personal data on the following legal bases

 Consent: where you give your consent for the processing – Article 6 (1)(a)

 Legal obligation: the processing is necessary for compliance with a legal obligation – Article 6 (1)(c)

 Vital interests: the processing is necessary to protect someone’s life – Article 6 (1) (d)

 Public interest: the processing is necessary to perform a task in the public interest – Article 6(1)(e)

 Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third-party – Article 6 (1) (f). In such cases, the legitimate interest of the processor will be balanced against the rights and freedoms of the data subject to ensure no detriment is caused to the latter.

Where we process special category data, we do so on the basis of your consent – Article 9(2)(a)

In addition, we may process your special category data on the following legal bases

 Vital interests of the Data Subject – Article 9 (2) (c)

 Substantial public interest – Article 9 (2) (g)

 Public interest in the area of public health such as protecting against serious cross border threats to health – Article 9 (2) (i)

9. Sharing of your personal data

Subject to applicable data protection laws we may share your personal data with

 Subsidiary companies within the Oasis Accounting group

 Other organisations necessary for the provision of our services and who require your data in order to meet that requirement

 Our legal and other professional advisors

 Fraud prevention agencies, credit reference agencies, and debt collection agencies

 Government bodies and agencies in the UK and overseas (e.g. HMRC) who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner’s Office

 Courts, to comply with legal requirements, and for the administration of justice

 In an emergency or to otherwise protect your vital interests

 To protect the security or integrity of our business operations and other clients

 Payment systems and providers and

 Anyone another party where we have your consent or as required by law

10. Transfer of personal data

In order to facilitate our provision of professional services, we may employ the services of professionals in other countries. Where such processors are located in a country outside the European Union (a ‘third country’) that has not been declared as having an adequate data protection status, the transfer will be subject to a legal instrument providing appropriate safeguards in accordance with Article 46 GDPR.

11. How long do we keep your data?

We will take steps to erase payment data held by us as soon as it is no longer required. Data relating to taxation will be kept for five years from the end of the tax year to which the data relates. Other information will be kept for a maximum period of five years from the date of the termination of our professional relationship or from the last date on which we provide services to you whichever is the earlier, but may be held for longer periods where any of the following apply

 Retention in case of queries. We will retain your personal data as long as necessary to deal with any outstanding queries you may have

 Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us and

 Retention in accordance with legal and regulatory requirements.

12. Your rights under the applicable data protection law

Your rights are, where applicable:

 The right to be informed about the processing of your personal data

 The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed

 The right to object to the processing of your personal data

 The right to restrict processing of your personal data

 The right to have your personal data erased (the “right to be forgotten”)

 The right to request access to your personal data and information about how we process it

 The right to move, copy or transfer your personal data (“data portability”) and

 Rights in relation to automated decision-making including profiling

You may exercise these rights by contacting us using the details given at the top of this Notice. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

13. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us using the details given at the top of this Notice.

You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Appendix A

Stipulations for acting in the capacity of a data processor

The data we process under 2(b) above will consist of data provided to us by you as its controller, in order that we may carry out processes specified by you. Where such data relates to other data subjects (your employees , contractors, clients or others) we will process it on the understanding of your compliance with the provisions of the GDPR and, in particular, that

• You have met the transparency requirements of Article 13 GDPR in respect of informing those data subjects about your sharing of their data with us and our processing of it, and
• You have established and documented legal bases for the processing of their data and, in particular, any special category data. Where such legal bases include the consent of the data subject, you have obtained, and documented, informed and freely given consent.

In acting as a data processor on your instructions, we confirm that we shall respect the privacy rights and freedoms of those data subjects whose data you share with us. In particular, and in accordance with the requirements of Article 28 GDPR, we shall

 Only act on your documented instructions, unless required by law to act without such instructions or it is in the vital interests of the data subject to do so

 Ensure that people processing the data are subject to a duty of confidence

 Take appropriate measures to ensure the security of processing

 Only engage a sub-processor with your prior authorisation and under a written contract that contains all of the technical and organisational measures necessary to ensure compliance with these stipulations and any other GDPR requirement relevant in the circumstances

 Take appropriate measures to assist you to respond to requests from individuals to exercise their rights under GDPR

 Taking into account the nature of processing and the information available, assist you in meeting GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments

 Delete or return all personal data to you (at your choice) at the end of the contract, unless the law requires its storage; and

 Submit to inspections.