Version 1.2 | Dated: June 2020
We respect the privacy rights of individuals and are committed to handling personal data responsibly and in accordance with applicable law. This notice sets out the personal information that we collect and process as a data controller and/or a data processor, the purposes of the processing and the rights connected with it.
If you have any comments or questions about this notice, please contact the Data Protection Officer (details included within this notice).
What is a Data Controller?
For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.
The data controller is:
Oldfield Advisory LLP
What is a Data Processor?
A “data processor” is a person or organisation which processes personal data for the controller.
Oldfield Advisory LLP may act as data processors in the following situations:
- Managing your personal tax affairs, including completing personal tax returns etc.
- Carrying out projects, providing advice, or implementing company restructures where personal data is required to fulfil this contract.
- Acting as your payroll bureau, and processing your employee’s data accordingly.
What is personal data and what data do we collect?
Personal data relates to any information about a natural person that makes you identifiable. The personal data we may collect includes the following:
- Identification data – such as name, gender, photo ID (including passports, driving licenses, etc.), date of birth, NI numbers, UTR numbers, nationality, staff member IDs etc.
- Contact details – such as home and business address, telephone numbers, email addresses, emergency contact details
- Employment details – such as job title/position, sickness/holiday records, pension information (including any relevant identification numbers), previous employment details, tax codes, and/or any other details required to fulfil payroll processing duties.
- Spouse and dependents information, marital status.
- Financial information – such as banking details, tax information, salary, benefits, expenses, company allowances, and/or any other income/pensions/savings interest amounts required in order to process personal tax returns or fulfil payroll duties.
- IT information – information required to facilitate access to our clients’ servers/computers if required to access accounting programmes etc.
What is sensitive personal data?
Sensitive personal data refers to the above but includes genetic data and biometric data. For example:
- Medical conditions
- Religious or philosophical beliefs and political opinions
- Racial or ethnic origin
- Biometric data (eg photo in an electronic passport)
Generally, we try not to collect or process any sensitive personal data relating to our clients, or our clients’ employees, unless authorised by law or where necessary to comply with applicable laws.
What is Data Processing?
Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.
Why do we collect your personal data?
Oldfield Advisory LLP, as a Data Controller and/or a Data Processor, is bound by the requirements of the General Data Protection Regulations (GDPR).
You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge our services (as defined in our Letter of Engagement and scope of service) and for other related purposes including;
- Updating and enhancing client records
- Analysis for management purposes
- Statutory returns
- Legal and regulatory compliance
- Crime prevention
We collect information about you when you fill in any of the forms on our website i.e. sending an enquiry, signing up for an event, filling in a survey, giving feedback etc. Website usage information is collected using cookies (please see section below).
When submitting forms on our website we may use a third-party software provider for automated data collection and processing purposes, they will not use your data for any purposes and will only hold the data in line with our policies.
How will we use the information about you and why?
At Oldfield Advisory LLP we take your privacy seriously and will only use your personal information to provide the services you have requested from us, detailed in your Letter of Engagement and scope of service and as we have identified above. We will only use this information subject to your instructions, data protection law and our duty of confidentiality.
Our legal basis for collecting and using the personal data described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal data from you only where we have your consent to do so, where we need the personal information to perform a contract with you, your business or your employer (i.e. provision of services), or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal data from you or may other otherwise need the personal information to protect your vital interests or those of another person. Further information on this is set out below.
Contractual purposes – We use this personal information when it is necessary for the provision of our services, in line with the purposes agreed upon between our client and Oldfield. Examples include managing personal tax affairs, provision of payroll services, corporate restructure work etc. This also includes steps taken at your request before entering into a contract.
Legal obligation – We may use personal information where we consider it necessary for complying with laws and regulations, including collecting and disclosing staff member or individual personal information as required by law (e.g. for tax purposes), for meeting our legal responsibilities in terms of money laundering, terrorist financing and crime prevention regulations, under judicial authorisation, or to exercise or defend the legal rights of our firm.
Legitimate interests – We may also collect and use personal information when it is necessary for other legitimate purposes (if we have a genuine reason and we are not harming any of your rights and interests), such as to help us conduct our business more effectively and efficiently. We may also process your personal data to investigate violations of law or breaches of our own internal policies.
We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed without authorisation and only accessed or used for specific legal purposes.
Who we share personal information with
We take care to allow access to personal information only to those who require such access to perform their tasks and duties in relation to the provision of our services, and to third parties who have a legitimate interest purpose for accessing it to support these purposes. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this notice and that the security and confidentiality of the information is maintained.
Transfers to other third parties
We may also disclose personal information to third parties on other lawful grounds, including:
- To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process, including, but not limited to, a subpoena, government audit or search warrant
- In response to lawful requests by public authorities (including for national security or law enforcement purposes)
- As necessary to establish, exercise or defend against potential, threatened or actual litigation
- Where necessary to protect the vital interests of our employees or another person
- In connection with the sale, assignment or other transfer of all or part of our business; or
- With your expressed consent
Transferring your information outside of Europe
As part of the services offered to you through this website, the information which you give to us may be transferred to countries outside the European Economic Area. For example, some of our third-party providers may be located outside of the EU. Where this is the case we will take steps to make sure the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy. By submitting your personal data, you’re agreeing to this transfer, storing or processing. Where our third-party supplies are in the US we have ensured that their services fall under the “Privacy Shield” whereby participating companies are deemed to have adequate protection and therefore facilitate the transfer of information from the EU to the US.
If you use our services while you are outside the EU, your information may be transferred outside the EU to give you those services.
We would like to send you useful articles, advice, information about our services and events which may be of interest to you. If you have consented to receive marketing, you may opt out at any point as set out below, or by clicking on the ‘unsubscribe’ button on any marketing email.
We may collect information on our website to process your enquiry, deal with your event registration, give advice based on survey data and improve our services. If you agree, we will also use this information to share updates with you about our services which we believe may be of interest to you.
You have a right at any time to stop us from contacting you for marketing purposes. To opt out please email: firstname.lastname@example.org
We will not share your information for marketing purposes with companies so that they may offer you their products and services.
How long will we hold your data for?
- Marketing: We will hold your data for a period of 6 years. You will have the opportunity to opt out or update or delete data at any point should you need to do so and details are set out in this policy as to how to do that.
- Contracted Services: We will hold your data for 7 years in line with our regulatory requirements.
Your data privacy rights
The following rights are available under applicable data protection law:
- Access, correct, update or request deletion of personal information
- Object to processing of personal information, ask us to restrict processing of personal information or request portability of personal information.
- If we have collected and process personal information using a person’s consent, then this can be withdrawn at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect processing of personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of personal information. For more information, please contact your local data protection authority. In the United Kingdom, the data protection authority is the Information Commissioner’s Office whose website is https://ico.org.uk/
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
Please note, our ability to facilitate aspects of any of the above rights will depend on whether we are a Data Processor or a Data Controller in relation to any specific data. Any requests received relating to data processed on behalf of clients should be referred to the Data Controller (the client company).
Access to your information, correction, portability and deletion
What is a Subject Access Request?
This is your right to request a copy of the information that we hold about you. If you would like a copy of some or all your personal information, please email email@example.com or write to us at the following address: Data Protection Officer, Oldfield Advisory LLP, Santis House, Curriers Close, Coventry, CV4 8AW. We will respond to your request within one month of receipt of the request.
We want to make sure your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by emailing firstname.lastname@example.org or writing to the above address.
Objections to processing of personal data
It is your right to lodge an objection to the processing of your personal data if you feel the “ground relating to your particular situation” apply. The only reasons we will be able to deny your request is if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claims.
It is also your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if:
(a) The processing is based on consent or on a contract, and
(b) The processing is carried out by automated means
Your Right to be Forgotten
Should you wish for us to completely delete all information that we hold about you please let us know by:
- Email: email@example.com, or
- In Writing to: Data Protection Officer, Oldfield Advisory LLP, Santis House, Curriers Close, Coventry, CV4 8AW.
If you feel that your personal data has been processed in a way that does not meet the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell you of the progress and outcome of your complaint. The supervisory authority in the UK is the Information Commissioner’s Office.
Please address any questions or requests relating to this Notice to our Data Protection Officer at firstname.lastname@example.org or write to:
Data Protection Officer
Oldfield Advisory LLP