Data Protection Act 1998 and EU General Data Protection Regulation (GDPR) Consent Form
DL Accounts Ltd ensures that we are compliant with all Data Protection Legislation, including the Data Protection Act 1998 and the EU General Data Protection Regulation (GDPR) due for enforcement with effect from 25th May 2018.
DL Accounts Ltd collects, processes, stores and shares information in accordance with this legislation. More information can be found in our Data Protection Policy and Privacy Notice.
The GDPR states that organisations shouldn’t process or retain extraneous personal data. That means data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose. DL Accounts Ltd complies with this.
Lawful Bases for Processing Personal Data
The business has identified the lawful bases for processing data and documented these in our GDPR Policy.
People Who Use Our Services
We have to hold the details of the people who have requested our services in order to provide it. However, we only use these details to provide the service the person has requested, for example, for the production of accounts and submission of a tax return or processing of Payroll, as per the client contract.
We may also use the details for other closely related purposes. For example, if we are asked to provide information on a client’s behalf to finance or mortgage providers, or submit pension contribution information to a designated pension provider.
Applicants and Employees
All of the information provided during the recruitment process will only be used for the purpose of progressing a job application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information provided during the recruitment process with any third parties for marketing purposes or store any information outside of the European Economic Area. The information provided will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We only ever use the contact details provided to us to contact an applicant to progress their application. Other information provided will be used to assess an applicant’s suitability for the role they have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess suitability for employment.
For all successful applicants, the information provided during the application process will be retained by us as part of an employee’s file for the duration of their employment plus 6 years following the end of their employment.
The business is registered with the Information Commissioner’s Office (ICO) as required by law.
Individuals have a right to lodge a complaint with the ICO if they so wish.
What Data does DL Accounts Ltd Collect?
DL Accounts Ltd collects different types of client data.
We regularly map the data we collect, and document the Personal, Sensitive and Financial Data held, when and where data comes from, the legal basis for processing data, when data is updated, how long data is retained for and on what basis, where the data is stored and processed and who the data is to be disclosed to and why.
We collect data from a variety of sources, and these are documented in our GDPR Policy.
What is Personal, Financial and Sensitive Data?
- Personal Data is data which can be used to identify you, and includes name, date of birth, address, telephone number(s), emails etc.
- Financial Data is data that includes things like National Insurance Number, UTR (Unique Tax Reference Number), Taxation Records, Bank Account/Credit Card/Loan Agreement/Mortgage details, business accounts, income records such as P45’s or P60’s, pension information, Attachment of Earnings Orders.
- Sensitive Data is information related to any of the following : racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
The only sensitive data DL Accounts Ltd may have access to is in relation to the employees of payroll clients when a GP Fit Note is submitted.
- DL Accounts Ltd also uses CCTV for the purposes of crime prevention in its offices located in Burton House, Trinity Street, St Austell.
Where does DL Accounts Ltd Store Data and How is this Stored Securely?
DL Accounts Ltd stores data in a variety of formats, including :
- Manual/Paper Records
- Electronic Records : For example, Word, Excel, PDF documents, emails (Outlook) etc.
- Software Records : For Example data held in specialist accounting software packages and apps such as Xero, Sage, Quick Books, Kash Flow, Receipt Bank, 1 Tap, Tax Calc, Moneysoft Payroll Manager and Practice Ignition.
- In-House Managed Systems : For example, our internal Access Database.
- Externally Hosted Services : For example our website, Facebook and Twitter.
- Microsoft Cloud Service
DL Accounts Ltd stores all Data Securely:
The business and its staff treat security of data with the utmost importance, and employ suitable methods to protect the security of data including (but not limited to) :
Encryption, data access levels, strong passwords, HTTPS, firewalls, anti-virus and anti-malware protection, regular password protected back-ups and software updates, monitoring, regularly identifying areas that may be of a higher risk, and completing Data Protection Impact Assessments (DPIA) for these processing areas.
Latest updates to software containing the most up to date security features are also installed as required.
Under the GDPR, DL Accounts Ltd have a general obligation to implement technical and organisational measures (Data Protection by Design), to show that we have considered and integrated data protection into our processing activities, which we comply with.
We operate a multi-level security policy in order to protect data stored as above.
We only ever work with partners who are also GDPR compliant.
How Long does DL Accounts Ltd Store Data?
DL Accounts Ltd never stores data for longer than necessary.
We adhere to HMRC guidelines for the retention of data and also standard practice.
Data is usually kept for 7 years to comply with HMRC guidance, although in some cases it may be less.
A full list of retention periods is included in our client consent documents and also in our data mapping records.
How does DL Accounts Ltd Use Data?
Your data will be used for the purpose of providing you with your designated service as detailed in the contract you have with us, and also to fulfil statutory obligations with HMRC.
Services include those detailed below, and may change to reflect the needs of clients. However, we only ever use data with consent of clients.
- Production of Accounts
- General Book Keeping
- Completion of Tax Returns (Self Assessment, Corporation Tax, VAT, Capital Gains)
- Companies House Submissions
- Payroll processing
- CIS processing
- Pension processing including submission of information to Pension providers.
- Provision of Information to Mortgage and Finance providers or other Third Parties
- Accountant’s Advice
Your data will also be used for the purpose of meeting legal obligations, for example Company Law compliance, Companies House submissions, Taxation Compliance or compliance with statutory requirements, for example providing RTI to HMRC in relation to PAYE. It will also be used to fulfil contractual obligations, for example, providing pension contribution information to pension providers such as (but not limited to) NEST and Worker Pension Trust.
DL Accounts Ltd might also use your details such as business name, logo, and business description from time to time on the ‘Clients’ section of our website (www.dlaccounts.co.uk) for marketing purposes.
How will DL Accounts Ltd Share Data?
We will only ever share your information with your permission, and for the purposes we have stated above unless we are required to do so by law.
Disclosure of Personal Information
In most circumstances we will not disclose personal data without consent.
However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.
In some circumstances we can pass on personal data without consent for example, to prevent and detect crime.
How does DL Accounts Ltd Keep Data Up to Date?
We regularly review client data and information, for example through client meetings, emails, telephone calls and also prior to the submission of Tax returns to HMRC when accounts are ‘signed off’ by clients.
We also review data and information annually as part of the 12 month contractual cycle.
Whenever we are notified that data and information is or inaccurate we update this immediately.
Right To Be Forgotten
The GDPR gives any individual the right to request the erasure of their personal data, when there is no compelling reason for its processing. Article 17 outlines the different circumstances under which someone can exercise the right to erase their personal data.
DL Accounts Ltd will erase data if a request is made either verbally or in writing and if :
- the data is no longer necessary to serve the purposes for which it was originally processed;
- if the subject withdraws consent or has a rightful objection to the processing and there are no overriding legitimate grounds for it to continue;
- if it has been unlawfully processed;
- if it needs to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services.
Right To Restrict Processing & Object
The GDPR gives any individual the right to restrict processing of their personal data.
When processing is restricted, we are permitted to store the personal data, but not further process it, and to also retain just enough information about you to ensure that the restriction is respected in future.
We will be required to restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.
- When processing is unlawful and the individual opposes erasure and requests restriction instead.
- If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
Right To Object
DL Accounts Ltd acknowledges that individuals have the right to object and can put this request in writing. Individuals can object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Right of Data Portability
DL Accounts Ltd has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
Automated Decision Making and Profiling
This type of processing involves :
- making a decision solely by automated means without any human involvement; and
- profiling (automated processing of personal data to evaluate certain things about an individual).
DL Accounts Ltd does not engage in either of these activities.
DL Accounts Ltd acknowledges all the rights of individuals included in the GDPR legislation, and these are set out fully in our GDPR Policy.
Decision makers and key people in the business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
The business has effective processes to identify, report, manage and resolve any personal data breaches.
What is a Data Controller
A Data Controller is someone who is responsible for your data and who must make sure that your data is processed according to the law. For example, they are responsible for making sure that information held about you is accurate and that it is kept secure.
The Directors and staff of DL Accounts Ltd are Data Controllers and Data Processors in common.
This means that all persons in the business are responsible for data when they use it to provide a service to a client or a third party.
How Can I Obtain the Information DL Accounts Holds?
DL Accounts Ltd tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998 and under the new GDPR starting in May 2018.
If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to DL Accounts Ltd for any personal information we may hold, an individual needs to make a request verbally, or put the request in writing addressing it to Mr Dexter Lawrence, at the following address :
DL Accounts Ltd, Burton House, Trinity Street, St Austell, Cornwall, PL25 5LS.
However, if you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting DL Accounts Ltd.
We will respond to your request within 1 month, and we do not usually charge you for processing this request.
Can I Withhold My Consent?
You can withhold your consent at any time, however, DL Accounts Ltd will not be able to advise you or provide you with the designated service if you choose to do so.
We only collect, store, process and share data required to fulfil services and legal obligations, and data is never kept for longer than necessary.
We have to hold the details of the people who have requested our services in order to provide it. However, we only use these details to provide the service the person has requested or to fulfil a legal obligation, for example (but not limited to) the production of accounts and submission of a tax return, Companies House submissions, or processing of Payroll.
We may also use the details for other closely related purposes. For example (but not limited to) providing information on a client’s behalf to finance or mortgage providers, or as part of submitting contribution information to a designated pension provider.
Does DL Accounts Ltd Transfer Data Internationally?
DL Accounts Ltd has its offices in the UK. The ICO is therefore DL Accounts Ltd’s regulatory authority.
DL Accounts Ltd does not operate in more than one EU Member State and does not engage in cross border processing.
- Visitors to our website and other social media including Facebook, Instagram and Twitter;
- Telephone Calls; and
Visitors to our Website
When someone visits www.dlaccounts.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.
We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.
We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. However, if we do want to collect personally identifiable information through our website, we will be up front about this.
We will make it clear when we collect personal information and will explain what we intend to do with it.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
Cookies are small text files that are placed on your computer when you visit our website.
They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site, ie: DL Accounts Ltd.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org
We use a third party service, WordPress.com, to publish our website.
These sites are hosted by GoDaddy.com, which is run by Hi Yield Ltd. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please refer to Automattic’s Privacy Notice.
If you send us a private message via Facebook the message can be stored by Facebook indefinitely, however, we will only keep this message for as long as necessary, for example, if you request an appointment then we will delete the message once that appointment has taken place. We will never share the message with any other organisations.
When you call the office or our designated mobile phone number, we use CLI – Calling Line which allows us to see the caller’s number.
You can amend the settings of your telephone to stop this from happening if you should prefer.
We use Microsoft Outlook as our chosen email provider, which always uses HTTPS (Hypertext Transfer Protocol Secure) to protect information that is sent over the internet, and provides extra security when we read or write an email. HTTPS also helps keep our email accounts safe from hackers especially when we use wireless connections.
In addition, Microsoft Outlook never scans emails and attachments in order to sell this information to advertisers or any other company.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
We keep our privacy notice under regular review and update it as necessary to ensure compliance with new regulations.