The General Data Protection Regulations (GDPR)
The General Data Protection Regulations (GDPR) are effective from 25th May 2018. The concepts and principles build upon the Data Protection Act, with some new elements and significant enhancements in terms of the protection of personal data.
As a business we are dedicated to ensuring that we are 100% compliant with GDPR and meet the requirements for transparency, accountability and the protection of individuals’ rights. We are committed to ongoing assessment in the key areas that we believe are necessary.
Our aim is to adopt a privacy by design approach. This ensures that both our customers, as well as those on whom we may hold personal data, are confident that we are adopting best practice.
GDPR Compliance Charter
Our GDPR compliance charter means that you can be confident that we have and will:
Make our staff and contractors aware of GDPR and ensure they understand what it means
• Ensure our policies and procedures are clear and effective, meaning data is kept securely and used only for appropriate purposes
• Document what data we hold; reviewing regularly where it came from, why we hold it, what the lawful basis is for holding it and what we do with it
• Check our procedures, to make certain we deal with personal data in line with all legal requirements
• Identify the lawful basis that we have for holding and processing personal data
• Allow anyone on whom we hold personal data, to make a subject access request to find out what personal data we hold on them
• Review how we obtain individuals’ consent to hold their personal data, and offer the right to withdraw that consent if they wish to
• Undertake data audits, including Privacy Impact Assessments, on a regular basis
• Develop methods to identify any potential or actual data breaches, informing the relevant parties if this happens
• Register with ICO and appoint someone with designated responsibility for data protection
In turn, we expect our customers and suppliers to operate in the same manner, ensuring that we all take the steps recommended by the Information Commissioners Office.
What and who is this notice for?
This notice is intended to provide you with important information about how we process your personal data. This includes details of what personal data we hold, how we store it, what we do with it, why we hold it and how long we hold it for.
The below ‘summary information’ section provides a general summary about what we do with your personal data.
In order to provide you with the services detailed in our letter of engagement, Happy Fins must hold and process personal data. We use this information to; Conduct Customer Due Diligence (C.D.D) checks we are obliged to conduct under law; meet our obligations detailed under our letter of engagement; and, provide you with any additional services we may agree with you to provide.
We hold your personal data on encrypted cloud-based software, as spreadsheets stored in the cloud and in some instances, as physical printouts stored in locked filing cabinets.
Data Protection Policy
You should read this privacy notice in connection with Happy Fins data protection policy.
A copy of our data protection policy can be requested at any time from us.
Data Controller’s and Data Protection Officer’s Details
Data Controller: Stephanie Pettitt
Incorporated in England under Company Number: 06590608
Data Protection Officer: Stephanie Pettitt
How to contact us with any questions
If you would like to contact us, please use the below methods. Please note that our office closes on weekends and English bank holidays. We normally close the office over the Christmas period, including some normal working days, please contact us for more information. If your contact relates to exercising your rights under data protection legislation it will help us if you make your communication in writing (either by post or email).
Telephone: 01202 069611
Post: A10 Arena Business Centre, Holyrood Close, Poole. Dorset BH17 7FJ
Under data protection legislation you have eight main rights relating to your personal data:
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision making including profiling
For more information on your rights and how we uphold your rights, please visit the Information Commissioner’s Office’s website (www.ico.org.uk) and review our data protection policy, which can be accessed from the relevant sections of our website or can be provided on request.
If at any time you would like to exercise one of your rights under data protection legislation, please contact us. We recommend that you consult our data protection policy before contacting us.
If you would like to make a complaint about Happy Fins handling of personal data and how we have met our obligations under data protection legislation you can contact the Information Commissioner’s Office (www.ico.org.uk). Though we would always encourage you to contact us in the first instance so that we can attempt to resolve your complaint.
Contact and Communication
If you provide personal information it is kept private and stored securely until a such time it is no longer required or has no use, as detailed in the General Data Protection Regulations (GDPR) 2018. Personal data that you provide will only be used for purposes for which we believe there is a lawful basis.
What how and when is personal data collected?
During initial engagement, the course of our business relationship, when obliged under the Money Laundering Regulations 2017 regulations, or when your circumstances or business change we collect personal data such as name, address, postcode, date of birth, telephone number, email address, NI Number and UTR number, as well as government authority issued identification documents to identify you as an individual and as a business.
Why we collect your data and on what basis?
The data we hold or process about you enables us to fulfil either a legitimate interest, the legal obligations 27 to 19 of the MLR 2017 regulations and / or through our contractual obligation to you. We also use your personal data to remind you when to pay your taxes, inform you about our services and / or to pass on important, relevant taxation updates and announcements.
How and where is the data stored and who has access?
Your data is stored on secure, encrypted, third party cloud software programmes, as spreadsheets stored in the cloud and in some instances, as physical printouts stored in locked filing cabinets. Access is given to HMRC, Companies House and to the employees and subcontractors of Happy Fins.
Access to information
In accordance with the General Data Protection Regulations, you have the right to access any information that we hold relating to you. This is commonly referred to as a ‘subject access’ request. Please note that in most circumstances Happy Fins reserve the right to charge a reasonable fee of £10 to cover the costs incurred by us in providing you with the information.
Right to withdraw
You have the right to withdraw your personal data at any time that you wish to do so. If you decide that you no longer wish us to hold your personal data, then please contact our Happy Fins with your request.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Your details are not passed on to any third parties, except in the circumstances detailed below:
• To provide subcontractors with data they require to ensure the delivery of service. Should we supply your data to a subcontractor we will seek to ensure they are / have a nominated data controller.
• Any other data controller will ensure that your personal data is only used for the purposes of delivering products or services, and not for marketing purposes.
• Where we are legally required by law to disclose your personal information
• To further fraud protection and reduce the risk of fraud
• In the event that we sell any or all of our business to the buyer
Details of Third Parties Data is Transmitted to, Reason & Safeguards
Data is transmitted to HMRC and Companies House for which legal and contractual obligations are in place and to subcontractors for the purpose of delivering contractual services only. Verification, passcodes and / or encryption is used in these transmissions to keep your data safe.
Details of Third Party Countries Data is Transmitted to & Safeguards in Place
Happy Fins may occasionally need to transfer your data to third parties who are located outside of the EEA. This may include organisations who provide system specific software used to enable our accountancy services. In these situations, your personal data will only be transferred to a country or territory outside the EEA, once we have checked that the country or territory has in place an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Contacting Stephanie Pettitt Regarding this Policy – If you need to contact Happy Fins regarding this policy, please email: email@example.com Alternatively you can write to Happy Fins registered office address. Complaints – Should you feel that you wish to escalate a complaint then you should contact the Information Commissioners Office, details below: www.ico.org.uk Telephone: 01202 069611
Data Protection Policy
Happy Fins takes its responsibilities under data protection legislation extremely seriously. Breach of our data protection responsibilities can result in significant financial and reputational damage. We therefore endeavour to implement practices which ensure that we are constantly upholding our responsibilities under data protection legislation and allow us to meet our clients’ expectations in terms of privacy.
General Data Protection Regulations 2018
The primary legislation in the United Kingdom governing data protection is the General Data Protection Regulations 2018. The legislation covers the storing and use of personal data. Personal data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
The five principles established under this legislation, require personal data to be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest shall not be considered to be incompatible with the initial purposes
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of individuals; and
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Privacy Notices (Right to be Informed)
We maintain a privacy notice which all clients have been provided a copy of. This notice details important information relating to why and how data is processed. In particular our privacy notice contains details of; the identity and contact details of the controller and the data protection officer; what data is being collected; why the data is being processed and the lawful bases for the processing; who has access to the data; where the data will be stored; who the data will be transferred to, including details of any third country and applicable safeguards; where the data has been obtained, if Happy Fins has not collected the data directly; how any automated decision has been made; the individual’s rights.
Subject Access Requests (Right of Access)
All individuals have a right to obtain; confirmation that their data is being processed; access to their personal data; and, other supplementary information (which can largely be found in the applicable privacy notice(s)). Any individual wishing to obtain any of these should contact us using details provided in the ‘Contacting the Happy Fins Regarding this Policy’ section of this document.
All subject access requests will be completed free of charge unless the request is manifestly unfounded or excessive. If the request is deemed by us to be manifestly unfounded or excessive, the individual will receive a written explanation as to why and details of costs associated with fulfilling the request. The fee charged will be based upon; administration time costs; postage costs; printing costs; and, any other delivery cost.
In exceptional circumstances we may refuse an access request. An access request will only be refused if it is manifestly unfounded or excessive. If the request is deemed by us to be manifestly unfounded or excessive, the individual will receive a written explanation as to why and a statement that the request cannot be processed.
Inaccurate or Incorrect Data (Right to Rectification)
Happy Fins aims to ensure that all data it holds is accurate and correct. However, from time to time, this aim may not be met. All individuals have a right for inaccurate or incorrect data to be corrected or rectified. Any individual wishing to have their data corrected should contact us using details provided in the ‘Contacting the Happy Fins Regarding this Policy’ section of this policy.
Where data has been transferred to a third party and subsequently it has been rectified, we will notify the third party without delay of the rectification.
In some instances, we may not take action to a right to rectification request (for example, if it is believed that the request has malicious intent or is inaccurate). If no action is to be taken, a written explanation will be provided to the individual who made the request.
Request to Delete Data (Right to Erasure)
Happy Fins aims to retain data for only as long as it is needed. However, from time to time, this aim may not be met, or a valid reason as to why the data no longer needs to be retained maybe presented which had not been considered by us. All individuals have a right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Any individual wishing to have their data erased should contact Happy Fins using details provided in the ‘Contacting Happy Fins Regarding this Policy’ section of this policy.
In limited circumstances we will not be able to comply with a request to delete or remove data. This will normally be because the data is being used to; comply with a legal obligation for the performance of a public interest task or in exercising official authority; or, to exercise or defend legal claims. If no action is to be taken, a written explanation will be provided to the individual who made the request.
Request to Suppress Processing of Data (Right to Restrict Processing)
Restricting processing means Happy Fins will continue to store the personal data but will not ‘use’ the data or transfer it to third parties.
We will restrict processing; if you contest the accuracy of the personal data we hold, the restriction will apply until such a time as we have verified the accuracy of the data; if you have objected to the processing and we are considering if we have legitimate grounds not to act on your objection; if the processing we are conducting is found to be unlawful, but you oppose erasure; if we no longer require the data, but you require the data to establish, exercise or defend a legal claim. Any individual wishing to restrict processing of personal data should contact Happy Fins using details provided in the ‘Contacting Happy Fins Regarding this Policy’ section of this policy.
If data has been passed to third parties, we will inform them of any restriction to processing as soon as possible.
We may have to retain certain personal data, either for a defined period of time or indefinitely, to ensure that a restriction on processing is enforced. This will always be explained in writing to the relevant individual.
Reusing Personal Data (Right to Data Portability)
Personal data can, on the request of the individual, be transmitted to other organisations, or, provided to the individual in a format which they can reuse. All individuals have a right to obtain and reuse their personal data across different services. Any individual wishing to reuse their personal data should contact Happy Fins using details provided in the ‘Contacting Happy Fins Regarding this Policy’ section of this policy.
Before providing data, we will take reasonable steps to ensure that the individual making the request has a right to the data they are asking for. This may include providing a copy of government issued ID.
Data provided as part of the right to data portability will always be provided in a structured, commonly used and machine-readable format, normally a CSV file.
Happy Fins welcomes information which clients have transferred from other organisations. All reasonable measures will be taken to facilitate the right to data portability.
In some cases, where the request is complex, or we have received a number of requests, we may require an additional two months to comply with a request to be processed. If this is the case a written explanation will always be provided to the individual concerned within one month of receiving a request.
Objections to Data Processing (Right to Object)
If Happy Fins is processing data based on legitimate interests, for direct marketing or for statistical purposes individuals have the right to object. To object the individual must have grounds relating to your situation.
If the objection relates to Happy Fins using an individual’s personal data for direct marketing purposes, then we will cease to process the data immediately.
Any objections should be made using the details provided in the ‘Contacting the Association Regarding this Policy’ section of this document.
Training and Communication
A copy of this policy is given to all employees, subcontractors, trainees and other official agents of Happy Fins. In some cases, as an additional control, some employees, subcontractors, trainees and other official agents may be required to sign a copy of this policy.
All employees, contractors, trainees and other official agents will be given training on this policy before being given access to personal data or being involved in a role related to the processing of personal data. All contractors, apprentices, trainees and other official agents will receive regular training on this policy. This will be documented in a C.P.D log.
Significant breaches of this policy can result in disciplinary action.
Happy Fins will ensure that they monitor the use and processing of data and will seek to identify any data breach as soon as is practicably possible.
Any such data breach will be reported as appropriate.
Where it is necessary to transfer personal data to relevant third parties, this will be considered carefully before any such transfer takes place.
Happy Fins anticipate that the requirements for third parties will cover:
• Outsourced services relating to the processing of customers’ employee personal data including pension and payroll services
• Services relating to customers which will include processing personal data and payment details
• Services provided by third parties to undertake the services that constitute the service provision from Happy Fins, such as cloud-based accountancy services
Where third parties are involved, Happy Fins will ensure that they are committed to the key principles of data protection and will seek to establish this on a contractual basis, where possible. This will also be the case when data is transferred internationally and outside of the European Economic Area.
Happy Fins will seek to ensure that any personal data transferred to a third party, is deleted as soon as it is no longer required.
Ultimate responsibility for this policy rests with the principles of Happy Fins. Day to day responsibility for this policy is held by Stephanie Pettitt, Managing Director who is deemed the Data Protection Officer and can be contacted on Tel: 01202 069611.
Monitoring and Review
This policy is kept under constant review to ensure its suitability, adequacy and effectiveness. Any improvements identified will be made as soon as possible.
Comments from employees, contactors, officials, clients and regulators are welcome and will be taken into consideration.
Contacting Happy Fins Regarding this Policy
If you need to contact Happy Fins regarding this policy please email: firstname.lastname@example.org
Alternative you can write to Happy Fins registered office.
Should you feel that you wish to escalate a complaint then you should contact the Information Commissioners Office: www.ico.org.uk Telephone 0303 123 1113
This notice is designed to help you understand what cookies are, how we use them and the choices you have with regards their use.
Website Contact Form
Every effort has been made to ensure the safe and secure transfer of personal data provided and sent through our ‘Contact Us’ web-form but we advise users using such a form that they do so at their own risk. The personal data that you provide will only be used for purposes for which we believe there is a lawful basis.
What are Cookies?
Cookies are small text files that are stored on your browser or the hard drive of your computer or other device when you visit a site. This allows the website to recognise you as a user either for the duration of your visit (known as a ‘session cookie’) or for repeat visits (‘persistent cookie’). They are not harmful and do not contain any personal information.
The cookies used on our website fall into four broad types:
Strictly Necessary Cookies
These cookies are essential in helping you to move around our website. These cookies do not gather information about you that could be used for marketing.
Targeted Marketing Cookies
These cookies allow websites and applications to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. The information these cookies collect is usually anonymous which means we can’t identify you personally. They do not gather any information about you that could be used for advertising or remembering where you’ve been on the internet but help to personalise marketing.
Analytical / Performance Cookies
To keep the website relevant, up to date and easy to use we use analytics to help us understand how people use our website. For example, we can see which parts of our website are most popular, identify errors and test different pages to see what works well.
• To personalise and improve your customer experience.
• To record the areas of the website you visited, and the time spent browsing.
• We use this information to help make the website more user friendly and develop the site.
• To offer the ability to share our website pages on social media sites.
• By using these features, you are consenting to allow cookies from these providers.
Can I turn off cookies?
Yes. To change your cookie settings, or if you want to be notified each time a cookie is about to be used, you should amend the settings in your web browser to prevent us from storing cookies on your hard drive.
For information on how to disable cookies, consult the “help” tab of your browser via the menu bar.
The following Cookies are used for analytical and targeting purposes.
• Google Analytics
This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies to all UK national laws and requirements for user privacy. Users contacting this website and/or it’s owners do so at their own discretion and provide any such personal details requested at their own risk.
This Cookie Notice was updated on 17th May 2018, and further changes will be communicated by updating this notice.
If you would like more information on Cookies and how to opt-out, please visit www.youronlinechoices.com/
Website visitors who don’t want their data used by Google Analytics can install the Google Analytics opt-out browser add-on. To opt-out of Analytics for the web, visit the Google Analytics opt-out page and install the add-on for your browser.