This is the privacy notice of Noakes Accounting Limited. In this document, “we”, “our”, or “us” refers to Noakes Accounting Limited.
The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose legal obligations in connection with the processing of personal data.
Noakes Accounting Limited is an accountancy firm. We are registered in England & Wales under registration number 09934096, with our registered office being 66 South Street, Taunton, TA1 3AF. We are a data controller within the meaning of the GDPR and we process personal data.
This privacy notice aims to inform clients about how we collect and process any information that we collect from them, or that they provide to us. It covers information that could identify them (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information. It tells clients about their privacy rights and how the law protects them.
If, as a visitor to this website, a person chooses to submit information, they agree to the use of such data in accordance with the terms set out in this privacy statement. Please note that this site contains links to other sites, including sites maintained by other organisations which may not be governed by this privacy statement.
Data Protection Officer
Due to the nature of our organisation and due to the nature of the data that we are processing, we are not required to appoint a formal Data Protection Officer. We have however appointed Robert Noakes to be the person responsible for data protection within the firm. Clients should contact him in writing at the firm’s Registered Office.
Types of information that we may collect
For individuals, we collect the client’s full name and title, marital status, gender, home address, date of birth, National Insurance number, Unique Taxpayers Reference, email addresses, mobile and home telephone numbers.
For businesses, incorporated or otherwise, which may also include individuals, we collect the business name and address, business and mobile telephone numbers, email address, Government Gateway username and passwords and, at times, HMRC shared secrets, VAT registration number and quarter dates, PAYE reference and PAYE accounts office reference, and the business accounts year end.
We collect for each individual and business client their main banker and related account number and sort code.
For incorporated businesses, we also collect their Registered Office address, date of incorporation, Companies House number and Companies House authentication code.
We collect details of each client’s banker and associated account number and sort code so that we can direct repayments due to them from HMRC or any other party that clients ask us to. We may use bank details on paper or online forms to register for services e.g. with HMRC.
At times we may use client bank details to set up Direct Debits through the HMRC Gateway to pay agreed tax liabilities on behalf of clients. We will never use client bank details to try to take any money from their account. The only exception to this is if clients give us express permission and also provide any logon details to their bank.
Clients may object to us collecting certain data about them. The consequence of such an objection, and of the information not being provided, is that we may not be able to undertake the services that we have contracted to provide to these clients.
We collect other information about our clients e.g. the source of the introduction, the date they became a client and the date of our engagement letter.
How we may collect information
Clients provide most of their data directly to us when they become a client. This can be in paper or electronic format e.g. emailing personal data to us. Please be aware that the transmission of information via the internet is rarely completely secure.
Not all of the personal information we hold about clients will always come directly from them. Some data is provided to us about clients from third parties e.g. HMRC, Companies House or other accountants e.g. when they provide professional clearance and transfer of information on change of appointment. Some data is available and collected from publicly accessible sources e.g. Companies House, though this is normally also provided directly by clients.
We will also collect, use, disclose and store personal data about the employees of some of our clients’ businesses e.g. if we run a payroll for that client. In this case, for example, personal data about employees will generally be provided by the employer to us.
Why we may collect information
We collect, use, disclose and store personal and business data about our clients in order to operate our business, manage client accounts, invoice for our services and to provide our services to clients. We do this for any client that has requested services from us and where we have agreed to provide such services in our engagement letters, quotes, correspondence or verbal agreements. We only collect data about our clients that we actually need and only for the above purposes.
For contractual reasons, clients must provide us with certain personal data that we request. If they do not provide it we may not be able to provide our professional services. If this is the case, we will not be able to commence acting or will need to cease to act for a client.
How the information may be used
Client data is only used for the intended use for which it was collected. Client data is processed lawfully as a means to provide our services to our clients and any individual or businesses that we have previously agreed to provide our services to.
Where we wish to use client data other than for the purpose that it was collected for, we will ask for client consent, which the client has the right to withdraw at any time following consent being given. In most cases, we do not need to ask for specific consent from clients to use their data. This is because we aim to be transparent as to why we have collected and how we will use their data.
We rely on the lawful basis as to why we obtain and process client data and specific consent is therefore generally not required. Our lawful basis is that processing of data is necessary for the performance of a contract with a client or to take steps to enter into a contract or that processing is necessary for compliance with a legal obligation.
Data storage and security
Once client personal information has been received by us, all electronic client data is stored on our computer systems within our office, which are secured by password. We take all reasonable measures to keep them secure and prevent unauthorised access to them. We also back up all data on a regular basis to physical back-up devices which are stored in a safe on the business premises.
We maintain and store paper based client data within our office. Key paper documents are kept safe and secure in our office.
We will share information with third parties where we are required by law, or where we have another legitimate interest in doing so.
We do not share or pass client details to other organisations unless this is required as part of our contractual services. Any information that we do share with another organisation will be in a way that clients would expect of us and where we have client authority, either expressly given or implied through the context of the data shared e.g. provision of financial data about the client to a potential loan provider to the client.
We do not share client data with third parties for marketing purposes.
We retain personal information for as long as we reasonably require it for legal or business purposes. In determining data retention periods, we take into consideration laws, contractual obligations, and the expectations and requirements of our clients. When we no longer need personal information, we securely delete or destroy it.
Rights of access, correction, erasure, transfer, and restriction
Clients have the right to request access to their data, which will enable them to check that we are processing it lawfully. No fees will be charged to clients for allowing them to access their data except where the request for access is clearly unfounded or excessive.
Clients have the right to request corrections of any perceived inaccuracies in any data we may hold about them.
Clients have the right to object to the processing of their data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this basis.
Clients have the right to request the restriction of the processing of their data. This enables them to ask us to suspend the processing of personal data about them, for example if they want us to establish its accuracy or the reason for processing it.
Clients may have the right to request transfer of their personal data in a machine-readable format, either to themselves or to another data controller, if the processing is based on consent and carried out by automatic means.
Clients may have the right to request erasure of their personal data. However, this is not always possible due to legal requirements and other obligations and factors.
We may need to request specific information from the client in order to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights).
Clients should write to us at our Registered Office address regarding the data that we hold about them.
Transfers of data outside of the European Economic Area (EEA)
Personal information in the European Economic Area (EEA) is protected by data protection laws but other countries do not necessarily protect clients’ personal information in the same way.
We may transfer data we collect about clients to the United States, which is outside of the EEA, in order to perform our contracts with them. This may happen if the client uses cloud software, or we choose to do so in performing our contract with them. This is due to some cloud software providers holding their servers in the United States. We may also engage in other IT services, the providers of which may also hold their services outside of the EEA.
We take steps to ensure that appropriate measures and controls are in place to protect any data that is transferred outside of the EEA in accordance with applicable data protection laws and regulations.
By using our services, clients consent to the transfer of their data outside of the EEA in the circumstances set out in this privacy notice. If clients do not want their data to be transferred outside of the EEA, then they are unfortunately not able to use our services.
Changes to this notice
If we make any changes to this privacy notice in future, the most up to date version will be accessible on our website: https://www.noakes-accounting.co.uk/privacy
This privacy notice was last updated on 29 July 2018.
Any questions regarding this privacy notice and our privacy practices should be sent by e-mail to firstname.lastname@example.org or in writing to our Registered Office of 66 South Street, Taunton, TA1 3AF. If clients wish to change any of the consents that they have given to us in respect of their data, then they should email or write to us at our Registered Office.
Clients have the right to complain to the ICO if they think there is a problem with the way their data is being handled by us. The ICO’s contact details are as follows:
Information Commissioner’s Office
Telephone – 0303 123 1113 or 01625 545 745
Website – https://www.ico.org.uk/concerns