Data Controller
The data controller is: Westcotts
26-28 Southernhay East, Exeter, EX1 1NS
Any reference to ‘Westcotts’ or the ‘Firm’ as Data Controller within this privacy notice also refers to the wider firm which includes ‘Westcotts (SW) LLP trading as Westcotts Chartered Accountants and Business Advisers’, ‘Westcotts Business Recovery and Insolvency LLP’, ‘Westcotts Financial Management Limited’ trading as ‘Westcott Chartered Financial Planners’ and ‘Westcotts Secretarial Limited’ (‘The Westcotts Entities’).
Data Protection Officer
To enquire about any aspect of this document or your associated data protection rights please contact Westcotts’ Data Protection Officer:
Mr P Tigwell
26-28 Southernhay East Exeter
Devon EX1 1NS
Email: patrick.tigwell@westcotts.uk
All initial contact should be in writing (by post or email).
General
Westcotts collects and processes personal data relating to its Clients to manage the client relationship. We are committed to being transparent about how we collect and use that data and to meet our data protection obligations.
Lawful reason for processing client personal data
The processing of personal data for and on behalf of existing clients will be carried out for the performance of the contractual arrangement as set out in our engagement letter and terms of business.
Westcotts may act as either the data Controller or Processor in accordance with GDPR. Unless the engagement letter makes it clear that Westcotts is the Processor, Westcotts is to be treated as the data Controller.
Categories of personal data collected by Westcotts
We collect and process a range of information about you. This includes:
- Domicile
- Address
- Email address
- Phone number
- VAT no.
- PAYE no.
- CIS no.
- NINO
- UTR
- Spouse details
- Children’s details
- Details of other professional advisors
- Bank/lender information
- Assets held (and associated info)
- Income details
- Will copy
- POA copy
- Copy ID
- Bank account details
- Direct debit mandates (held by internal accounts)
The information held will depend upon the type of engagement. Some special categories of personal data are processed to carry out the terms of our contract.
Where the firm acts as data processor in providing Payroll or CIS deduction services for the Controllers employees or sub-contractors we collect and process a range of information about them. This includes:
- Name
- DOB
- Address
- Email address
- NINO
- Bank account details
- Student loan details
- Coding notice
- Attachment of Earnings
The organisation may collect this information in a variety of ways. Most data will be supplied by the data subject (or the data controller in respect of engagements where the firm acts as data processor), representatives of the data subject or authorised third parties.
Intended recipients of the personal data
Data may be transferred between the Westcotts Entities to assist with the provision of services and advice to clients.
The engagement terms will make it clear where data must be supplied by Westcotts directly to third parties to include:
- HMRC
- Companies House
- The Pension’s Regulator
- DEFRA
- Banks
- Reference agencies
- Financial advisers
- Westcotts’ Insurers
- Auto Enrolment Pension Providers
- etc
Where Westcotts receives a request to submit data to a third party other than those specified by the engagement letter the consent of the data subject must be obtained before any data is released.
Legitimate interest of the controller
Whilst we may be primarily engaged by clients to carry out a specific task in accordance with the terms of the engagement there is an expectation that, alongside that specific task, we will be processing personal data more generally on an ongoing basis and to advise as necessary on other matters.
In addition to the primary purpose we are permitted to process personal data for direct marketing purposes in pursuing the legitimate interests of the Firm.
Processing of clients’ personal data for any purposes other than to complete the task set out within the engagement terms or direct marketing activities for anyone other than Westcotts is not permitted without obtaining the clients’ consent.
Retention period
The firm intends to hold all files indefinitely unless it deems certain files to not be of any ongoing interest in which case these may be destroyed.
In considering whether documents should be destroyed the DPO will consider, amongst other things, the legal retention period set out by statute and the firm’s professional indemnity insurance provisions.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the Firm during the engagement period. However, if you do not provide the information, the Firm may not be able to complete the process as set out within the engagement terms.
Use of Data Processors
- E-newsletters
As data controller we use a third party data processor, Campaign Master UK Ltd, to deliver our e- newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletters. For more information, please see Campaign Master’s privacy policy.
- Postal mail shots
As data controller from time to time we may use a third party data processor, Stormpress Ltd, to deliver circulations by post. Information is held by Stormpress Ltd for no longer than is necessary prior to being destroyed. For more information, please see Stormpress’s privacy policy.
- Self-service for employees of payroll clients of the firm
If a self-service system is run under these circumstances the firm will use third party software provided by Thesaurus Software Ltd t/as Brightpay. For more information, please see Brightpay’s privacy policy.
- Event organisation
As data controller from time to time we may use a third party data processor, Eventbright, to issue tickets for events. Information is held by Eventbrite, Inc., a Delaware corporation. Eventbrite, Inc. participates and complies with the EU-U.S. Privacy Shield Framework. In the event that payment is required for an event then this information is held and managed by Eventbrite Operations (IE) Ltd. For more information, please see Eventbrite’s privacy policy.
Information held by Eventbrite will be held within that platform for no longer than is necessary prior to being removed.
Information in respect of Event attendances may be held for a longer period outside of Eventbrite but again, this will be held for no longer than is necessary prior to being removed.
Your rights as data subject
Right of access – where Westcotts is processing or has processed your personal data you have rights as an individual to get a copy of the information that we hold about you. This is known as a subject access request.
For these to be managed effectively, subject access requests must be made in accordance with the guidance issued by the Information Commissioner’s Office (www.ico.org.uk/for-the-public/). All requests should be submitted to Westcotts’ Data Protection Officer.
Failure to submit a subject access request in this format may result in the request being rejected.
The right to rectification – you have the right to request rectification of your personal data where errors have been identified.
Any such request must be made verbally or in writing by post or via email to the Firm and a response will be issued within one month of receipt.
Please note that there may be instances where such requests cannot be fully satisfied and in such cases a full explanation will be provided within the response.
The right to erasure – you have the right to request erasure (also known as ‘the right to be forgotten’) of your personal data.
Any such request must be made verbally or in writing by post or via email to the Data Protection Officer and a response will be issued within one month of receipt.
Please note that there may be instances where such requests cannot be fully satisfied and in such cases a full explanation will be provided within the response.
Right to restriction of processing – you have the right to obtain from us a restriction of processing where one of the following applies:
a) The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data.
b) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead.
c) We no longer need the personal data for the purposes of processing, but you require us to retain the data for the establishment, exercise or defence of legal claims.
d) An objection to the processing of personal data has been raised by you, for a period enabling us to consider whether your rights are overridden by our legitimate reasons to retain the data.
Right to data portability – where it is practicable to do so we will provide an active secure self-service system to provide your personal data held by us.
Where it is not practicable to provide an active self-service system, upon receipt of a ‘right of access request’ information held will be made available via a secure self-service system and direct access will be granted to you.
Where possible the data will be provided in a suitable electronic format which complies with the GDPR guidelines on data portability. Where this is not possible this will be explained.
Please note that the right to obtain access to personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
The right to object – you have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Westcotts will adhere to the guidelines set by the Information Commissioner’s Office upon receipt of an objection. The objection can be made verbally or in writing to the firms marketing department or Data Protection Officer.
All processing will cease upon receipt of a relevant objection. The Data Protection Officer will issue a formal response to the objection within one month of receipt.
Automated decision making and profiling
The firm does not perform any tasks which rely solely on automated decision making or profiling.
Complaints or queries
Westcotts tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice has been drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Westcotts’ collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address above.
If you want to make a complaint about the way we have processed your personal information, in the first instance please contact the Data Protection Officer. If the Data Protection Officer is unable to satisfactorily deal with your complaint, or you are not satisfied with our response or believe our processing of your personal data is not in accordance with the law you can complain to the Information Commissioner.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.