This Privacy Notice explains what information Treasury Accounting Limited gather about you, what we use that information for and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.
We take data protection very seriously and we are committed to protecting your personal information. This Privacy Notice describes how we handle personal information collected through www.treasuryaccounting.co.uk, phone, e-mail and by any other means.
It is our policy to collect only the minimum information we require from you. If you believe we hold more information about you than is required, or if you have any queries about how we handle your personal data, please contact our Data Protection Officer.
In this Privacy Notice your personal information is sometimes called “personal data”. Personal data is information that can be used to identify a living individual, such as name, address, phone number or e-mail address. It includes information you provide when you contract, or intend to contract, with us to provide a product or service, subscribe to our services, search for a service, or participate in other social media functions on our site. You might also give us personal data when you participate in meetings, seminars or other events we arrange. The information you give us may include, for example, your name, address, e-mail address, phone number and financial information. Personal data also includes information about your health and other ‘sensitive personal data’. We ask that you do not provide us with ‘special category personal information’ unless we have specifically requested it. ‘Sensitive personal data’ and ‘special category personal information’ are as defined by data protection legislation.
In this Privacy Notice we sometimes collectively refer to handling, collecting, protecting or storing your personal information as ‘processing’.
Although you do not have to provide any of your personal information to us, if we ask you to do so and you refuse, we may be unable to provide you with the information or services you want from us.
If you have any questions about this Privacy Notice or the way your personal information is processed by us, or would like to exercise one of your rights explained within, please contact the Data Protection Officer, by one of the following means:
Post: Andrew Sainsbury, Treasury Accounting Ltd, The Old Treasury, 7 Kings Road, Portsmouth, Hampshire PO5 4DJ.
Treasury Accounting Limited takes the security of, and our legal responsibilities around, your personal data very seriously. The following information applies to those who receive services from us or who are seeking to do so.
Types of Personal Data Processed
The types of personal data processed will vary depending on the data you require us to process in order to deliver to you the requested services and in accordance with our engagement terms with you (as specified within the Letter of Engagement). You may ask us to process both ‘personal data’ as defined in Article 4(1) of the EU General Data Protection Regulation (‘GDPR’) and/or ‘Special category Personal Data’ as defined in Article 9(1) GDPR.
Categories of Data Subjects
Personal data we process for our own purposes and on your behalf may include, but may not be limited to, client data, staff data, contractor data and supplier data.
Categories of data subjects will, in so far as we act as a data processor, be determined by you and as contemplated by our engagement terms with you. Normally, we will only require limited aspects of your staff data for our own purposes and will advise you should it become necessary for us to process any other categories for our own purposes.
Legal Basis for Data Processing
Generally, it will be your responsibility as the Data Controller to ensure you provide us with data for processing activities for which you have identified a legal basis for such processing. We will not accept responsibility for your providing us data without a legal basis for doing so.
Where we require personal data from you for our own purposes, we do so on the following legal bases as defined under GDPR:
• Contract entry and performance: To provide our services to you in performing our contractual obligations to you in accordance with our Letter of Engagement. In order to commence working with you as a client we are legally required to take certain steps, such as assuring ourselves of your identity. In order to do so we require some personal data from you. During the course of our engagement with you we are required to continue processing personal data about you to enable us to deliver the services to you.
• Our legitimate interests: To develop our businesses and services by the effective delivery of information and services to you in the lawful operation of our business (provided these do not interfere with your rights). We may also use your personal data on the basis of our own legitimate interests in promoting our services and developing our services and assessing our performance. Activities promoting our services include business to business marketing which you may opt-out of at any time. Opt-out can be achieved by using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer.
• Legal obligations: To conduct quality and risk management procedures in satisfying any legal and regulatory obligations to which we are subject. As a firm of Chartered Accountants certain statutory obligations apply to us which require us to process personal data and in some circumstances to provide it to third parties such as law enforcement authorities. Where such obligations arise we will, insofar as is possible without breaching any other duty we owe to those authorities, advise you of our intention to process your data for their purposes.
• Where we have your consent to do so: For any other purposes for which you provided the information to us and where there is no other condition for processing available, if you have agreed to us processing your personal information.
We will process personal data on your behalf for so long as you instruct us to do so. At the cessation of our processing activities on your behalf it is your choice as to what happens to the personal data you have provided to us. We will work with you to carry out your reasonable instructions.
Personal data we collect for our own purposes will be managed in accordance with our Data Retention Policy which will reflect our legal obligations.
Use of sub-processors
As part of our service delivery it is necessary for us to use sub-processors.
Our IT is largely provided by parties external to Treasury Accounting Limited. Some solutions we utilise are cloud based and our need to rely upon those systems varies depending upon the services we deliver to you.
All sub-processors are bound by contracts with Treasury Accounting Limited to provide at least the same level of protection for your data as we do.
Most sub-processors do not engage directly with your data and simply provide secure storage solutions for the data we process. Unless we have otherwise expressly agreed conditions with them, sub-processors are prohibited from using your personal data for their own purposes.
Treasury Accounting Limited utilise a number of suppliers to provide us with IT and other associated services for the delivery of our business and services to you. In many cases, the suppliers we use will be granted access to the data we are processing in order to provide us with technical assistance. Such processing activities are not directly related to our principal services to you and are considered ancillary to our own internal activities.
By asking us to act as a Data Processor on your behalf you permit us to use EU standard contractual clause agreements with our chosen sub-processors and sub-contractors on your behalf. All such agreements will be in our name and you may enforce rights against the sub-processor(s) directly through us.
Treasury Accounting Limited has put technological and organisational controls, including policies and procedures, in place to protect your personally identifiable information from loss, misuse, alteration or unintentional destruction. Only authorised persons are provided access to personally identifiable information we have collected and all such individuals have received appropriate training and have agreed to maintain the confidentiality of this information. Conditions to protect data to at least the same standard as we do are cascaded to all our sub-contractors, sub-processors and suppliers.
We carry out regular monitoring of our security defences to ensure they continue to be effective against the latest threats.
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your network it is your responsibility to ensure it remains secure.
Data Retention Policies
We will retain your personal information only for as long as we need it, given the purposes for which it was collected, or as required to do so by law. The timescales for the retention of personal data for the different activities we undertake are governed by various legislation. The most common retention period is 7 years.
Your Data Subject Rights
Where we act as a Data Controller for your data you may exercise a number of rights.
• Request access to the personal data we hold about you.
• Ask us to correct any data which is inaccurate.
• Request to have your personal data deleted.
• Put in place restrictions on our processing of your data.
• Ask us to transfer your data to another controller (data portability).
We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any national laws at the time of your request. Should you need to exercise any of your data subject rights please set out your request in writing to our Data Protection Officer.
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter for you, you may take your complaint to the Information Commissioner’s Office. Further details can be found via their website at www.ico.org.uk.
Should we receive a request from one of your staff, clients, customers, contractors or prospects to exercise data subject rights, but we are only acting as a Data Processor, we will forward the request to you as Data Controller to process. Unless you explicitly instruct us not to, we will advise the data subject that we have passed their request to you.
Targeted e-mails from us may include additional data privacy information as required by applicable privacy laws.
Changes to this Statement
We recommend you check this statement on a regular basis to ensure you remain in agreement with the activities we carry out in respect of processing personal data.
Should we make significant changes to the way we process data, we will draw your attention to the relevant part(s) of this statement through e-mail and/or other appropriate communications as part of our engagement activities with you.
18 September 2018