Privacy Notice

The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data. Virtue Accounting Ltd is a data controller within the meaning of the GDPR and we process personal data. We have appointed a data protection officer (DPO) to oversee compliance, and should you have any questions for the DPO about this privacy notice, or how we handle personal information, please email dataprotection@virtuegroup.co.uk.

We may amend this privacy notice from time to time and will make the amended privacy notice available on our website.

Where we act as a data processor on behalf of a data controller (for example, when processing payroll), we can provide an additional schedule setting out required information as part of that agreement. That additional schedule should be read in conjunction with this privacy notice.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We will collect, store, and use the following categories of personal information about you in order to identify you and facilitate the provision of our services to you. In order to do this, we will need to process the following personal data:

• full Name & title
• residential address
• previous addresses
• date of birth
• bank details
• personal income and tax details
• UTR number
• NI number
• nationality
• tax codes
• email address
• home, mobile and work telephone numbers
• mother’s maiden name
• eye colour
• birth town

We may also collect and store more sensitive personal information in order to better fulfil our contract (for example advising on entitlement to benefits, etc):

• information about your health, including any medical condition, health and sickness records from any Sick Note, Fit Note or other note or records provided.
• information about criminal convictions and offences which you may inform us about.

We obtain personal data about you, for example, when:

• we receive a new enquiry in respect of the services we may provide.
• you, your employer or our clients, engages us to provide our services. Also, during the provision of those services, when we are contact by email, telephone, post or social media (for example, when you have a question or wish to provide additional information to enable us to provide services).
• from third parties and/or publicly available resources (for example, from your employer or from Companies House).

We intend to process personal data for the following purposes:

• to enable us to supply professional services to you as our client.
• to fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
• to comply with professional obligations to which we are subject as a member of the Association of Chartered Certified Accountants (ACCA)
• to use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.
• to enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen
• to contact you about other services we provide which may be of interest to you if you have consented to us doing so.

Our intended processing of personal data has the following legal basis:

• At the time you instructed us to act, you gave consent to our processing your personal data for specific purposes, including the provision of services to you.
• The processing is necessary for the performance of our contract with you.
• The processing is necessary for compliance with legal obligations to which we are subject (e.g. MLR 2017).
• The processing is necessary for the purposes of legitimate interests we pursue.

It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.

We may share your personal data with:

• an alternate appointed by us in the event of incapacity or death
• banking partners, to provide banking services to client businesses through integration with accounting software.
• subcontractors
• any third parties with whom you require or permit us to correspond
• HMRC
• tax insurance providers
• professional indemnity insurers
• our professional body, ACCA, and/or the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS) in relation to practice assurance and/or the requirements of MLR 2017 (or any similar legislation)

If the law allows or requires us to do so, we may share your personal data with:

• the police and law enforcement agencies
• courts and tribunals
• the Information Commissioner’s Office (“ICO”)

We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties we may need to cease to act.

We will share your personal data with other third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so.

“Third parties” includes third-party service providers and other entities within our group. The following activities are carried out by third-party service providers: IT and cloud services, professional advisory services, administration services, business formation services, marketing services and banking services.

All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.

We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with the law.

We intend to retain your data within the UK wherever practical; however, we may transfer the personal data we collect about you to countries outside of the EEA.

Where data is transferred outside of the EEA, and there is an adequacy decision by the European Commission in relation to these countries, they will be deemed to provide an adequate level of protection for your personal information for the purpose of the Data Protection Legislation.

Where there is not an adequacy decision by the European Commission in relation to certain countries, and they will not be deemed to provide an adequate level of protection for your personal information for the purpose of the Data Protection Legislation, we have put in place measures to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the Data Protection Legislation, such as binding corporate rules or model contract clauses.

When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of our records relating to you as follows:

• where tax returns have been prepared it is our policy to retain information for 7 years from the end of the tax year to which the information relates.
• where ad hoc advisory work has been undertaken it is our policy to retain information for 5 years from the date the business relationship ceased.
• where we have an ongoing client relationship, data which is needed for more than one year’s tax compliance (e.g. capital gains base costs and claims and elections submitted to HMRC) is retained throughout the period of the relationship but will be deleted after the end of the business relationship in line with contractual term unless you as our client ask us to retain it for a longer period.

Our contractual terms provide for the destruction of documents after a specified number of years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.

You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us. Documents and records relevant to your tax affairs are required by law to be retained by you as follows:

• individuals, trustees and partnerships - with trading or rental income: five years and 10 months after the end of the tax year; otherwise: 22 months after the end of the tax year.
• companies, LLPs and other corporate entities - six years from the end of the accounting period.

Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller at the termination of the contract.

It is important that the personal data we hold about you is accurate and current, so please let us know should your personal information change.

Under certain circumstances, by law you have the right to:

• request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
• request correction of the personal data that we hold about you.
• request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
• object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes.
• request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.

If you wish to exercise any of the above rights, please email dataprotection@virtuegroup.co.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent, and please consider that:

• the withdrawal of consent does not affect the lawfulness of earlier processing.
• if you withdraw your consent, we may not be able to continue to provide services to you.
• even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data).

We do not intend to use automated decision-making in relation to your personal data.

If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints to dataprotection@virtuegroup.co.uk

If you are unhappy with our response, you have a right to lodge a complaint with the ICO (www.ico.org.uk).