Policies

Terms and Conditions


Introduction

These terms and conditions set out the general terms under which we undertake our business. The specific conditions relating to particular assignments will be covered in a separate letter of engagement.


Applicable law

This engagement letter, the schedule of services and our standard terms and conditions of business are governed by, and should be construed in accordance with, English law. Each party agrees that the English Courts will have exclusive jurisdiction in relation to any claim, dispute or difference concerning this engagement letter and any matter arising from it. Each party irrevocably waives any right to object to any action being brought in those Courts, to claim that the action has been brought in an inappropriate forum, or to claim that those Courts do not have jurisdiction.


Authorization and registration

We are registered with the Association of Chartered Certified Accountants as chartered certified accountants and can be found on the register of members (membership number 0953103) at http://members.accaglobal.com/en/find-an-accountant.


Bribery Act 2010

In accordance with the requirements of the Bribery Act 2010 we have policies and procedures in place to prevent the business and its partners and staff from offering or receiving bribes.


Client monies

We may, from time to time, hold money on your behalf. Such money will be held in trust in a client bank account, which is segregated from the firm’s funds. The account will be operated, and all funds dealt with, in accordance with the Clients’ Monies Rules of the Association of Chartered Certified Accountants. These rules can be found on the ACCA website at http://www.accaglobal.com/en.html.


Communication

Unless you instruct us otherwise we may, where appropriate, communicate with you and with third parties via email or by other electronic means. The recipient is responsible for virus checking emails and any attachments.

With electronic communication there is a risk of non-receipt, delayed receipt, inadvertent misdirection or interception by third parties. We use virus-scanning software to reduce the risk of viruses and similar damaging items being transmitted through emails or electronic storage devices. However, electronic communication is not totally secure and we cannot be held responsible for damage or loss caused by viruses nor for communications which are corrupted or altered after despatch. Nor can we accept any liability for problems or accidental errors relating to this means of communication especially in relation to commercially sensitive material. These are risks you must bear in return for greater efficiency and lower costs. If you do not wish to accept these risks please let us know and we will communicate by paper mail, other than where electronic submission is mandatory.

Any communication by us with you sent through the post or courier system is deemed to arrive at your postal address two working days after the day that the document was sent.


Confidentiality

Communication between us is confidential and we shall take all reasonable steps to keep confidential your information except where we are required to disclose it by law, by regulatory bodies, by our insurers or as part of an external peer review. Unless we are authorised by you to disclose information on your behalf this undertaking will apply during and after this engagement.

We may, on occasions, subcontract work on your affairs to other tax or accounting professionals. The subcontractors will be bound by our client confidentiality terms.

We reserve the right, for the purpose of promotional activity, training or for other business purpose, to mention that you are a client. As stated above we will not disclose any confidential information.


Conflicts of interest

We will inform you if we become aware of any conflict of interest which could impact on our relationship with you. Where conflicts are identified which cannot be managed in a way that protects your interests then we regret that we may be unable to provide further services.

If there is a conflict of interest that is capable of being addressed successfully by the adoption of suitable safeguards to protect your interests then we will adopt those safeguards. Safeguards may include measures such as separate teams, physical separation of teams, and separate arrangements for storage of and access to information. Where possible this will be done on the basis of your informed consent.

We reserve the right to act for other clients whose interests are not the same as or are adverse to yours, subject of course to the obligations of confidentiality referred to above.


Consumer credit

If, during the provision of professional services to you, you need advice or services on areas from us that fall within Consumer Credit activity, we may have to refer you to someone who is authorised by the Financial Conduct Authority (FCA) as we are not authorised to undertake this activity.


Data Protection Act 1998

We confirm that we will comply with the provisions of the Data Protection Act 1998 when processing personal data about you and your family. In order to carry out the services of this engagement and for related purposes such as updating and enhancing our client records, analysis for management purposes and statutory returns, legal and regulatory compliance and crime prevention we may obtain, process, use and disclose personal data about you. You shall ensure that any disclosure of personal data to us complies with the DPA.

We shall use appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. We shall not sub-contract any processing of personal data unless the sub-contractor has agreed that the personal data continues to be subject to an appropriate level of protection. To the extent we act as data processor for you, we shall only process personal data in accordance with your instructions.

We shall answer your reasonable enquiries to enable you to monitor compliance with this clause.


Disengagement

Should we resign or be requested to resign a disengagement letter will normally be issued to ensure that our respective responsibilities are clear.
Should we have no contact with you for a period of 12 months or more we may issue a disengagement letter and hence cease to act.


Fees

Our fees may depend not only upon the time spent on your affairs but also on the level of skill and responsibility and the importance and value of the advice that we provide, as well as the level of risk.

If we provide you with an estimate of our fees for any specific work, then the estimate will not be contractually binding unless we explicitly state that that will be the case.

Where requested we may indicate a fixed fee for the provision of specific services or an indicative range of fees for a particular assignment. It is not our practice to identify fixed fees for more than a year ahead as such fee quotes need to be reviewed in the light of events. If it becomes apparent to us, due to unforeseen circumstances, that a fee quote is inadequate, we reserve the right to notify you of a revised figure or range and to seek your agreement thereto.

In some cases, you may be entitled to assistance with your professional fees, particularly in relation to any investigation into your tax affairs by HMRC. Assistance may be provided through insurance policies you hold or via membership of a professional or trade body. Other than where such insurance was arranged through us, you will need to advise us of any such insurance cover that you have. You will remain liable for our fees regardless of whether all or part are liable to be paid by your insurers.

Our fees are exclusive of VAT which will be added where it is chargeable. Any disbursements we incur on your behalf and expenses incurred in the course of carrying out our work for you will be added to our invoices where appropriate.

Unless otherwise agreed to the contrary our fees do not include the costs of any third party, counsel or other professional fees.

It is our normal practice to ask clients to pay by monthly standing order and to periodically adjust the monthly payment by reference to actual billings.

If you do not accept that an invoiced fee is fair and reasonable you must notify us within 21 days of receipt, failing which you will be deemed to have accepted that payment is due.

In the case of a dispute over the level of fees charged we reserve the right to require that the matter is dealt with through arbitration. We recommend that arbitration is undertaken by the fee arbitration service provided by ACCA for members. The fee arbitrator will be appointed by the ACCA president; the fee will be as negotiated with the ACCA arbitrator.

Implementation

We will only assist with implementation of our advice if specifically instructed and agreed in writing.


Intellectual property rights

We will retain all copyright in any document prepared by us during the course of carrying out the engagement save where the law specifically provides otherwise.


Interpretation

If any provision of this engagement letter, schedules of services or standard terms and conditions is held to be void, then that provision will be deemed not to form part of this contract and the remainder of this agreement shall be interpreted as if such provision had never been inserted.

In the event of any conflict between these terms of business and the engagement letter or appendices, the relevant provision in the engagement letter or schedules will take precedence.


Internal disputes

If we become aware of a dispute between the parties who own or are in some way involved in the ownership and management of the business, it should be noted that our client is the business and we would not provide information or services to one party without the express knowledge and permission of all parties. Unless otherwise agreed by all parties we will continue to supply information to the attention of the directors. If conflicting advice, information or instructions are received from different directors in the business we will refer the matter back to the directors and take no further action until the directors have agreed the action to be taken.


Investment services

Investment business is regulated under the Financial Services and Markets Act 2000 and the Financial Services Act 2012.

If, during the provision of taxation services to you, you need advice on investments, we may have to refer you to someone who is authorised by the Financial Conduct Authority or the Prudential Regulation Authority.

We are not authorised by the Financial Conduct Authority or the Prudential Regulation Authority.

Lien

In so far as permitted to do so by law or professional guidelines, we reserve the right to exercise a lien over all funds, documents and records in our possession relating to all engagements for you until all outstanding fees and disbursements are paid in full.


Limitation of liability

We will provide our services with reasonable care and skill. Our liability to you is limited to losses, damages, costs and expenses caused by our negligence.

Exclusion of liability for loss caused by others
We will not be liable if any losses, penalties, surcharges, interest or additional tax liabilities are due to the acts or omissions of any other person or due to the provision to us of incomplete, misleading or false information, or if they are due to a failure to act on our advice or a failure to provide us with relevant information.

Exclusion of liability in relation to circumstances beyond our control
We will not be liable to you for any delay or failure to perform our obligations under this engagement letter if the delay or failure is caused by circumstances outside our reasonable control.

Exclusion of liability relating to the discovery of fraud, etc.
We will not be responsible or liable for any loss, damage or expense incurred or sustained if information material to the service we are providing is withheld or concealed from us or wrongly misrepresented to us or from fraudulent acts, misrepresentation or wilful default on the part of any party to the transaction and their directors, officers, employees, agents or advisers.

This exclusion shall not apply where such misrepresentation, withholding or concealment is or should (in carrying out the procedures which we have agreed to perform with reasonable care and skill) have been evident to us without further enquiry.

Indemnity for unauthorised disclosure
You agree to indemnify us and our agents in respect of any claim (including any claim for negligence) arising out of any unauthorised disclosure of our advice and opinions, whether in writing or otherwise. This indemnity will extend to the cost of defending any such claim, including payment at our usual rates for the time that we spend in defending it.

Limitation of aggregate liability
Where the engagement letter specifies an aggregate limit of liability, then that sum shall be the maximum aggregate liability of Italian Accountants Ltd, its director, agents and employees to all persons to whom the engagement letter is addressed and also any other person that we have agreed with you may rely on our work. By signing the engagement letter, you agree that you have given proper consideration to this limit and accept that it is reasonable in all the circumstances. If you do not wish to accept it you should contact us to discuss it before signing the engagement letter.

You have agreed that you will not bring any claim of a kind that is included within the subject of the limit against any of our principals, directors, members or employees on a personal basis.


Limitation of Third Party Rights

The advice and information we provide to you as part of our service is for your sole use and not for any third party to whom you may communicate it unless we have expressly agreed in the engagement letter that a specified third party may rely on our work. We accept no responsibility to third parties, including any group company to whom the engagement letter is not addressed, for any advice, information or material produced as part of our work for you which you make available to them. It may not be used or relied upon for any other purpose or by any other person other than you without our prior written consent. A party to this agreement is the only person who has the right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.

If our advice is disclosed to any third party (with or without our consent), then we accept no responsibility or liability to that third party for any consequences that may arise to them, should they rely on the advice.

If it is proposed that any documents or statement which refer to our name are to be circulated to third parties, please consult us before they are issued.


Money Laundering Regulations 2017

In accordance with the Proceeds of Crime Act, The Terrorism Act, Money Laundering Regulations 2017 and The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 you agree to waive your right to confidentiality to the extent of any report made, document provided or information disclosed to the National Crime Agency (NCA).

You also acknowledge that we are required to report directly to the NCA without prior reference to you or your representatives if during the course of undertaking any assignment the person undertaking the role of Money Laundering Reporting Officer becomes suspicious of money laundering.

As with other professional services firms, we are required to have appropriate risk based policies and procedures for assessing and managing money laundering risks: this applies at the start of any business relationship and through the lifetime of the relationship. This includes undertaking appropriate customer due diligence. We may request from you, and retain, such information and documentation as we require for these purposes and/or make searches of appropriate databases. If we are not able to obtain satisfactory evidence of your identity, we will not be able to proceed with the engagement.

Copies of such records created as part of the client due diligence process, including any non-engagement documents relating to the client relationship and ongoing monitoring of it, will be retained by us for a period of five years after we cease to act for the business unless we are required to retain them under statutory obligation, or to retain them for legal proceedings, or you consented to the retention in which case the records will be retained for not more than 10 years.


Notification

We shall not be treated as having notice, for the purposes of our accounts/tax responsibilities, of information provided to members of our firm other than those engaged on the specific assignment (for example, information provided in connection with accounting, taxation and other services).


Period of engagement and termination

Unless otherwise agreed in the engagement covering letter our work will begin when we receive your implicit or explicit acceptance of that letter. Except as stated in that letter we will not be responsible for periods before that date.

Each of us may terminate this agreement by giving not less than 30 days' notice in writing to the other party, except where you fail to cooperate with us or we have reason to believe that you have provided us or HMRC with misleading information, in which case we may terminate this agreement immediately. Termination will be without prejudice to any rights that may have accrued to either of us prior to termination.

In the event of termination of this contract, we will endeavour to agree with you the arrangements for the completion of work in progress at that time, unless we are required for legal or regulatory reasons to cease work immediately. In that event, we shall not be required to carry out further work and shall not be responsible or liable for any consequences arising from termination.


Professional rules and statutory obligations

We will observe and act in accordance with the by-laws, regulations and ethical guidelines of the Association of Chartered Certified Accountants (ACCA) and will accept instructions to act for you on this basis. In particular, you give us the authority to correct errors made by HMRC where we become aware of them. We will not be liable for any loss, damage or cost arising from our compliance with statutory or regulatory obligations. You can see copies of these requirements at our offices. The requirements are also available online at www.accaglobal.com/en.html.


Provision of Services Regulations 2009

In accordance with our professional body rules we are required to hold professional indemnity insurance. Details about the insurer and coverage can be found at our offices.


Quality control

As part of our ongoing commitment to providing a quality service, our files are periodically reviewed by an independent regulatory or quality control body. These reviewers are highly experienced and professional people and, of course, are bound by the same rules for confidentiality as our principal.


Quality of service

We aim to provide a high quality of service at all times. If you would like to discuss with us how our service could be improved or if you are dissatisfied with the service that you are receiving please let us know by contacting Vincenzo Quinto.

We undertake to look into any complaint carefully and promptly and to do all we can to explain the position to you. If we do not answer your complaint to your satisfaction you may take up the matter with the Association of Chartered Certified Accountants. This should be done promptly and in any event no later than 6 months after exhausting our procedures.

Should ACCA consider a complaint appropriate for conciliation, it is competent to offer alternative dispute resolution through its Conciliation Service. ACCA's website address is www.accaglobal.com. Please note that, under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015, we are not obliged to submit to ACCA's conciliation process.


Reliance on advice

We will endeavour to record all advice on important matters in writing. Advice given orally is not intended to be relied upon unless confirmed in writing. Therefore, if we provide oral advice (for example during the course of a meeting or a telephone conversation) and you wish to be able to rely on that advice, you must ask for the advice to be confirmed by us in writing.


Retention of papers

You have a legal responsibility to retain documents and records relevant to your tax affairs. During the course of our work we may collect information from you and others relevant to your affairs. We will return any original documents to you if requested. Documents and records relevant to your affairs are required by law to be retained as follows:

Individuals, trustees and partnerships

with trading or rental income: 5 years and 10 months after the end of the tax year;

otherwise: 22 months after the end of the tax year.

Companies, LLPs and other corporate entities

6 years from the end of the accounting period.


Whilst certain documents may legally belong to you we may destroy correspondence and other papers that we store, electronically or otherwise, which are more than 7 years old. You must tell us if you require the return or retention of any specific documents for a longer period.


Timetable

The services we undertake to perform for you will be carried out on a timescale to be determined between us on an ongoing basis.

The timing of our work will in any event be dependent on the prompt supply of all information and documentation as and when required by us.

Data Protection Policy


Introduction

In the course of its business, the Firm needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.

This policy describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). We recognise that, not only must we comply with the principles of fair processing of personal data, we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed at all times by the Firm, its employees and all those within its scope as set out below.


Why this policy exists

This Policy provides help and guidance to our staff and managers in:

  • complying with data protection law and following good practice
  • protecting the rights of staff, clients, partners and business contacts
  • being open about how we use personal data, how we store it and how we secure it
  • protecting the Firm against the risks of both inadvertent and intentional data breaches


Scope of the Policy

The Policy applies to all employees; fixed term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the Firm’s files and/or computer systems. Collectively these individuals are hereafter referred to as ‘users’. All users have responsibility for complying with the terms of this Policy.


Data Protection Law

What is personal data?

The GDPR regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We hold data relating to our employees, some of which is classed as sensitive personal data (also known as ‘special category data’) where, for example, it concerns a person’s health and medical status. We also hold a wide range of information about clients, including highly confidential personal financial data such as their individual tax information.

These rules apply to all data stored in any structured way, including both paper files and electronically.


What does the law say?

The Data Protection Principles

The GDPR contains a number of key principles which apply to the collection and processing of personal data and which underpin everything that follows.

Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR.

For the purposes of the law and these principles, a 'data controller' is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In relation to the majority of our data, we are data controllers, although where we are responsible for, for example, looking after a client's payroll, they are the data controller and we are 'data processors'. A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Our responsibilities as data processors are dealt with later in the Policy.


Key Responsibilities
  • The Partners are ultimately collectively responsible for ensuring that the Firm meets its legal obligations and that this Policy is followed
  • The Data Protection Officer Vincenzo Quinto is responsible for:
    • keeping the partners updated about data protection responsibilities, risks and issues
    • reviewing all data protection procedures and related policies, in line with an agreed schedule
    • arranging data protection training and advice for everyone to whom this Policy applies
    • handling data protection queries from staff and contractors
    • dealing with requests from anyone whose data we hold for access to that data (known as ‘subject access requests’)
    • checking and approving any contracts or agreements with third parties that may handle our personal data
    • checking and approving any contracts or agreements with third parties whose personal data we may handle
    • ensuring that policies on processing, retention, storage and deletion of data are adhered to and relevant documentation is maintained to evidence compliance
  • The IT Manager is responsible for:
    • ensuring that all systems, services and equipment used for storing data meet acceptable security standards
    • performing regular checks to ensure that security hardware and software is functioning properly
    • evaluating any third-party services the Firm is considering using to store or process data. For example, cloud computing services
  • The director Vincenzo Quinto is responsible for:
    • approving any data protection statements attached to communications such as emails and letters
    • where necessary working with other staff to ensure marketing initiatives are compliant with data protection principles
    • ensuring that records of consents and withdrawal of consents to marketing are maintained


Lawful, Fair and Transparent Data Processing
We are responsible as a Firm for ensuring that any personal data we hold is processed in accordance with the principles laid out above. We are permitted to process data where one of the following legal bases applies:
  • the data subject has given their consent. An example might be where a client has agreed to be contacted about a new tax advice service we are providing
  • the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering a contract with them. An example of this is where we need to retain and file personal information about our clients in order to finalise their accounts or tax affairs, or where a potential client gives us their personal data in order for us to be able to quote for advice that they need, and in order for them to decide whether to instruct us
  • the processing is necessary for compliance with a legal obligation to which the data controller is subject. An example of this might be where we pass personal data to the relevant money laundering authorities in a situation where we have an obligation to do so
  • the processing is necessary to protect the vital interests of the data subject or another natural person. An example of this might be where we pass on information to the next of kin of an employee who is gravely ill
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This is usually used by public authorities carrying out vital functions such as provision of public utilities or public safety
  • the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject and their right to privacy in relation to their personal data. This is a difficult exception to generalise about, but it can be used by businesses where they have legitimate commercial aims which can override the data subjects' interests. Examples might be the chasing of a legitimate debt, investigating potential dishonesty of an employee, or investigating a grievance about sexual or racial harassment. These legitimate aims may require some processing of personal data which may be justified in that context. Any user who wishes to use this basis would be advised to speak to the DPO to discuss it.


Sensitive Personal Data or ‘Special Category Data’

This data has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data controller needs the data subject’s explicit consent to do so or a clear legal basis. We will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.


Other Personal Data

The Firm will adhere to the following principles:

  • the Firm collects and processes the personal data set out below, this includes:
    • personal data obtained directly from you.
  • the Firm only collects processes and holds personal data for the specific purposes set out, or for other purposes expressly permitted by the GDPR
  • we keep data subjects informed at all times of the purpose(s) for which the Firm processes their personal data
  • where personal data will be disclosed to third parties, we will only do so where we are legally required to do so, e.g. to HMRC or to money laundering authorities, or where we have the data subjects’ free and informed consent to the disclosure
  • we will only collect and process personal data for and to the extent necessary for those specified purpose(s)
  • in respect of personal data that we collect and process, we will
    • keep it accurate and up to date
    • grant the data subject the right to rectify any inaccurate data in accordance with their right to do so
    • regularly check the data and ensure that all reasonable steps are taken to promptly rectify or delete any mistakes or inaccuracies as appropriate
    • not keep personal data any longer than is necessary bearing in mind the purpose(s) for which it was collected
    • take all reasonable steps to promptly delete or dispose of any data which is no longer required
    • adhere to our Retention Policy, which is available to all staff
    • take measures to ensure the security of the data in line with the measures set out below

 

Data Processing

We act as data processors for a number of clients (the data controllers), receiving personal data relating to their employees and processing it for the purpose of paying salaries and making appropriate deductions. We do not expect to receive any sensitive personal data in relation to this. We will:

 

  • only process the personal data provided in accordance with the data controller’s instructions and in accordance with our contract with them
  • implement technical and organisational measures in line with the GDPR to ensure the fair and lawful processing and the security of such data
  • not disclose the data or transfer it to any third party without the explicit permission of the data controller, unless we are legally obliged to do so or it is permitted and authorised by the contract with the data controller
  • ensure that appropriate records are kept in order that we are able to demonstrate compliance with GDPR principles
  • comply with our obligations to notify the regulatory authorities of any data breach.

 

Accountability and Record Keeping

The Firm will keep written internal records of all personal data collection, holding and processing, and this will incorporate the following:

  • name and details of the Firm, its DPO and any third party data processors
  • the purposes for which the Firm collects, holds and processes personal data
  • details of the categories of personal data collected, held and processed by the firm and the categories of data subject to which the data relates
  • details of any transfers of data to non-EEA countries including the mechanism for doing so and security measures taken
  • details of the Firm’s retention policy (see Data Retention Policy)
  • detailed descriptions of all technical and organisational measures taken by the Firm to ensure the security of personal data.

 

Privacy by Design – Data Impact Assessments

Part of the Firm’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the GDPR. The Firm will always ensure that all such changes are designed and implemented in accordance with the Regulation, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes.

In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPO. This will deal with:

  • the type(s) of personal data that will be collected, held and processed
  • the purpose for which it is to be used
  • the Firm’s objectives in processing this data and making this innovation
  • how the personal data is to be used
  • internal and external parties to be consulted
  • why we need the data and how the collection of the data is proportionate to our need for it
  • what risks there are for data subjects
  • what risks the Firm runs, and
  • what measures we are proposing to minimise and protect against the risks.

 

Providing Information to Data Subjects

We are required to ensure that, when we collect and process personal data, the data subject is aware of the purposes for which this is being done, and what is happening to the data. We therefore will ensure that the following principles are followed:

  • where we collect personal data directly from the data subject, we will inform them of the purpose for which it is being collected at the time of collection
  • where we are obtaining personal data from a third party, we will inform the data subject why we are doing this
    • if we use the details to contact them, at the time of first contact, or
    • if we are going to pass the information to a third party, at the time this is done, or
    • as soon as is reasonably possible and in any event, within one month
  • all data subjects will be provided with the following information:
    • details of the Firm, including the name of the DPO
    • why the data is being collected and processed, and the legal basis for this
    • if applicable, any legitimate interests justifying the Firm’s collection and processing of data
    • where personal data is not collected directly from the subject, the categories of data collected and processed
    • where the data is to be transferred to third party/parties, their details
    • where data is to be transferred outside the EEA, details of the transfer
    • details of data retention
    • details of the data subject’s rights
      • under the GDPR
      • to withdraw consent to processing at any time
      • to complain to the Information Commissioner’s Office (ICO)
    • details of any legal or contractual requirement which means that the Firm needs to collect this information and process it, and what the implications are if it cannot do so
    • details of any automated decision making or profiling that will take place using personal data, how the decisions will be made and their consequences

 

Data Subject Access

‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held, and what is being done with it. Where a subject access request is made to us as a payroll processor, we will refer the employee to the data controller (who is their employer, our client) to deal with the request.

  • such requests need to be made by the data subject in writing
  • they should be addressed to the DPO, who will deal with the request
  • the Firm will usually respond to them within one month, but we may need to extend it for a period of up to a further two months if it is a complex request or there are multiple requests. In that situation, the data subject(s) will be informed.
  • the Firm will not charge the data subject any fee for responding to the SAR, unless the subject is asking for multiple copies of data already supplied or unless the request is manifestly unfounded or excessive.

 

Rectification of Personal Data

Where a data subject informs us that data we are holding about them is inaccurate or incomplete and requests that it is corrected, we will rectify the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months.
Where the incorrect data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is rectified.

 

Erasure of Personal Data

Data subjects have a right to require the Firm to erase personal data held about them when:

  • the Firm no longer needs the data it is holding for the purposes for which it was originally collected
  • the data subject wishes to withdraw their consent to the Firm holding and processing the data
  • the data subject objects to the Firm holding and processing the data, and there is no overriding legitimate interest which allows us to continue to do so
  • the personal data has been processed unlawfully
  • the personal data needs to be erased in order for the Firm to comply with a particular legal obligation.

Where we are obliged to do so, we will erase the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months, and again where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is erased.

 

Restriction of Personal Data Processing

Data subjects have a right to request that the Firm ceases to process any personal data that we are holding about them. If that takes place, we will only retain whatever personal data we need to ensure that no further processing takes place, and we will inform any third parties to whom we have disclosed the data about the restriction on processing (unless it is impossible to do so or would involve disproportionate effort).

 

Objections to Personal Data Processing

Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.

Personal Data Collected, Held and Processed

The following table lists, by reference number, each type of personal data the Firm collects, holds and processes, and the purpose for which it is used:

  • Reference 1. Type of data: personal details of employees, such as names, addresses, contact details, age, sex etc. Purpose: the administration of employment contracts.
  • Reference 2. Type of data: personal details of clients, such as names, addresses, contact details, age, sex etc. Purpose: to provide accountancy and related services to clients, in particular for the administration of their tax and personal financial affairs, and to comply with both their and our legal obligations, including in relation to tax and money laundering; and to market our services to clients, in accordance with the GDPR.
  • Reference 3. Type of data: education and training details of our prospective employees, employees and contractors. Purpose: collected in the course of recruitment with a view to selection, and maintained to track their career progression.
  • Reference 4. Type of data: financial details of employees and contractors, i.e. matters related to income and payroll, tax details, expenses claimed, court orders, pensions and insurance. Purpose: collected and maintained in order to ensure timely and accurate payment of staff, and proper accounting for tax purposes.

 

Data Security – Transferring Personal Data and Communications

We will ensure that we take the following measures with respect to all communications containing personal data:

  • all emails containing personal data are encrypted
  • all documents prepared for clients such as tax returns, and final accounts will be held in a separate client area, hosted by a reputable IT service provider. Access to the area is controlled. Clients will be provided with unique, confidential log in details to allow them to view their documents
  • all emails containing personal data will be marked ‘Confidential’
  • personal data contained in the body of an email, whether sent or received, should be copied from the body of the email and stored securely, with the email being deleted
  • all temporary files containing any personal data should be deleted without delay
  • where personal information is being sent by fax, the recipient should be informed of its imminent arrival to allow them to monitor and collect the document immediately
  • all personal data sent in hard copy form should be delivered to the recipient in person, in a container marked ‘Confidential’, or sent by recorded delivery or courier, as appropriate.

 

Data Storage and General Security

  • all electronic copies of personal data should be stored securely using privilege levels and passwords
  • regular password changes will be enforced and the number of logins will be restricted
  • passwords should never be written down or shared between any employees, agents, contractors or other persons working on behalf of the Firm, no matter what their level of seniority.
  • computer equipment belonging to the Firm will be sited in a secure location within the office and in a position where it cannot be viewed by members of the public
  • computer terminals must not be left unattended, and should be logged off at the end of the session
  • personal data is backed up daily and stored at onsite and offsite locations and, where appropriate, is encrypted
  • all software must be kept up to date and Vincenzo Quinto shall be responsible for ensuring that all security-related updates are installed promptly, unless there are valid technical reasons for not doing so
  • no software should be installed on the Firm’s system without the prior approval of Vincenzo Quinto
  • personal data should not be stored on any mobile device such as laptops, tablets and smartphones without the approval of the DPO and, where it is held, only in accordance with his or her instructions and limitations
  • personal data must never be transferred on to an employee’s personal device and we will never transfer such data onto a device owned by a contractor or agent unless they have agreed to comply fully with the letter and spirit of this Policy and with the GDPR
  • all manual files must be stored securely in locked cabinets and should not be left unsecured in the office overnight
  • computer printouts containing personal information should be destroyed without delay and should never be retained for scrap paper
  • where personal data is to be erased, or otherwise disposed of, this will be done in accordance with the Firm’s Data Retention Policy.

 

Access to Personal Data

In relation to accessing personal data:

  • employees must never access data either on a computer or in paper form, without having authority to do so
  • personal data must not be shared informally and if an employee, agent, contractor, or any other third party wants access to the data, it must be formally requested from the DPO
  • personal data must be handled with care, and should not be left unattended or in view of unauthorised employees, contractors or agents whether on paper or on a screen
  • where personal data held by the Firm is being used for marketing purposes, it is the responsibility of Vincenzo Quinto to ensure that appropriate consents are obtained

 

Organisational Measures

The Firm will take the following steps in relation to the collection, holding and processing of personal data:

  • all employees, agents, contractors or other parties working on our behalf will be made fully aware of their individual responsibilities, and the responsibilities of the Firm, in relation to data privacy and the GDPR, and they will be provided with a copy of this Policy
  • in respect of these individuals and of personal data held by the Firm:
    • only those persons who need access to particular personal data in order to complete their assigned duties will be granted such access
    • all persons will be appropriately trained and supervised in handling personal data
    • all persons will be encouraged to exercise caution in discussing work related matters within the workplace
    • all employees are bound by strict duties of professional confidentiality in discussing any work related matters outside the workplace, which will be adhered to and enforced
  • our methods of collecting, holding and processing data will be regularly evaluated and reviewed and the personal data held by the Firm will be reviewed periodically, as set out in our Data Retention Policy
  • we will keep the performance of our agents, contractors and third parties under review and, not only will we ensure that they are required to handle personal data in accordance with the GDPR and our Policy, but we will also ensure that they are held to the same standards as our own employees both contractually and in practice
  • where any agent, contractor or third party fails in their obligations under this Policy, we will ensure that they are required to indemnify us for costs, losses, damages or claims which may arise as a result.

 

Transfer of Personal Data outside the EEA

The Firm may from time to time transfer personal data outside the EEA. This will only be done if one or more of the following applies to the transfer:

  • it is to a territory or sector within that territory that the European Commission has determined has an adequate level of protection for personal data, or appropriate safeguards as determined by the supervisory authorities
  • it is made with the informed consent of the data subject
  • it is necessary for the performance of a contract between the data subject and the Firm, or for pre-contractual steps taken at the request of the data subject
  • it is necessary for important public interest reasons, or for the conduct of legal claims, or to protect the vital interests of the data subject
  • it is made from a register that under UK or EU law is intended to provide information to the public and which is open to the public or to those able to show a legitimate interest in accessing it.

 

Data Breach Notification

All personal data breaches must be reported immediately to the DPO.

If such a breach occurs, and it is likely to result in a risk to the rights and freedoms of data subjects, e.g. financial loss, breach of confidentiality or reputational damage, the DPO is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO also needs to ensure that the data subjects affected by the breach are informed directly and without undue delay. The following information must be provided:

  • the categories and approximate numbers of data subjects affected
  • the categories and approximate numbers of personal data records concerned
  • the name and contact details of the Firm’s DPO
  • the likely consequences of the breach
  • details of the measures taken, or proposed, to deal with the consequences of the breach.

 

Implementation of the Policy

This Policy is effective as of 25th May 2018. No part of the Policy is retrospective in effect; it applies to matters occurring on or after 25th May 2018.

This Policy has been approved and authorised by:

Name: Vincenzo Quinto
Position: Director
Date: 21/05/2018
Due for Review by: Vincenzo Quinto

 

T: 0208 3717 892 E: vincenzo@italianaccountants.com – www.italianaccountants.com
Unit 2 Bedford Mews, East Finchley, London, N2 9DF, UK
Registered office as above. Registered in England no 07037135
VAT number 191683284