Privacy Policy

Scope
This policy applies to DRP + Co, which is the trading name of DRP + CO Accountants Limited, a company registered to carry out audit work in the UK and Ireland by the Institute of Chartered Accountants in England and Wales.
The privacy policy explains how we use any personal information we collect about you when you use this website and our wider services. Please see our Job Applicant Privacy Policy on the main page.

Data Controller
The data controller is DRP + Co, 1st Floor, 6 St Johns Court, Upper Fforest Way, Swansea, SA6 8QQ and is responsible for your personal data.
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.

The data privacy manager is Eric Davies, Director, and can be contacted at the above address, by emailing privacy@drpco.co.uk or by calling 01792 791591.

Changes to our Privacy Policy and your duty to inform us of changes
We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated on 16th May 2018 and the Version number is 1.0 in line with the new GDPR guidelines.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

The data we collect about you
DRP + Co, as a Data Controller, is bound by the requirements of the General Data Protection Regulations (GDPR).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Financial Data includes bank account details.
• Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

If you fail to provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

How will we use the information about you and why
At DRP + Co we take your privacy seriously and will only use your personal information to provide the Services you have requested from us, detailed in your Letter of Engagement and supporting Schedules and as we have identified above. We will only use this information subject to your instructions, data protection law and our duty of confidentiality.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us at the details set out above.

We may receive personal data from you for the purposes of our money laundering checks, such as a copy of your passport. This data will only be processed for the purposes of preventing money laundering and terrorist financing, or as otherwise permitted by law or with your express consent.
Our work for you may require us to pass your information to external third parties and/or third parties to whom we may choose to transfer data, for the purposes of completing tasks and providing the Services to you on our behalf. However, when we use external third parties, we disclose only the personal information that is necessary to deliver the Services and we do not allow them to use your personal data for their own purposes and require them to keep your information secure.
We will not share your information for marketing purposes with companies so that they may offer you their products and services.

Purposes for which we will use your Personal Data
You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge the Services (as defined in our Letter of Engagement and supporting Schedules) and for other related purposes including:

• Updating and enhancing client records
• Analysis for management purposes
• Carrying out credit checks in relation to you
• Statutory returns
• Legal and regulatory compliance
• Crime prevention.

Marketing
We would like to send you information about our Tax Investigations Service.
You have a right at any time to stop us from contacting you for marketing purposes. To opt out please email: privacy@drpco.co.uk.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service provided to you.

Transferring your information outside of Europe
We do not generally transfer your personal data outside the European Economic Area (EEA); however, if you use our services while you are outside the EU, your information may be transferred outside the EU to give you those services.

Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How long will we hold your data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us. For example, by law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being clients for tax purposes.

Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
You have the right to:
• Request access to your personal data (commonly known as a “data subject access request”).
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data.
Note, we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
• Request restriction of processing of your personal data.
• Request the transfer of your personal data to you or to a third party.
• Withdraw consent at any time where we are relying on consent to process your personal data.
Note, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

Complaints
If you feel that your personal data has been processed in a way that does not meet the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell you of the progress and outcome of your complaint. The supervisory authority in the UK is the Information Commissioner’s Office.

Glossary of Terms

Personal data
Personal data relates to any information about a natural person that makes you identifiable which may include (but is not limited to):
• Names and contact information i.e. emails and telephone numbers
• National Insurance Numbers
• Employment history
• Employee numbers
• Credit History
• Personal tax
• Payroll and accounting data

Sensitive personal data
Sensitive personal data refers to the above but includes genetic data and biometric data. For example:
• Medical conditions
• Religious or philosophical beliefs and political opinions
• Racial or ethnic origin
• Convictions
• Biometric data

Data Controller
For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

Data Processor
A “data processor” is a person or organisation which processes personal data for the controller.

Data Processing
Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.

Legitimate Interest
Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

External Third Parties
• Service providers acting as processors who provide IT and system administration services.
• Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• HM Revenue & Customs, Pension providers, regulators and other authorities acting as processors or joint controllers who require reporting of processing activities in certain circumstances.