C&GB Associates Privacy Policy
C&GB Associates are committed to protecting the privacy of our clients. See below for details about how we keep our clients' personal data safe and how we manage, share and keep client data in accordance with GDPR.
Data Protection Officer
We have appointed a Data Protection Officer (DPO), who can be contacted in the following ways should you have any questions or feedback regarding your personally identifiable information, the reporting of breaches, or the way your data is handled:
Email: mail@cgb-associates.com
Mail: Data Protection Officer, C&GB Associates, 8-10 Millgate, Thirsk, North Yorkshire, YO7 1AA
ICO Number: ZA039234
Where we collect your data from
We may collect personally identifiable information about you in the following ways:
- When you or your employer engages us to provide our services
- When you request a quote from us for the provision of services
- When you contact us on the phone or at our office
- When you use our website
- When you apply to work for us
- When you send emails or letters to us
- When you contact us via social media
- When you sign up to our newsletter
- From third parties or publicly available sources (for example HMRC or Companies House)
What personal data we hold
As C&GB Associates is a processor of information for clients, bookkeeping, accounts, tax return, CIS and payroll information is retained. See our Data Map for further details as to what data we hold, where it is stored and the purpose of holding the data.
Where is data stored?
Client Database
Certain client data is held within an online database, which is also a secure client portal used to send all documents of a sensitive nature to clients.
Engagement letters will reference GDPR based on ICAEW engagement letters, and disengagement letters will be sent when a client leaves, again based on ICAEW engagement letters.
Client data that is stored in the C&GB Associates database includes:
Individual/Partnership/Trust
- Name
- Address & time at address
- Date of birth
- National Insurance number
- Telephone
- Mobile
- UTR
- Partner’s name
- Business trading name
- Business address
- Business telephone
- Personal Tax due
- VAT number (if applicable)
- Employer PAYE reference (if applicable)
- Employer PAYE payment reference (if applicable)
Company/Charity
- Company/charity name
- Company/charity number
- UTR
- Address
- Telephone
- Mobile
- Tax due
- Directors' personal details (name, address, date of birth)
- Shareholders' personal details (name, address, date of birth)
- VAT number (if applicable)
- Employer PAYE reference (if applicable)
- Employer PAYE payment reference (if applicable)
- Corporation Tax due
C&GB Associates Systems
Data that is not held in the Cloud is stored on a server and on a password-protected machine. Both the server and this machine are backed up daily to external hard drives, and the server is also backed up via a NAS drive within the office. Backups are carried out at the end of each day, and alternate backup drives are taken off site by either of the Partners.
All machines (computers/laptops/server) use ESET EndPoint security that is automatically updated by ESET on a daily basis.
All computers are password protected.
How long is personal data stored?
We will only retain your personal data for as long as is necessary to fulfill the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:
- The requirements of our business and the services provided
- Any statutory or legal obligations
- The purposes for which we originally collected the personal data
- The lawful grounds on which we based our processing
- The types of personal data we have collected
- The amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
After such time, we will securely delete or destroy your personal data. Paper documentation is shredded after 7 years for all clients, except information that may be required in future years for tax purposes. Once 7 years have passed from a client leaving, all remaining paper documentation will be shredded.
Who we share your personal data with (Third Parties)
In order to provide you with our services and meet our legal obligations, we only share your data with C&GB Associates employees and third parties in the following circumstances:
- To fulfill the services we have been engaged to perform
- To verify your identity
- To authorise debit/credit card payments and any other transactions authorised by the client
- To meet legal obligations, e.g. taxation or criminal investigation
- If C&GB Associates is acquired by a third party, personal data held by us relating to our clients will be one of the assets transferred to the acquirer.
We’ll never make your personal data available to anyone outside our company for them to use for their own marketing purposes without your prior consent.
Request a transfer of data
You may ask us to transfer your personal data to a third party. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
What happens when a client leaves
When a client stops being a client, any electronic information is kept in an archive folder. It is archived so that a client/successor accountant or HMRC can request this information in future periods, except Xero information, which is held for a period of time by Xero as stated by Xero’s policies.
A client will be changed to ‘Inactive’ on the client database. This will make the client data not show in the general use of the database and can only be accessed through the archived platform.
Data Map
The following tables show what type of data we store, how we use the data and who is responsible for the data we hold.
GDPR Data Audit Form – Payroll Processor | |
Type of Data | Personal information about client PAYE schemes & employees to prepare client payroll |
Description of data | Employees: · Name · Address · NI number · Date of birth · Salary rate · Pension provider · Tax code · Staff identifier Client: · Employer PAYE scheme number · Employer PAYE payment reference |
Employee responsible | Payroll processors: Authorised payroll processors |
Date of consent to hold data | Date client requests C&GB Associates to prepare payroll for them |
Where the data is stored | Payroll software |
Source of the data | Client provides employee data |
Purpose of the data | To prepare client payroll |
How the data is protected in its storage | Payroll software is installed on computers and is password protected |
Usage restrictions | Authorised payroll processors |
Usage rights | Authorised payroll processors |
Usage frequency | Dependent on when payroll is required to be prepared |
Retention period | All payroll details are kept in the payroll software in the relevant fiscal year. When a client stops being a client, the payroll information is moved to an archive client file |
GDPR Data Audit Form – Bookkeeping & Accounts Processor | |
Type of Data | Personal information about clients to prepare bookkeeping, management accounts and annual accounts |
Description of data | · Name · Address · Trading name · VAT number · Client’s customer names & addresses · Client’s supplier names & addresses · Client’s bank sort code & account number · Payments and receipts |
Employee responsible | All staff members |
Date of consent to hold data | Date client requests C&GB Associates to carry out bookkeeping/accounts for them |
Where the data is stored | · Excel in client folders · Xero |
Source of the data | Client provides data via paperwork or through Xero bank feeds |
Purpose of the data | To prepare client bookkeeping and accounts |
How the data is protected in its storage | Excel is installed on computers that are password protected. Xero is cloud software that is password protected for each user |
Usage restrictions | No usage restrictions for staff members |
Usage rights | All staff members work on all clients for bookkeeping and accounts |
Usage frequency | Dependent on when bookkeeping and accounts are required to be prepared |
Retention period | All paper records are destroyed after 7 years, unless required for tax purposes for future years. All Excel files are retained. When a client stops being a client, the paperwork information is destroyed after 7 years of ceasing to be a client. Excel files are moved to a client archive folder |
GDPR Data Audit Form – CIS Processor | |
Type of Data | Personal information about client sub-contractors to prepare CIS vouchers & CIS monthly returns |
Description of data | Sub-contractors: · Name · Address · Trading name · NI number · UTR · Tax treatment for CIS purposes Client: · Employer PAYE scheme number · Employer PAYE payment reference |
Employee responsible | CIS processors: Authorised CIS processors |
Date of consent to hold data | Date client requests C&GB Associates to prepare CIS for them |
Where the data is stored | CIS Software & Excel |
Source of the data | Client provides CIS data |
Purpose of the data | To prepare client CIS vouchers and monthly returns |
How the data is protected in its storage | CIS Software and Excel are installed on computers that are password protected |
Usage restrictions | Only authorised CIS processors |
Usage rights | Only authorised CIS processors |
Usage frequency | Dependent on when CIS is required to be prepared |
Retention period | All CIS details are kept in CIS Software/Excel in the relevant fiscal year. When a client stops being a client, the CIS information is moved to an archive folder |
GDPR Data Audit Form – Tax Return Processor | |
Type of Data | Personal information about client to prepare client tax return |
Description of data | · Name · Address · NI number · Telephone number · Date of birth · Company/trust name · Employment details · Tax paid · Savings/Dividend income · Self-employment details · Any other information required to complete a tax return |
Employee responsible | Tax return processors: Authorised Tax return processors |
Date of consent to hold data | Date client requests C&GB Associates to prepare tax returns for them |
Where the data is stored | Tax return software |
Source of the data | Client provides tax return data |
Purpose of the data | To prepare client tax return |
How the data is protected in its storage | Tax return software is installed on computers or on Cloud software that is password protected |
Usage restrictions | Only authorised tax return processors |
Usage rights | Only authorised tax return processors |
Usage frequency | Annually |
Retention period | All tax return details are kept in Tax return software in the relevant tax year. When a client stops being a client, the tax return information is moved to an archive folder |
GDPR Data Audit Form – Company Secretarial Processor | |
Type of Data | Personal information about shareholders & PSCs to prepare company confirmation statements/charity commission annual returns |
Description of data | · Name · Address · Date of birth · Shareholding · Company number · Companies House passcode |
Employee responsible | Authorised company secretarial processors |
Date of consent to hold data | Date client requests C&GB Associates to prepare confirmation statements/annual returns for them |
Where the data is stored | Excel spreadsheet / Companies House / Charity Commission |
Source of the data | Client provides relevant data / Companies House / Charity Commission |
Purpose of the data | To prepare client confirmation statement/annual return |
How the data is protected in its storage | Excel is installed on computers that are password protected |
Usage restrictions | Company secretarial processor has login details to Companies House/ Charity Commission |
Usage rights | Company secretarial processor has login details to Companies House/ Charity Commission |
Usage frequency | Annually |
Retention period | All Companies House / Charity Commission details are kept in Excel. When an employer stops being a client, the login information is moved to an archive spreadsheet |
GDPR Data Audit Form – Money Laundering Compliance Controller | |
Type of Data | Personal information to verify the individual/company/charity |
Description of data | Individual: · Passport/driving licence · Utility bill Company/Charity: · Incorporation documents · Companies House information · Charity Commission information · Directors/trustees individual details as above |
Employee responsible | All staff may request and review money laundering compliance information |
Date of consent to hold data | When individual/company becomes a client |
Where the data is stored | Client paper files |
Source of the data | Client |
Purpose of the data | To verify the client for money laundering compliance |
How the data is protected in its storage | Information is kept in locked filing cabinets or via AMLCC password protected website |
Usage restrictions | No restrictions for staff members |
Usage rights | All staff can access money laundering compliance information |
Usage frequency | On engagement & 3 year review |
Retention period | When a client leaves, the AMLCC software is updated to show that they are an archived client. All paper information is shredded after 7 years of a client leaving in relation to money laundering |
Subject Access Requests
Examples of people who may request a subject access request include:
- Ex-clients
- Someone previously employed by a client
- Ex-business partner of a client
A fee cannot be charged to provide a copy of the information most people might request. As a data controller, we do not believe it is possible to provide direct access to their data via remote access to a secure system without incurring a disproportionate expense. The relevant information will be provided in a written document, or they will be allowed access to C&GB Associates' office to see their personal data held on our computer systems.
Your rights
You have certain rights which are set out in the law relating to your personal data. The most important rights are set out below:
Getting a copy of the information we hold
You can ask us for a copy of the personal data which we hold about you, by writing to the DPO. You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive. In such circumstances we can charge a reasonable fee or refuse to comply with your request. We will try to respond to all legitimate requests within one month.
Telling us if information we hold is incorrect
You have the right to question any information we hold about you that you think is wrong or incomplete. Please contact the DPO if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it.
Telling us if you want us to stop using your personal data
You have the right to:
- Object to our use of your personal data (known as the right to object); or
- Ask us to delete the personal data (known as the right to erasure); or
- Request the restriction of processing.
There may be legal reasons why we need to keep or use your data, which we will tell you about if you exercise one of the above rights.
Withdrawing consent
You can withdraw your consent to us using your personal data at any time. Please contact the Data Protection Officer if you want to withdraw your consent. If you withdraw your consent, we may not be able to provide you with our services.
Copyright Notice
Content of our website CGB-associates.com is copyrighted. All content and information provided on this website is not to be copied or reproduced without our prior written permission. A single copy may be downloaded or printed for non-commercial purposes.
Disclaimer
The information and data published on this website is strictly for informational purposes. The information provided is not a substitute for professional advice and you are recommended to obtain specific professional advice before you take any action. By using this site, you agree that we cannot be held responsible – directly or indirectly, in full or in part – for any loss as a result of acting or refraining from action as a result of the information published on this website.
Cookies and third party website links
Our website may include links to third party websites, cookies, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
While we have made every effort to ensure that the information contained in this website has been obtained from reliable sources, C&GB Associates are not responsible for any errors or omissions, or for the results obtained from the use of this information. We do not accept any liability for the content of any third party website accessed through this website, or approve the contents of any such site.
By using the information on this website in any capacity, you agree that it is your sole responsibility to do your own due diligence in order to protect yourself prior to using any third-party product, service or advice.
June 2018