The Directors of Jaccountancy take ultimate responsibility for data protection.
If you have any concerns or wish to exercise any of your rights under the GDPR, then you can contact the data protection officer in
the following ways:
MLRO: Jay Wilson
ICO Registration ZA532013
Maling Exchange, Hoults Yard, NE6 2HL
0330 122 2280
We are committed to ensuring the protection of the privacy and security of any personal data which we process. By signing this
letter, you confirm that you have read and understood.
‘GDPR’ means the General Data Protection Regulation ((EU) 2016/679); and
‘PECR’ means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).
Depending on the nature of the service, we shall each be considered an independent data processor or controller in relation to the
client’s personal data. For example, if we calculate and submit your personal tax return we are acting as a controller. If we process
your payroll on behalf of your employees we are acting as a processor. Each of us will comply with all requirements and obligations
applicable to us under the data protection legislation in respect of the client’s personal data.
You shall only disclose employee personal data to us where:
(i) you have provided the necessary information to the relevant data subjects regarding its use and you may use or refer to our
(ii) you have a lawful basis upon which to do so, which, in the absence of any other lawful basis, shall be with the relevant data
subject’s consent; and
(iii) you have complied with the necessary requirements under the data protection legislation to enable you to do so.
Should you require any further details regarding our treatment of personal data, please contact our data protection manager.
We shall only process personal data:
(i) in order to provide our services to you and perform any other obligations in accordance with our engagement with you;
(ii) in order to comply with our legal or regulatory obligations; and
(iii) where it is necessary for the purposes of our legitimate interests and those interests are not overridden by the data subjects’
own privacy rights. Our privacy notice contains further details as to how we may process client personal data.
We shall maintain commercially reasonable and appropriate security measures, including administrative, physical, and technical
safeguards, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or
damage to, the client personal data.
In respect of personal data, if we are legally permitted to do so, we shall promptly notify you in the event that:
(a) we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their
data subject rights under the data protection legislation or in respect of our processing of their personal data;
(b) we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material
communication in respect of our processing of the client personal data from a supervisory authority as defined in the data protection
legislation (for example in the UK, the Information Commissioner’s Office); or
(c) we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction,
loss, unauthorised disclosure or alteration of, the client personal data.
Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or
provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the
services provided to you in accordance with our engagement letter with you in relation to those services.
Where we are specifically the data processor, we shall:
a. process personal data only in accordance with your lawful written instructions, in order to provide you with the services pursuant
to our engagement with you and in accordance with applicable data protection legislation;
b. disclose and transfer personal data to third parties, for example service providers, as and to the extent necessary in order to
provide you with the services pursuant to our engagement with you in relation to those services;
c. disclose personal data to courts, government agencies and other third parties as and to the extent required by law;
d. maintain written records of our processing activities performed on your behalf which shall include: (i) the categories of processing
activities performed; (ii) details of any cross-border data transfers
outside of the European Economic Area (EEA); and (iii) a general description of security measures implemented in respect of the
client personal data;
e. maintain commercially reasonable and appropriate security measures, including administrative, physical and technical
safeguards, to protect against unauthorised or unlawful processing of any personal data and against accidental loss or destruction
of, or damage to, such personal data.
f. return or delete all the personal data upon the termination of the engagement with you pursuant to which we agreed to provide
the services (we will retain business data for a period after termination to support a smooth handover to incoming advisors and
retain information to support you in your need to retain information for a legally defined period of time);
g. ensure that only those personnel who need to have access to personal data are granted access to it and that all of the persons
authorised to process the client personal data are bound by a duty of confidentiality;
h. notify you if we appoint a sub-processor (but only if you have given us your prior written consent, such consent not to be
reasonably withheld or delayed) and ensure any agreement entered into with the relevant sub-processor includes similar terms as
i. where we transfer personal data to a country or territory outside the EEA to do so in accordance with data protection legislation;
j. notify you promptly if:
i. we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their
data subject rights under the data protection legislation or in respect of the client personal data; or
ii. we are served with an information or assessment notice, or receive any other material communication in respect of our
processing of the client personal data from a supervisory body (for example, the Information Commissioner’s Office);
k. notify you, without undue delay, in the event that we reasonably believe that there has been a personal data breach in respect of
l. maintain complete and accurate records and information to demonstrate our compliance with this Data Protection paragraph and
sub-paragraphs, and allow for audits by you or your designated auditor with reasonable notice, and to immediately inform you if, in
our opinion, an instruction infringes the Data Protection Legislation.
m. Without prejudice, you will ensure that you have all necessary appropriate consents and notices in place to enable the lawful
transfer of the client personal data to us.
n. Should you require any further details regarding our treatment of personal data, please contact Jay Wilson