Privacy Policy
We are committed to protecting the privacy of users of our website. Our Privacy Policy sets out the policies and practices we have implemented to protect your personal data and comply with GDPR (General Data Protection Regulation).
By visiting our website you are accepting and consenting to the practices described in this policy.
Personal data we may collect from you
Data you provide us with – You may give us personal data about yourself when you complete the contact form on our website or correspond with us by telephone, email, social media or post. The personal data you give us may include your name, address, email address, telephone number, financial and credit card information.
Why we collect this personal data from you
For contractual reasons – to carry out our obligations arising from any contracts entered into between ourselves and you and to provide you with the information, products and services that you request from us.
For consensual reasons – we only keep your personal data if, after sending you this Privacy Policy, you have agreed to us keeping and using your personal data. On the majority of occasions, we will have kept your personal data to provide you with other useful information about other services we offer that are similar to those that you have already purchased or enquired about. For example, if you have consented, we will use your email address to send you our newsletter providing you with information on tips and latest offers that we believe you will benefit from. Please note that if you provide us with your business card, for example at a networking event, this is implied consent that you wish our business to contact you. You can withdraw this consent at any time (see the “Your rights” section below).
To notify you about changes to our service – our services and practices may change over the course of us having your personal data. If you have consented, we will use your email address to inform you of any changes we believe will affect you or the service you receive from us.
How we collect your personal data
We do not purchase data from third parties such as databases of email addresses and telephone numbers for the purposes of marketing. We receive personal data from the information you provide us with via the completion of our online forms on our website or from correspondence via the phone, email, social media or post with our staff.
How long we keep your personal data
To comply with the GDPR Data Protection Principle 5, we do not keep personal data for longer than is necessary for the purpose we obtained it for. For example, if you filled out a form on our website or enquired about our services and requested a quote but you did not go on to use our services, then we will permanently delete your personal data from all our systems and devices after 12 months. You are welcome to make a request for us to delete your personal data at any time (see “Your rights” below).
How we keep your personal data safe
Unfortunately, the transmission of information via the internet is not completely secure. However, we take the following steps to ensure the tightest security:
- All information you provide to us is stored on our secure servers.
- Any payment transactions will be encrypted using SSL technology.
- Only the necessary personnel have access to your personal data, to minimise risk.
- Our premises which house our PCs, hard drives and USBs, which can be used to access your Personal Data, are locked overnight and kept secure with appropriate security alarms and measures.
- We use strong, randomly generated passwords, which are changed regularly.
- We also use two-factor authentication, where a user requires two pieces of information to access personal data we hold. These steps help to keep your personal data that we hold in Cloud-based services, such as our CRM and shared folders such as DropBox, as secure as possible.
Data breaches
In the unfortunate and very rare event of a data breach that poses a risk to you, we will inform the Information Commissioner’s Office (ICO) and yourself without undue delay. Where possible this will be within 72 hours of the breach to comply with the GDPR. This will give you an opportunity to try and take steps to protect your position, for example, enable you to change passwords and inform your banks that you may be at risk of identity fraud. We are exempt from informing you and the ICO of any data breaches if:
- Appropriate technical and organisational procedural measures were applied after a data breach.
- Subsequent measures were taken to ensure that the high risk no longer exists.
- The effort to make such a notification would be disproportionate to the risk posed by the breach. This applies when the number of people affected by the data breach is so vast that notifying people on an individual basis within the required 72 hour period is not feasible. For example if millions of people are affected by the data breach then a press release would be put in the media in place of individual notification to quickly inform everybody affected. This would then be followed up with notifications informing individuals affected but would not have to be within the 72 hour period.
Our business would cooperate and work with the ICO in the majority of cases where the data breach is large scale.
Sharing your personal information
We will only supply your personal data to our business partners or suppliers if it is outlined in the written contract we have with you, necessary for us to fulfil our contractual obligations to you and if we have your explicit consent. We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in the event that we sell or buy any business assets. In this case we may have to disclose your personal data to the prospective seller or buyer of those business assets. In order to provide services to you, we may be required to pass your personal information to parties located outside of the European Economic Area (EEA) in countries that do not have Data Protection Laws equivalent to those in the UK. Where this is the case we will take reasonable steps to ensure the privacy of your information is maintained.
Your rights
Under GDPR you have the right to:
- be informed about the collection and use of your personal data
- have access to personal data about you
- have data about you deleted
- have information about you corrected
- object to or restrict the processing of data about you
- data portability to allow you to obtain and reuse your personal data for your own purposes, across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability.
- rights related to automated individual decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about you). You can request human intervention or challenge the decisions of automated decision making and profiling.
Due to our business’ compliance with GDPR we ensure:
- once we have verified your identity, we respond to and resolve all Subject Access Requests we receive from you regarding your personal data within the 30 day time limit of you making the request as outlined under GDPR.
- we do not charge any fees for making a Subject Access Request or for us resolving your request.
- we send you the information you need to resolve your Subject Access Request in the format that you made the request in, e.g. if you emailed us to make your Subject Access Request then we will send you the required information by email.
- if we are unable to comply with your Subject Access Request we will always justify why this is the case, e.g. if you are enquiring about personal information we had about you but have since deleted due to our 12 month data retention period policy (see above), we will inform you of this.
If Subject Access Requests made by you are deemed to be excessive or unfounded we reserve the right granted to us under GDPR to:
- refuse to provide you with the information, always justifying in writing the reasons behind our refusal.
- charge a reasonable admin fee, always justifying in writing the reason for any fees.
If your Subject Access Request is particularly complex, e.g. where we have to go through a large amount of data to access the information needed to resolve your Subject Access Request, then we will write to you within 30 days of you making the request to inform you why it will take us longer to comply with your Subject Access Request. Under GDPR, if we follow these steps, we will have a further 2 months to comply with your Subject Access Request.
Erasing the personal data we have about you
We will erase any personal data we have about you when you withdraw your consent to us having that data (which you can do at any time), where having the data is no longer necessary and where we can find no legitimate interest for processing the data any longer. If at any time you wish to withdraw consent for us, or any company associated with us, to process your personal data please contact Ms Gillian Calvert using the following details:
- Telephone – 01204 275264
- Email – gill@wrenaccounting.co.uk
- Post – Wren Accounting Services Limited, Outer Space Business Centre, Stone Hill Road, Farnworth, Bolton, BL4 9TP
Reserving the rights granted to us under GDPR and demonstrating our compliance, we will only refuse to erase your data if:
- we need your personal data in order to comply with European Union Member State legal obligations.
- we require your personal data for the establishment, exercise or defence of legal claims.
- your personal data is necessary for us to perform a public interest task or exercise official authority.
- we need your personal data for public health reasons.
- we require your personal data for archival research or statistical purposes.
- your personal data is necessary for us to exercise our right to freedom of expression or information.
In the majority of cases we will be able to delete the personal data we hold about you if you request us to do so. Where we cannot do so we will always provide you with the justification in writing as to why we cannot comply with your request.