The new General Data Protection Regulation (GDPR) becomes effective on 25th May 2018, and all organisations that process personal data must ensure that they are compliant with its regulations and principles.
We must make sure that:
- We are lawful, fair and transparent in the way that data is processed
- Personal data is used for a specific purpose
- We only record the data that is required
- We have a duty to keep the data accurate
- Data is only kept for as long as is required
- All data is stored securely
This Privacy Notice will detail how we comply with the above principles as well as your rights as the data owner.
Sedulo is a Financial Services Company based in the North of England and London. We specialise in providing Accountancy and Tax Advisory services along with Payroll, Funding and Wealth Management. Our company names are “Sedulo Manchester”, “Sedulo Funding”, “Sedulo Leeds” and “Sedulo Wealth Management”.
Personal data refers to any data that can be used to identify a natural person and we only process personal information that is required for us to carry out our business dealings for the customer.
Depending on your relationship with us and the services we are providing, we may collect a combination of the information detailed below (please note this list is not exhaustive):
- Company address
- Personal address
- NI number
- Date of birth
- Bank account information
- Personal/sales invoices
- Copies of ID
- Contact number
- Email address
- Job titles
- Salary details
- Student loan information
- Marital status
- Criminal record information
- Personal Assets and liabilities
We process relevant and required information regarding your company and employees to accurately provide services to you. The types of information listed above will only be obtained if it is directly applicable to your situation and services requested from us. To enquire about any personal information we may retain about yourself, you can email us at firstname.lastname@example.org.
To ensure smooth business running, we hold a small amount of supplier information. This information will be held identifying contact individuals within your business, including but not limited to:
- Contact name
- Business address
- Contact number
- Email address
- Bank details or other preferred method for payment to compensate services rendered for a reasonable time after the transaction. This may include but is not limited to: invoices, contracts and emails regarding details of services used by Sedulo.
The data we hold is legitimately gained either through direct contact with the customer, to ensure accurate and relevant information is given with full consent of the individual or company, or through a 3rd party. For any 3rd parties that we use to gather information (such as lead generation), we ensure that we only use GDPR-compliant companies and will not hold any data that has not been scrutinised as such. The ways we collect data include, but are not limited to:
- Receiving calls from yourself in relation to any services within your business.
- Conducting any relevant service for your business.
- Team members contacting you by means of business development activity.
- Attending business networking events with clients.
- When you have been identified as a reference provider.
- When a purchase has been made.
- Information provided on your invoice, contract or email.
We hope you will agree that we have your best interests at heart when you provide your data and we will ensure your data is kept safe. GDPR states that we are required to let you know under which legal basis your data is processed. We are using Legitimate Interest as our legal basis for processing.
Legitimate Interest – Article 6(1)(f) details:
“processing is necessary for the purpose of the legitimate interest pursued by the controller or by the third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”
We want to make sure that we provide you with the best possible service so we hold data on you and contacts within your business that we may need to speak to. In addition, we also log details of conversations, emails sent and received, meetings and other business communication.
In order to ensure prompt payment for services you have provided we will need to hold certain information on you and your business so that payments can be made within the required timescales.
For all the above, we feel this data is necessary for our legitimate interest as a Financial Services Business to provide a comprehensive service to our clients and employees.
Our core business activity is to provide clients with financial advice and accountancy services. To accomplish this, we gather personal information regarding the contact at the business, including: full name, position within business, email address, phone contact details and other information freely given by the contact.
In order to provide the best service to clients, your data may be used in one or more of the following ways:
- Storing and updating your information on our client system so that we can contact you in relation to business activity.
- Make contact in relation to business activity, either by email, telephone or in person.
- Marketing information about events we are holding that may be of interest to you.
- Marketing information in relation to the services we can provide.
- Keeping records of conversations, emails and meetings to refer to if needed in relation to any dispute.
For some of the above activities your consent is required and for more information on how we get and manage your consent please refer to section 11 in this document.
In some circumstances, we may need to share your details with a 3rd party for us to be able to provide you with our services. This would include:
- Companies House
- Pension providers
- Legal entities upon court request
- Mortgage providers
- Letting agencies
Your data is of the utmost importance to us and as such we ensure all relevant security is in place to keep your data safe and protected from any potential threats.
For more information on how we do this, please refer to our Data Protection Policy.
However, if you think we have not taken care of your data or if it has been misused, our contact information can be found at the end of this document.
We retain your information as long as the information is required and pertinent. This would either fall under our legitimate business interest of an on-going business relationship or for legal obligations.
The following information has a legal requirement to be kept for a predetermined amount of time, regardless of active services retained with us:
- HMRC records – 6 years
- Payroll information – 7 years
- Accounts information – 7 years
- Pension transfer – 7 years
- Final salary pension transfer – kept indefinitely
GDPR provides the following rights.
The Right to be Informed
You have the right to be informed about the collection and use of your personal data and you must be provided with certain information, including: the purpose for processing your personal data, our retention periods for the data and who it will be shared with. All this information is provided by means of this Privacy Notice.
The Right of Access
You have the right to access your personal data and any supplementary information. This is known as a Data Subject Access Request (DSAR) and when received by our designated Data Controller, we are legally required to provide this information within one month. This information will be provided free of charge unless we feel the request is manifestly unfounded or excessive, particularly if it is repetitive. A fee may also be charged if further copies of the same information are requested.
The Right to Rectification
You have the right to have any inaccurate personal data rectified if incomplete or incorrect. You can request this to be done verbally or in writing and we have one calendar month to respond once this has been passed to the designated Data Controller. There is no fee attached to this request; however, if we feel the request is manifestly unfounded or excessive, particularly if it is repetitive, we can charge a fee or refuse the request. If either of these applies, we will provide you with our reasons for such action.
The Right to Erasure
This is also known as the right to be forgotten. You have the right to have your personal data erased if:
- The data is no longer necessary for the reason it was originally collected or processed.
- Your data has been processed for legitimate interest and you object to the processing of your data and we cannot provide an overriding legitimate interest to continue processing.
- The data has been processed unlawfully (in breach of GDPR).
- Data must be erased to comply with a legal obligation.
If we process your data for one of the following reasons, the right to erasure does not apply:
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation.
- For the performance of a task carried out in the public interest.
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes.
- In the defence of a claim.
The Right to Restrict Processing
You have the right to restrict the processing of your data in certain circumstances. When processing is restricted we may store enough information to ensure future restriction is respected. We will stop processing data if:
- You do not agree with the accuracy of your personal data.
- The data has been unlawfully processed.
- To establish or defend a legal claim.
- You object to our legal ground for processing your data.
We can only continue to process your data when the above has been resolved and we will inform you before any restriction is lifted. If your data is restricted it can only be retained if:
- You give your consent to processing.
- It is in defence of a legal claim.
- It is for the protection of another person.
- It is for reasons of important public interest.
The Right to Data Portability
You have the right to transfer your details across different services. This right only applies if:
- The data has been provided to a controller by an individual.
- Processing is based on consent or for the performance of a contract.
- Processing is carried out by automated means.
When we receive a portability request we must respond within one month of the Data Controller being notified and no fee is applicable. We must provide the information in a structured, commonly used and machine-readable form.
The Right to Object
You can object to the processing of your data when it is processed under one of the following reasons:
- Our legitimate interest.
- Performance of a task in the public interest/exercise of official authority.
- Direct marketing.
- Processing for scientific/historical research or statistical purposes.
Within 1 month of notification of this request, we must stop processing your data unless:
- We can demonstrate compelling legitimate grounds for processing which override your interest.
- It is being processed for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing we will ensure your details are either removed or adjusted, in line with your request as promptly as possible. This process can be started by either clicking “unsubscribe” on the marketing email or emailing email@example.com.
If your data has been shared with a third party and you request one of your “rights” listed above, we will notify them and act upon the requirements of your request unless this is not possible or involves disproportionate effort.
As a business, and to comply with Article 6 of GDPR, we have agreed that the legal basis for processing your data will be (depending on your relationship with us) either “Legitimate Interest” or “Contract”. As well as complying with the GDPR in relation to direct marketing, we must comply with The Privacy and Electronic Communications Regulations (PECR).
However, in certain circumstances, we are required to have your consent to perform certain activities. This consent can be given in the form of an opt-in or soft opt-in option.
We must ensure that your consent is freely given, that you understand what you are consenting to, and that you are able to opt out and back in at any time.
You can opt in or out verbally during any client meeting. If you have opted in and wish to opt out, you can click on the link provided in one of our marketing emails or contact us using the methods listed below.
If you need to contact us for any reason regarding your data, our details are:
0333 222 444 5
Please title any post and/or email “In relation to GDPR” to ensure it is passed to the correct person. Emails or calls made to other Sedulo employees outside of these methods may not promptly reach the Data Controller to issue a response.