Data Protection Act 2018 and EU General Data Protection Regulation (GDPR)
We may obtain, use, process and disclose personal data about you in order that we may discharge the services agreed under this engagement letter, and for other related purposes including updating and enhancing client records, analysis for management purposes and statutory returns, crime prevention, legal and regulatory compliance. We confirm when processing data on your behalf that we will comply with the relevant provisions of all relevant data protection legislation and regulations.
You are also an independent controller responsible for complying with data protection legislation and regulation in respect of the personal data you process and, accordingly where you disclose personal data to us you confirm that such disclosure is fair and lawful and otherwise does not contravene relevant requirements. Nothing within this engagement letter relieves you as a data controller of your own direct responsibilities and liabilities under data protection legislation and regulation.
Our privacy notice, as set out in Appendix 2 to this letter, explains how we process your personal data in respect of the various services that we provide.
Together, you the client and us acting as the Accountants shall both ensure that we comply at all times with Data Protection Clauses as set out below:
- We comply with our obligations where applicable as Controllers, Joint Controllers and Processors under GDPR and other relevant data protection law.
- We shall each implement all appropriate technical and organisational security measures which will ensure against unauthorised access, unlawful alteration, accidental loss and damage to client data. These procedures will also safeguard against unlawful disclosure, unlawful destruction and unauthorised processing of data.
- We shall assist each other to ensure our compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to both parties.
As Accountants, we shall:
- taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising a Data Subject’s rights laid down under GDPR;
- process your data only on documented instructions from you and as set out in this letter, unless required to do so by law;
- ensure that persons authorised to process your data by us have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- at your choice, delete or return all your data to you after the end of the engagement, and delete existing copies unless required by law to retain the client data. In this regard, the client acknowledges that we are required by law to retain most client data for a period of seven years.
- make available to you all information necessary to demonstrate compliance with the obligations laid down in these Data Protection Clauses and, upon at least 30 days prior written notice from you, allow for and contribute to audits, including inspections, conducted by you or another agent mandated by you, no more than once per calendar year, for the sole purpose of assessing our compliance with these Data Protection Clauses. The cost of any such audit shall be borne by you.
- with regard to your data, be solely responsible for providing all Data Subjects with the information required by Articles 13 and 14 of the GDPR, on behalf of us and yourself, as required for us to process your data in accordance with GDPR.
- with regard to your data, be solely responsible for responding to requests for exercising a Data Subject’s rights laid down under GDPR.
- indemnify us, without limit or exclusion, against any damages incurred by the Firm arising from or in connection with:
  - any breach by you of your obligations under these Data Protection Clauses; and/or
  - any act or omission from you or your officer, employee, contractor or agent which causes us to breach any of the obligations under GDPR or other applicable data protection law.
- You hereby authorise us to engage sub-processors for the processing of your data. We shall inform you of any intended changes concerning the addition or replacement of sub-processors and give you the opportunity to object to such changes. Where we engage a sub-processor with your consent for the processing of your data, we shall ensure that the sub-processor is subject to the same obligations which we have under these Data Protection Clauses, pursuant to a written contract (if applicable).
Who We Are
Gilroy Gannon Chartered Accountants gather and process your personal information in accordance with this privacy statement and in compliance with the relevant data protection Regulation and laws. This statement provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
Gilroy Gannon Chartered Accountants is a partnership registered in Ireland, with its registered office at 25 Stephen Street, Sligo, Ireland. We are registered with the Data Protection Commissioner’s Office and act as the data controller and data processor when processing your data.
Information That We Collect
Gilroy Gannon Chartered Accountants processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this statement.
The personal data that we collect from you is: –
- Date of Birth
- Home Address
- Personal Email
- Business Email
- Home Telephone Number
- Mobile Telephone Number
- National Insurance Number
- Passport Number
- Driver’s License Number
- Special Category Data (i.e. health/medical information for corporate or personal financial planning only)
We collect information in the below ways: –
Client outreach, online contact forms, telephone contact & employment CVs.
How We Use Your Personal Data (Legal Basis for Processing)
Gilroy Gannon Chartered Accountants takes your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this statement. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time.
The purposes and reasons for processing your personal data are detailed below: –
- We collect your personal data in the performance of a contract to provide a service
- We collect and store your personal data as part of our legal obligation for business accounting and tax purposes
- We will occasionally send you marketing information where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests
You have the right to access any personal information that Gilroy Gannon Chartered Accountants process about you and to request information about: –
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store your personal data for
- If we did not collect the data directly from you, information about the source
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.
Sharing and Disclosing Your Personal Information
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this statement or where there is a legal requirement. Gilroy Gannon Chartered Accountants uses third parties to provide the below services and business functions; however, all processors acting on our behalf only process your data in accordance with instructions from us and comply fully with this privacy statement, the data protection laws and any other appropriate confidentiality and security measures.
We use Microsoft Ireland’s Office 365 software platform for the provision of ‘Exchange Communications Services’ such as email and instant messaging.
Gilroy Gannon Chartered Accountants takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including: –
SSL, TLS, encryptions, restricted access, IT authentication, firewalls, anti-virus/malware software filtering.
Transfers Outside the EU
Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. Gilroy Gannon Chartered Accountants does not transfer or store any personal data outside the EU.
Consequences of Not Providing Your Data
You are not obligated to provide your personal information to Gilroy Gannon Chartered Accountants; however, as this information is required for us to provide you with our services, we will not be able to offer some/all our services without it.
How Long We Keep Your Data
Gilroy Gannon Chartered Accountants only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We are required under Irish tax law to keep your basic personal data (name, address, contact details) for a minimum of 7 years after which time it will be destroyed.
Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.
Special Categories Data
Owing to the products, services or treatments that we offer, Gilroy Gannon Chartered Accountants sometimes needs to process sensitive personal information (known as special category data) about you (e.g. trade union membership & health data). Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so.
Where we rely on your consent for processing special category data, we will obtain your explicit consent through an explicit mechanism. You can modify or withdraw consent at any time, which we will act on immediately, unless there is a legitimate or legal reason for not doing so.
Gilroy Gannon Chartered Accountants will occasionally send you information about products, services or promotions by email, SMS or post that have been identified as being beneficial to our customers and in our interests. Such information will be relevant to you as a customer and is non-intrusive and you will always have the option to opt-out/unsubscribe at any time.
Lodging A Complaint
Gilroy Gannon Chartered Accountants only processes your personal information in compliance with this privacy statement and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority. In Ireland that authority is the Office of the Data Protection Commissioner.