Privacy Policy
Introduction
1. The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) impose certain legal obligations in connection with the processing of personal data.
2. Valecrest Private Tax is a data controller and processes personal data. The contact details for these purposes are as follows: Jihao Zhang at Valecrest Private Tax; mobile: 0044 7930 607 724; email: jzhang@valecrestprivatetax.com
3. We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.
4. Where we act as a data processor on behalf of a data controller (for example, when processing payroll for you as part of our services), we will provide an additional schedule setting out the required information. That additional schedule should be read in conjunction with this privacy notice.
The purposes for which we intend to process personal data
5. We intend to process personal data for the following purposes:
1) to enable us to supply professional services to you as our client;
2) to fulfil our obligations under laws and regulations in force from time to time, including anti-money laundering legislation, sanctions requirements and other regulatory obligations;
3) to comply with professional obligations to which we are subject as members of the Chartered Institute of Taxation;
4) to verify your identity, carry out client due diligence, and undertake fraud prevention and risk management checks, including electronic verification where appropriate;
5) to use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings;
6) to enable us to invoice you for our services and investigate or address any attendant fee disputes that may arise;
7) to contact you about other services we may provide which may be of interest to you, where you have consented to us doing so;
The legal bases for our intended processing of personal data
6. Our intended processing of personal data has the following legal bases:
1) where required, you have given consent to our processing your personal data for one or more of the purposes listed above;
2) the processing is necessary for the performance of our contract with you;
3) the processing is necessary for compliance with legal obligations to which we are subject (for example, anti-money laundering, sanctions, tax and regulatory requirements);
4) the processing is necessary for the purposes of the following legitimate interests which we pursue:
a) to comply with professional obligations to which we are subject as members of the Chartered Institute of Taxation;
b) to administer and manage our practice efficiently, including record keeping, internal administration and business continuity arrangements;
c) to use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings;
d) to enable us to invoice you for our services and investigate or address any attendant fee disputes that may arise.
7. It is a requirement of our contract with you that you provide us with the personal data that we reasonably request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.
Categories of personal data collected
8. The categories of personal data collected may include the following:
1) identification and contact details, such as your name, address, email address, telephone number and date of birth;
2) national insurance number, unique taxpayer reference and other tax reference numbers;
3) employment, self-employment, pension, investment, rental and other income information relevant to your tax affairs;
4) bank account details and financial information relevant to tax compliance, tax repayments or advice;
5) copies of identification documents and information obtained through electronic identity verification, sanctions or PEP screening where required;
6) personal tax data, correspondence, records of instructions, and supporting documents you provide to us;
7) payroll, accounting or business records where relevant to the services we provide to you.
Source of personal data collected
9. In providing our services to you, it may be necessary for us to process personal data obtained from you and from third parties, including:
1) your spouse, partner, children, other relatives or other individuals pertinent to our advice or services to you, where their information is relevant to your tax affairs or to advice requested by you (each a “Connected Person”);
2) your employer, pension payer, business, partnership, LLP or company, where relevant;
3) banks, building societies, investment managers, pension providers and other financial institutions;
4) HMRC and, where relevant, other government departments, regulators or publicly available registers;
5) electronic identity verification providers and other AML/compliance screening providers;
6) software providers or online platforms where you authorise access to your records or information;
7) previous professional advisers acting on your behalf;
8) other third parties acting on your behalf or providing information or documents relevant to the services we supply.
9) ID Verifiers for compliance purposes;
10) Previous professionals who act on your behalf.
Persons/organisations to whom we may give personal data
10. We may share your personal data (and, where relevant, the personal data of any Connected Person) with:
1) HMRC;
2) any third parties with whom you require or permit us to correspond;
3) subcontractors and service providers (including, for example, IT, cloud, document management, legal and other professional advisers engaged by us in relation to the services we supply to you);
4) an alternate appointed by us in the event of incapacity or death;
5) tax insurance providers;
6) professional indemnity insurers;
7) our professional body, the Chartered Institute of Taxation, and/or the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS) in relation to practice assurance and/or the requirements of anti-money laundering legislation (or similar legislation);
8) your employer or payroll provider where this is relevant to any payroll service we provide.
11. If the law allows or requires us to do so, we may share your personal data with:
1) the police and law enforcement agencies;
2) courts and tribunals;
3) the Information Commissioner’s Office (ICO);
4) other regulators or supervisory authorities where disclosure is required or appropriate.
12. We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties, we may need to cease to act.
13. If you provide us with personal data about individuals other than yourself, you should ensure that those individuals have been provided with appropriate fair processing information, including a copy of this privacy notice where appropriate, and that you are entitled to provide that information to us so that we may process it for the purposes of this engagement.
Transfers of personal data outside the UK
14. We mainly process your personal data in the UK. However, some third-party service providers or support arrangements used in connection with our services may involve processing or access outside the UK.
15. Where personal data is transferred outside the UK, we will take reasonable steps to ensure that the transfer is compliant with applicable data protection law and that appropriate safeguards are in place.
16. Depending on the service and systems used, this may include reliance on adequacy regulations, approved contractual safeguards, or other lawful transfer mechanisms.
17. We limit access to personal information about you to those who reasonably need that information in order to provide services to you or to meet legal, regulatory or administrative requirements.
18. If you ask us not to use a particular supplier or transfer mechanism and we cannot reasonably accommodate that request, either you or we may need to reconsider the scope of services or terminate the relevant part of the engagement.
19. The categories of third-party systems and providers that may have access to your information include:
1) HM Revenue & Customs;
2) cloud-based storage, email, document management and practice management systems used by us in providing services;
3) electronic identity verification and compliance screening providers;
4) professional advisers or specialist subcontractors engaged in relation to your affairs where appropriate.
Retention of personal data
20. When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector, we will retain records relating to you as follows:
1) where tax returns have been prepared, it is our policy to retain information for 7 years from the end of the tax year to which the information relates;
2) where ad hoc advisory work has been undertaken, it is our policy to retain information for 7 years from the date the business relationship ceased;
3) where we have an ongoing client relationship, data needed for more than one year’s tax compliance (for example, capital gains base costs and claims and elections submitted to HMRC) is retained throughout the period of the relationship, but will normally be deleted 7 years after the end of the business relationship unless you ask us to retain it for longer;
21. Our contractual terms provide for the destruction of documents after 7 years and agreement to the contractual terms is taken as agreement to the retention of records for this period and to their destruction thereafter, subject to any legal or regulatory requirement to retain them for longer.
22. You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us. Documents and records relevant to your tax affairs are required by law to be retained by you as follows:
1) if you have trading or rental income, for 5 years and 10 months after the end of the tax year;
2) otherwise, for 22 months after the end of the tax year.
23. Where we act as a data processor as defined in applicable data protection legislation, we will delete or return personal data to the data controller as agreed with that controller at the end of the relevant engagement, save that we may retain such information as is required for audit, regulatory, insurance, legal or other lawful purposes.
Requesting personal data we hold about you (subject access requests)
24. You have a right to request access to the personal data that we hold about you. Such requests are known as subject access requests (SARs).
25. Please provide all SARs in writing marked for the attention of Jihao Zhang (whose contact details are set out in paragraph 2 above).
26. To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:
1) your date of birth;
2) previous or other name(s) you have used;
3) your previous addresses in the past five years;
4) personal reference number(s) that we may have given you, for example your national insurance number, your tax reference number or your VAT registration number; and
5) what type of information you want to know.
27. If you do not have a national insurance number, you must send a copy of:
1) the back page of your passport or a copy of your driving licence; and
2) a recent utility bill.
28. Data protection law requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (for example, if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).
29. We will not charge you for dealing with a SAR unless we are permitted to do so by law.
30. You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.
31. Where you are a data controller and we act for you as a data processor (for example, by processing payroll), we will use reasonable endeavours to assist you with SARs on the same basis as set out above.
Putting things right (the right to rectification)
32. You have a right to obtain the rectification of inaccurate personal data concerning you that we hold. You also have a right to have incomplete personal data that we hold about you completed. Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so that we can correct and/or complete it. Please contact Jihao Zhang (whose contact details are set out in paragraph 2 above) if you wish to exercise this right.
Deleting your records (the right to erasure)
33. In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website. If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request. Please contact Jihao Zhang (whose contact details are set out in paragraph 2 above) if you wish to exercise this right.
The right to restrict processing and the right to object
34. In certain circumstances you have the right to block or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website. Please inform us immediately if you want us to cease processing your information or you object to processing so that we can consider what action, if any, is appropriate. Please contact Jihao Zhang (whose contact details are set out in paragraph 2 above) if you wish to exercise this right.
Obtaining and reusing personal data (the right to data portability)
35. In certain circumstances you have the right to be provided with the personal data that we hold about you in a machine-readable format, for example so that the data can easily be provided to a new professional adviser. Further information is available on the ICO website.
36. The right to data portability only applies:
1) to personal data an individual has provided to a controller;
2) where the processing is based on the individual’s consent or for the performance of a contract; and
3) when processing is carried out by automated means.
37. We will respond to any data portability requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received and explain why the extension is necessary.
38. Please contact Jihao Zhang (whose contact details are set out in paragraph 2 above) if you wish to exercise this right with regard to the personal data that we hold about you.
Withdrawal of consent
39. Where any part of our processing of the personal data that you have provided to us is based on your consent, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent. Please contact Jihao Zhang (whose contact details are set out in paragraph 2 above) if you wish to exercise this right.
40. Please note:
1) the withdrawal of consent does not affect the lawfulness of earlier processing;
2) if you withdraw your consent, we may not be able to continue to provide services to you; and
3) even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (for example, because we have a legal obligation to continue to process your data).
Automated decision-making
41. We do not intend to use automated decision-making in relation to your personal data.
Complaints
42. If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with applicable data protection law in some other way, you can complain to us. Please send any complaints to Jihao Zhang (whose contact details are set out in paragraph 2 above).
43. If you are not happy with our response, you have a right to lodge a complaint with the ICO, which is the supervisory authority for data protection matters in the UK.