Privacy Policy

Contents

1. Online Privacy Notice

1.1 Introduction.

1.2 The purposes for which we intend to process personal/group company data.

1.3 The legal basis for our intended processing of personal/group company data.

1.4 Disclosure of Personal/group company data.

1.5 Transfers of personal/group company data outside the European Economic Area (EEA).

1.6 Retention of personal/group company data.

1.7 Requesting personal/group company’s data we hold about you (subject access requests).

1.8 Putting things right (the right to rectification).

1.9 Deleting your records (the right to erasure).

1.10 The right to restrict processing and the right to object.

1.11 Obtaining and reusing personal/group company data (the right to data portability).

1.12 Withdrawal of consent.

1.13 Automated decision-making.

1.14 Complaints.

 

1. Online Privacy Notice

ONLINE PRIVACY NOTICE issued by Grieve & Lombard

1.1 Introduction

Grieve & Lombard LTD, as a data controller within the meaning of the GDPR, processes personal/group company data in accordance with the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). Our firm is committed to fulfilling our legal obligations concerning the processing of personal/group company data, ensuring the protection and proper use of such data.

Our contact details are as follows:

We reserve the right to amend this privacy notice as necessary. Should any changes occur, we will provide you with a new copy of the privacy notice or make it available to you.

In instances where we act as a data processor on behalf of a data controller, such as when processing payroll, an additional schedule with the required information is provided as part of that agreement. This schedule is to be read in conjunction with this privacy notice.

Please note that the DPA 2018 and GDPR impose specific legal obligations on the processing of personal/group company data, and we are dedicated to upholding these requirements to maintain the trust and confidence of our clients and partners.

1.2 The purposes for which we intend to process personal/group company data

Grieve & Lombard LTD processes personal/group company data with the intent to:

  • Provide professional services to our clients.
  • Fulfil our legal obligations under laws in force, such as the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
  • Comply with our professional obligations as a member of the Association of Chartered Certified Accountants (ACCA).
  • Invoice clients for services rendered.

This processing is essential for the effective delivery of our services and ensures compliance with our legal and professional responsibilities.

1.3 The legal basis for our intended processing of personal/group company data

The legal basis for processing personal/group company data at Grieve & Lombard LTD is founded on the following principles:

  • Consent: At the time of instruction, consent was given for processing personal/group company data for the purposes outlined.
  • Contract Performance: Processing is necessary for the performance of our contract with you.
  • Legal Compliance: Processing is necessary for compliance with legal obligations (e.g., MLR 2017).

It is a contractual requirement that you provide the personal/group company data requested. Without this information, we may be unable to deliver professional services. If we cannot commence acting or need to cease to act due to a lack of information, we will notify you accordingly.

1.4 Disclosure of Personal/group company data

Grieve & Lombard LTD may share personal/group company data with entities such as Companies House, charity regulators, HMRC, third parties with whom you permit us to correspond, subcontractors, an alternate in the event of our incapacity or death, professional indemnity insurers, and our professional body ACCA and/or OPBAS in relation to practice assurance and/or MLR 2017 requirements.

Additionally, if legally permitted or required, we may share personal/group company data with the police, law enforcement agencies, courts, tribunals, and the ICO.

Such sharing is necessary to comply with our legal obligations, including those to you. Should you request that we do not share your data with these third parties, it may necessitate us ceasing to act on your behalf.

1.5 Transfers of personal/group company data outside the European Economic Area (EEA)

Grieve & Lombard LTD acknowledges that personal/group company data may be accessible through our OneDrive shared cloud storage from our overseas operations outside the European Economic Area (EEA). We ensure that all data transfers comply with the GDPR and are protected by appropriate safeguards, including standard data protection clauses approved by the European Commission, to maintain the level of data protection required within the EEA.

1.6 Retention of personal/group company data

Grieve & Lombard LTD adheres to recognized good practice within the tax and accountancy sector for retaining records relating to clients. The retention periods are as follows:

  • Tax Returns: Information is retained for ten years from the end of the tax year to which the information relates.
  • Ad Hoc Advisory Work: Information is retained for ten years from when the business relationship ceased.
  • Ongoing Client Relationship: Data needed for more than one year’s tax compliance, such as capital gains base costs and claims and elections submitted to HMRC, is retained throughout the period of the relationship and deleted seven years after the end of the business relationship unless the client requests a longer retention period.

Our contractual terms include the destruction of documents as stated above, and agreement to these terms is taken as consent to the retention and subsequent destruction of records after the specified period.

Clients are responsible for retaining information we send, including details of capital gains base costs and claims and elections submitted, in the agreed-upon form. The law requires individuals, trustees, partnerships, companies, LLPs, and other corporate entities to retain documents and records relevant to tax affairs for specific periods.

Where we act as a data processor, as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed upon at the termination of the contract.

1.7 Requesting personal/group company’s data we hold about you (subject access requests)

You have a right to request access to the personal data that we hold. Such requests are known as ‘subject access requests’ (SARs).

Please provide all SARs in writing marked for the attention of Lester Lombard.

To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:

  • your date of birth
  • previous or other name(s) you have used
  • your previous addresses in the past five years
  • personal reference number(s) that we may have given you, for example, your national insurance number, your tax reference number or your VAT registration number
  • what type of information you want to know.

If you do not have a national insurance number, you must send a copy of the following:

  • the back page of your passport or a copy of your driving licence and
  • a recent utility bill.

DPA 2018 requires that we comply with a SAR promptly and, in any event, within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).

We will not charge you for dealing with a SAR.

You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter that states that you authorise the person concerned to write to us for information about you and/or receive our reply.

Where you are a data controller, and we act for you as a data processor (e.g. by processing payroll), we will assist you with SARs on the same basis as is set out above.

1.8 Putting things right (the right to rectification)

You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed. Should you become aware that any personal data we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.

Grieve & Lombard LTD acknowledges your right to have any inaccurate personal data that we hold about you corrected. You also have the right to complete any incomplete personal data. If you discover that any personal data we hold about you is inaccurate or incomplete, please contact us immediately at info@grievelombard.co.uk or reach out to our Data Protection Officer, Lester Lombard, at lester@grievelombard.co.uk or +447769065600. We will promptly correct or complete your data as requested.

1.9 Deleting your records (the right to erasure)

You have the right, under certain circumstances, to request the erasure of your personal data that Grieve & Lombard LTD holds. Detailed information on this right is available on the ICO website (www.ico.org.uk). Should you wish to have your personal data erased, please contact us without delay, and we will assess your request. There are specific situations where we may have grounds to refuse such a request, but if that is the case, we will provide you with the reasons for our decision.

1.10 The right to restrict processing and the right to object

Under certain circumstances, you have the right to restrict the processing of your personal data or to object to the processing of your data. Detailed information on these rights is available on the ICO website (www.ico.org.uk). If you wish to exercise these rights and want us to stop processing your information, or if you have objections to how we handle your data, please inform us immediately. We will consider your request and take appropriate action in accordance with legal requirements.

1.11 Obtaining and reusing personal/group company data (the right to data portability)

You have the right, under certain circumstances, to receive the personal data that Grieve & Lombard LTD holds about you in a machine-readable format, which can be used to transfer your data to a new professional adviser. This right is detailed on the ICO website (www.ico.org.uk).

The right to data portability applies when:

  • The data is provided by the individual to the controller.
  • The processing is based on the individual’s consent or for the performance of a contract.
  • The processing is carried out by automated means.

We will address any requests for data portability promptly and within one month. If the request is complex or we receive multiple requests, we may extend this period by two additional months. If an extension is necessary, we will inform you within one month of receiving the request and explain the reasons for the delay.

1.12 Withdrawal of consent

If you have provided consent for the processing of your personal data, you have the right to withdraw that consent at any time. If you wish to withdraw your consent, please notify us immediately.

Please be aware:

  • Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • If you withdraw consent, it may affect our ability to provide certain services to you.
  • We may still process your data lawfully on other grounds even after you withdraw consent, for example, if we have a legal obligation to do so.

1.13 Automated decision-making

Grieve & Lombard LTD does not use automated decision-making processes, including profiling, when processing your personal data. We believe in personal attention and the nuanced judgment of our experienced professionals to make decisions that affect our clients.

1.14 Complaints

If you are not satisfied with the response to your request for information we hold about you, or if you believe we are not complying with GDPR or DPA 2018, you are encouraged to contact us with your concerns. Please direct any complaints to info@grievelombard.co.uk.

Should you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (www.ico.org.uk).