“Personal Data” is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
Burton Bandini processes personal data in the course of its business and is committed to ensuring that your privacy is protected. We will treat all information held about you in accordance with this policy which is in line with current UK legislation.
This notice applies to:
- All Client’s and respective Data Subjects
- All Third Parties and Suppliers with whom we have dealings in the ordinary course of our business including those individuals with whom we send marketing information
Any reference to ‘we’, ‘us’, ‘our’, ‘the company’ shall mean Burton Bandini Ltd.
About us and our data obligations
Burton Bandini is a “data controller” for the data we collect about our client on engagement, for example, as an accountant and book-keeper to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
Burton Bandini is also a “data processor” in respect of the data that we handle, acting on behalf of a “data controller” to process data under their instruction, such as in the case of our payroll services.
The information we collect
We gather the personal information we need for business purposes in order to provide you with the services you have requested or to comply with our regulatory obligations, as well as appropriate news and information.
We collect and process a range of information about you. This may include:
- Your personal details such as name, address and contact details, including email address and telephone number, as well as personal information like date of birth, where you work, financial information, tax information, family, lifestyle, interests and affiliations information.
- Details of contacts we have had with you in relation to the provision, or the proposed provision of our services;
- details of any services you have received from us and your wishes and criteria in respect of any matter we are helping you with;
- our correspondence and communications with you;
- information about any complaints and enquiries you make of us;
- information from research, surveys and marketing activities;
- Information we receive from other sources, such as publicly available information, information provided by your employer or our clients or information from firms our client instruct us to work with.
16 or Under
Occasionally we will coordinate with local schools to facilitate work experience at Burton Bandini Ltd for children aged under 18 and under 16. As the third party contracted to provide this service to the school, we will never collect any child’s personal data. Our policies and controls are designed to make reasonable efforts to verify that the school or other coordinating body takes full responsibility for processing the child’s personal data and the consent of the parent or guardian for children under 16 and from the child for those aged between 16 and 18.
How we may collect your personal data
Burton Bandini collects this information in a variety of ways. Usually we will have received this directly from you or at the Data Controller’s instruction. It is possible we may also receive personal data about you from others, such as members of your family, business partners and associates, employers, another party to a transaction you are engaged in or other professional advisers. Examples might include:
- You request a quote/proposal from us in respect of the (Book-keeping and accountancy) services we provide;
- You or your employer or our clients engage us to provide our services and also during the provision of those services;
- You contact us by email, telephone, post, our website etc. (for example when you have a query about our services);
- We meet with you.
Burton Bandini also collects personal data about you from third parties and/or publicly available resources, (for example, internet searches, Companies House, credit reference agencies etc.). Data is stored in a range of different places, including in relevant files, and within email and IT systems.
We may also collect information about your usage of our website (please refer to our Cookies Policy).
Purposes of collection
Our use of such personal data is subject to data protection law. We mainly use your personal data to provide you with information or services you have requested. We may also use it for other normal purposes connected with our work. For example we will use your information to update our own business records, complete statutory returns, and otherwise comply with our regulatory obligations.
Generally, we will collect, use and hold your information for the purposes of:
- Assessing applications for and providing Burton Bandini products / services.
- Conducting business, developing relationships with Burton Bandini.
- Process payments / transactions including: Accounting, Authorisation, Clearing, Chargebacks, Auditing, Billing, Reconciliation, Collection, Complaints, Enquiries, Credit Checks and related dispute resolution activities.
- Protect against and prevent fraud, unauthorised transactions, money laundering (please see below), tax evasion, claims, other liabilities and manage risk exposure and agent /franchise quality, integrity, compliance and security of business processes.
- Create and manage any accounts, associated authentication criteria (id’s and passwords) you may have with Burton Bandini.
- Provide, administer and communicate with you about Burton Bandini products, services, offers etc
- Compile business directories, including business contact information.
- Operate, monitor, evaluate and improve our products, services, website and business.
- Evaluate your interest in employment and contact you regarding possible employment opportunities.
- Comply with industry standards and Burton Bandini policies.
We have to comply with regulations like the “Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (referred to as “the Regulations).”
Burton Bandini is required to obtain certain information from you to comply with these regulations. The information provided will only be used by Burton Bandini in relation to complying with the Regulations and will not be shared with any other party unless we are required to do so by law.
If you decide to enter in to a business relationship with Burton Bandini to comply with certain regulations we will require two forms of identification to be provided for each Company Director together with a signed copy of the T&Cs to confirm that you have read and understood our Terms. The identification documents are needed as proof of ID and proof of residence and the information may be required at various stages of the process.
Basis for processing and use of your data
Burton Bandini needs to process data for purposes necessary for the performance of our contract with you, your employer or our clients and to comply with our legal obligations. This may include processing your personal data where you are an employee, subcontractor, supplier or customer of our client.
Where you enquire about becoming or where you become a client of Burton Bandini, for example, the basis for our processing of your personal data will be to enter into and perform the contract between you and us.
We may process your personal data for the purpose of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data. This includes processing for business development, marketing and management purposes. Therefore, from time to time we may send you information about company news and events we are holding or other matters that we believe will be of interest to you. This could involve us seeking your thoughts and opinions on the services we provide and us notifying you of any changes. The basis for our processing of your personal data this way will be legitimate interest and you will be free to withdraw from these communications at any time.
Other information processed by Burton Bandini as part of its legitimate interests include: network and information security, cloud storage, updating customer details, due diligence involving risk assessment and fraud prevention.
We may also process your personal data for certain additional purposes with your consent, and in these limited circumstances where your consent is required we will seek your clear and unambiguous consent prior to processing your data and you have the right to withdraw your consent to processing for such specific purposes at any time.
Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.
We may use your personal data in order to:
- Carry out our obligations arising from any agreements entered into between you, your employer or our clients and us (which will most usually be for the provision of our services);
- Carry out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision of our services) where you may be a subcontractor, supplier or customer of our client;
- Provide you with information related to our services and our events and activities that you request from us or which we feel may interest you, provided you have consented to be contacted for such purposes;
- Seek your thoughts and opinions on the services we provide; and
- Notify you about any changes to our services.
Do any third parties have access to my data?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
We will need to allow computer system access to our IT consultants and software providers, as and when required for the performance of their work for us. This requires us to share your personal information within Burton Bandini in the context of system maintenance support and hosting of data.
We may pass on information to “Third parties” assisting with the work we do for you. “Third parties” includes third-party service providers like contractors and designated agents such as professional accountancy advisers, pension suppliers, mortgage brokers, insurance providers, tax authorities etc. These “third parties” are other companies employed to provide services for us or to whom we provide services. Like us, they will have access to the personal information needed to perform their functions and not for any other purpose.
The following activities are carried out by third-party service providers: IT (and cloud services), professional advisory and support services, administration services, marketing services and banking services.
We may disclose your details to credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
In addition, our business may be audited or checked by third parties such as our regulatory bodies, those providing professional services to us, or those with whom we are entering into business relationships. It is sometimes inevitable that such third parties will see some information about you.
Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.
To summarise, we may share the information we collect with, but not limited to, the following third parties:
- Vetted affiliates and partners / Financial Institutions / Insurance Companies for business facilitation to provide required services, such as mortgages, insurance cover, pension etc.
- Formally contracted service providers to perform IT (Development / Support / Hosting), Cloud Services, Confidential waste services etc on our behalf:
We contractually require these service providers to safeguard the privacy and security of personal information they process on our behalf and authorise them to use or disclose the information only as necessary to perform services on our behalf or comply with legal requirements:
- Councils, health and care providers
- Law firms
- Credit agencies, Land Registry Office, Her Majesty’s Revenue and Customs HMRC), Financial Conduct Authority (FCA) and other relevant regulatory bodies
- Perspective employers requesting references via your written consent
Additionally, we may share information about you, if required legally, to prevent harm or financial / reputation loss, for investigation of suspected or actual fraudulent or illegal activities.
How secure is my information with third-party service providers?
All our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
How does Burton Bandini protect data?
Burton Bandini takes the security of your data seriously. Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions and are obliged to implement appropriate measures to ensure the security of data.
All employees, agents, contractors and other third parties are subject to a duty of confidentiality.
We have internal policies and controls in place in respect of security that are regularly reviewed to ensure that they are commercially reasonable and appropriate to prevent data from being accidentally lost or destroyed, used or accessed in an unauthorised way, altered or disclosed. Our policies and controls are designed to limit access to those employees, agents, contractors and other third parties who have a business need to know.
Our process in the event of a data breach:
- The breach will be reported as soon as it occurs. (Staff are aware to report a breach to: Beverley Burton.)
- We will complete an Incident Report/Breach Notification Form as part of the 72hr reporting process.
- We will contain the breach by taking the appropriate steps immediately to minimise the effect of it, limit the damage and recover any losses. The police will be informed where appropriate and advice sought from Directors to resolve the incident as quickly as possible.
- We will investigate and assess the risks of the breach as we liaise with the relevant people to determine the suitable course of action to ensure a resolution to the incident.
- We will notify the relevant parties having consulted our IT Dept to determine who needs to be notified of the breach on a case-by-case basis.
- Depending on the considerations of the incident, notification could go as far as a public announcement with mail/ email notifications to tell customers the facts about the breach, info about the risks they face, steps they can take to protect themselves and in response to inquiries.
- Once the incident is contained we will carry out a full review of the causes of the breach, effectiveness of response and what changes need to be made to systems, policies and procedures to minimise similar incidents occurring and improve controls for managing breaches.
How long does Burton Bandini keep data?
We employ appropriate security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.
We will only retain your personal data for as long as the law requires or as long as it is necessary to fulfil the purposes for which it is collected, taking into account the nature of the information and purpose for which it has been obtained and is used or held. Personal information is generally kept for seven years after last contact with you. However we reserve the right to keep information for longer if we feel it is in the legitimate interests of Burton Bandini.
Our archive system flags all files when they reach the seven year limit, at which point they become subject to our confidential waste arrangement where destruction certificates are issued to Burton Bandini as receipt of the confidential waste being destroyed.
For clients, unless you tell us not to, we intend to destroy correspondence and other papers that are more than seven years old, except documents we think may be of continuing significance. You must tell us if you wish us to keep any document for any longer period.
For other individuals, we will destroy personal information once it becomes clear to us that we no longer have reason to keep it, unless you request that we retain it.
When assessing what retention period is appropriate for your personal data, we take into consideration:
- the requirements of our business and the services provided;
- any statutory or legal obligations;
- the purposes for which we originally collected the personal data;
- the lawful grounds on which we based our processing;
- the types of personal data we have collected;
- the amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
International data transfers
For the purposes of business conduct, identification of fraud, money laundering and other potential un-authorised activities, Burton Bandini engages profiling activities via direct use of personal information.
- Background checks for existing and new employees, clients, business partners, affiliates
- Financial viability analysis / reports
- Business partner / client portfolio position, performance, risk positions
- Anti-money laundering
- Tax reporting
- Credit defaulting / exposure
Under certain circumstances individuals have certain rights over their personal data. These include:
- requesting access to and thereby receiving details of personal data held;
- requesting correction of personal data, where appropriate;
- requesting erasure of personal data, where appropriate;
- objecting to the processing of your personal data where Burton Bandini is relying on its legitimate interests as the legal ground for processing; and
- requesting the restriction of processing of your personal data for a period if data is inaccurate or there is a dispute about whether or not your interests override Burton Bandini’s legitimate grounds for processing;
- Requesting the transfer or your personal data where processing is based on consent, is carried out by automated means and is technically feasible.
If you believe that any information we are holding on you is incorrect or incomplete, please write or email us as soon as possible. We will promptly correct any information found to be incorrect.
What if you do not provide personal data?
If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively we may be unable to comply with our legal or regulatory obligations.
Changes to how we protect your privacy
Where we undergo substantial changes to our privacy statement we will endeavour to inform you directly about them.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting other sites even if you access them using links to or from our website. You should exercise caution and look at the privacy statement applicable to the website in question.
Burton Bandini tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention and welcome any suggestions for improving our procedures.
If you believe that Burton Bandini has not complied with your data protection rights please contact us accordingly. We will look into any complaint carefully and promptly and do all we can to explain the position to you.
You also have the right to complain to the Information Commissioner’s office (https://ico.org.uk/)
How to contact us
We always want to hear from our customers. If you:
- Have any questions or feedback
- Would like us to stop using your information
- Want to exercise any of your rights as set out above, or have a complaint
Please don’t hesitate to contact us and we will be happy to answer any questions you may have.
You can contact us at email address: email@example.com or else through the Burton Bandini website. Or if you’d like to, you can write to us at: Burton Bandini Ltd, 30A High St, Stony Stratford, Milton Keynes, Buckinghamshire MK11 1AF.
Review of this Policy
We keep this Policy under regular review. This Policy was last updated on 4 June 2018.