The Regulation (eu) 2016/679 of the European Parliament and of the council (GDPR) will replace the existing EU Data Protection Directive n. 95/46/EC.
The aim of the GDPR is to harmonize privacy law across all EU member states and to help promote the digital economy. It will also introduce new legal rights for individuals to better control and protect their personal data. Organizations holding personal data will need to provide evidence of compliance if requested to do so by clients or regulators.
The GDPR will come in to effect across the EU from 25 May 2018. As the UK will still be a member of the EU at this date, the GDPR will also apply to the UK, and will continue to apply after its eventual exit from the EU.
With the following information, we would like to give you an overview of how we will process your data and of your rights according to data privacy laws. The details on what data will be processed and which method will be used depend significantly on the services applied for or agreed upon.
1. WHO IS RESPONSIBLE FOR DATA PROCESSING?
The responsible is:
ACT London Limited
48 Dover Street, Mayfair, London W1S 4FF
Tel. +44 (0)207 4326 050
Fax +44 (0)207 4326 051
2. WHAT IS THE PURPOSE OF PROCESSING AND ON WHAT LEGAL BASIS?
We process personal data in accordance with the provisions of the European General Data Protection Regulation:
for fulfillment of contractual obligations (Art. 6 para. 1b of the GDPR): data is processed in order to provide accountancy, audit, payroll services as well as tax advice services, in the context of carrying out our business with our clients or to carry out pre-contractual measures. You can find other details about the purposes of data processing in the relevant contract documents and terms and conditions.
for the purposes of the legitimate interests pursued by us or a third party (e.g. asserting legal claims and defense in legal disputes);
as a result of your consent (Art. 6 para. 1a of the GDPR) As long as you have granted us consent to process your personal data for certain purposes (e.g. for marketing purposes). Consent given can be withdrawn at any time. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.
Furthermore, we are subject to various legal obligations and regulatory requirements (e.g. Anti-Money Laundering Regulations, FCA, HMRC and NCA ordinances and circulars, tax laws). Purposes of processing include identity and age checks, fraud and money laundering prevention, fulfilling control and reporting obligations.
3. WHAT SOURCES AND DATA DO WE USE?
We process personal data that we obtain from our clients in the context of our business relationship. We also process personal data that we obtain from publicly accessible sources, (e.g. debt registers, commercial and association registers, press, internet) or that is legitimately transferred to us by other companies or from other third parties.
Relevant data is personal information (e.g. name, address and other contact details, date and place of birth, and nationality), identification data (e.g. ID card details), and authentication data (e.g. sample signature). Furthermore, this can also be data from the fulfillment of our contractual obligations (e.g. payment transactions), information about your financial situation (e.g. origin of assets) and other data similar to the categories mentioned.
4. WHO RECEIVES MY DATA?
Within the company, every unit that requires your data to fulfill our contractual and legal obligations will have access to it.
We may pass on information about you only if legal provisions demand it, or if you have given your consent, or if we have been authorized by a contract.
Recipients of personal data can be, for example:
Other advisors, banks, other third parties to which we may transfer your personal data in order to carry out a business relationship with you (depending on the contract). Service providers and agents appointed by us can receive access to data for the purposes given only if they maintain an adequate degree of confidentiality.
Public entities and institutions (e.g. criminal prosecution authorities) upon providing a legal or official obligation.
5. WILL DATA BE TRANSFERRED TO A THIRD COUNTRY?
Data transfer in states outside the EU (known as third countries) takes place so long as:
It is necessary for the purpose of carrying out a contract with you
It is required by law (e.g. reporting obligations under fiscal law), or
You have granted us your consent
6. AM I OBLIGED TO PROVIDE DATA?
In the context of our business relationship, you must provide all personal data that is required for accepting and carrying out a business relationship and fulfilling the accompanying contractual obligations or that we are legally obliged to collect. Without this data, we are, in principle, not in a position to close or execute a contract with you. In particular, anti-money laundering regulations require us to identify you on the basis of your identification documents before establishing a business relationship and to collect and put on record name, place and date of birth, nationality, address and identification details for this purpose.
In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with the Anti-Money Laundering regulations, and to immediately disclose any changes over the course of the business relationship.
If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship you desire.
7. FOR HOW LONG WILL MY DATA BE STORED?
We will process and store your personal data for as long as it is necessary in order to fulfill our contractual and statutory obligations.
If the data is no longer required in order to fulfill contractual or statutory obligations, it is deleted, unless its further processing is required, for a limited time, for fulfilling obligations to preserve records according to commercial and tax law.
8. WHAT DATA PRIVACY RIGHTS DO I HAVE?
Every data subject has the right to access (according to Article 15 of the GDPR), the right to rectification (according to Article 6 of the GDPR), the right to erasure (according to Article 17 of the GDPR), the right to restrict processing (according to Article 18 of the GDPR), the right of object (according to Article 21 of the GDPR), and if applicable – the right to data portability (according to Article 20 of the GDPR). Furthermore, if applicable, there is also a right to lodge a complaint with an appropriate data privacy regulatory authority (Article 77 of the GDPR).
You can withdraw consent granted to us for the processing of personal data at any time. This also applies to withdrawing declarations of consent that were made to us before the GDPR came into force, i.e. before May 25, 2018.
Please note that the withdrawal only applies to the future. Processing that was carried out before the withdrawal is not affected by it.
9. TO WHAT EXTENT IS THERE AUTOMATED DECISION-MAKING?
In establishing and carrying out a business relationship, we do not use any automated decision-making pursuant to Article 22 of the GDPR.
10. WILL PROFILING TAKE PLACE?
We do not process your data automatically.