Privacy Policy

Ashar Brooks ("we", "us", or "our") is committed to protecting and respecting the personal data that we hold. Personal data is any data relating to an identified or identifiable living person.

This privacy statement governs why and how we collect and use personal data in the course of our business. It also provides information about individuals' rights. It applies to personal data provided to us, by individuals themselves and by others. We may use personal data provided to us for the purposes described in this privacy statement or as made clear before collecting personal data.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data. We process personal data for various purposes. The means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose are set out below.

Personal data is provided directly by the individual concerned, by a third party, or obtained from publicly available sources. Where we receive personal data that relates to an individual from a third party, we request that the third party informs the individual of the necessary information regarding the use of their data. Our clients may refer data subjects to this privacy statement.

Security

We have policies, procedures and training in place in respect of data protection, confidentiality and information security. We regularly review our measures with the objective of ensuring their continuing effectiveness.

All information you provide to us is stored on our secure servers. Where you have a password which enables you to access our portal, you are responsible for keeping this password confidential. Please do not reveal the password to anyone.

The transmission of information over the internet is not necessarily secure. We will do our best to protect your personal data; however, we cannot guarantee the security of data that you send to our website or which you email to us — any data that you send is at your own risk. Once we receive information from you, we will use strict procedures and security features designed to prevent unauthorised access to your data.

How we use your data

This privacy policy tells you what to expect when Ashar Brooks collects personal information. It applies to information we collect in connection with:

• Client services
• Business contacts
• Suppliers
• Our employees
• Job applicants
• Visitors to our website

Client services

The data we hold

The data that is processed is dependent on the service being provided and on the recipient of that service.

Services to businesses and other organisations: We process the personal data of our clients and individuals connected with our clients. Personal data may include any relevant financial or non-financial information necessary for us to provide our services. The data we hold may include contact details, payroll data, employee information, details of shareholders, customers and suppliers, along with other relevant data.

Services to individuals and trusts: Personal data may include contact details, Unique Tax Reference, NI number, information relating to business activities, investments, other financial interests, employment and other income, and other relevant data.

Why the data is processed

Where data is collected for client services, it is used in a number of ways. Data is processed in accordance with a letter of engagement between us and our client. We provide a range of professional services to our clients, which include:

• Professional services: We provide a wide range of services, including tax, advisory and outsourcing services. We may have to process personal data in order to perform our services and/or to advise our clients.
• Administration: In order to manage and administer our business and services, we may collect and process personal data.
• Regulatory: As a regulated firm, Ashar Brooks is subject to various legal, regulatory and professional obligations that may require us to collect and process personal data. This may include (but is not limited to) the verification of identity of individuals.

How long the data is retained

We retain the personal data processed by us for as long as is considered necessary for the purposes for which it was collected, or as required by applicable law or regulation (typically 6 years). We may keep data for longer in order to establish, exercise, or defend our legal rights and the legal rights of our clients.

Personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.

Business contacts

The data we hold relating to business contacts includes: name, employer, business address, phone numbers, email address and other business contact information.

Why the data is processed: Where personal data on business contacts is held, it is used for a number of purposes, such as: to manage, administer and develop our business; relationship management; to promote and develop our services; communication of technical updates; and hosting and facilitating events.

How long the data is retained: We retain the personal data processed by us for as long as is considered necessary for the purposes for which it was collected.

Suppliers

The data we hold: We collect personal data including names, address, contact details and bank details in relation to our suppliers.

Why the data is processed: Personal data relating to suppliers is used to manage the contract between us and the supplier.

How long the data is retained: We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected. Data may be held for longer periods where required by law or regulation and in order to establish, exercise or defend our legal rights.

Our employees (past and present)

We collect personal data from our employees as part of the administration and management of our business. Our staff handbook explains what data we hold, how we process it and our data retention policy.

Job applicants

The data we hold: The data we hold relating to job applicants includes data provided in CVs, on application forms and in references provided by third parties.

Why the data is processed: All of the information obtained relating to applicants during the application process is only used for the purpose of progressing the application, or to fulfil legal or regulatory requirements as necessary.

How long the data is retained: Personal data collected in relation to applicants is held for as long as necessary in order to fulfil the purposes for which it was collected, or for a maximum of two years where those purposes are no longer necessary.

Visitors to our website

The data that we hold depends on what data was entered and for what purpose. Personal data entered so as to engage with the functionality of our website may include: name, organisation name, address, email address and phone number, a personal description of the individual and/or their business, and the individual's photograph.

In instances where data is collected automatically, this may include technical information such as: the Internet protocol (IP) address used to connect your computer to the internet, geographical location, login information, browser type and version, browser plug-in types and versions, and time zone settings.

This website is not intended for or targeted at children under the age of 13. We do not knowingly collect information about children under this age. If you believe we have collected information about a child under 13, please contact us using the details stated in this policy so that we may delete this information.

Our website uses cookies to distinguish individuals from one another. For more information, please refer to our Cookie Policy.

Why website data is processed

• Administration: To improve internal operations of the website for surveys, analysis, testing, troubleshooting and research.
• Functionality: To allow individuals to access functionality of the website such as guides and documents.
• Promote and develop offers: Some personal data may be used to measure and understand the effectiveness of advertising and communications.
• Security: To ensure the website remains safe and secure, we may sometimes collect login information and other identity-verifying data.
• Client testimonials and comments: We post client testimonials and comments on the website and these may contain personal information. We obtain each client's consent via email prior to posting their name and testimonial quote.

How long website data is retained: We retain personal data processed by us in a live environment for as long as is considered necessary in accordance with the purpose(s) for which it was collected — typically up to 6 years.

Sharing personal data

We do not sell data to any third parties. We do not provide information to third parties for their own marketing purposes and we do not undertake mailings for third parties.

Personal data is only shared with third parties when we are legally permitted to do so. We may provide personal data to:

• Government and regulatory bodies to meet our legal, regulatory and professional obligations.
• Professional advisers to confirm our practices comply with industry regulations.
• Third party organisations that assist in the maintenance of our IT systems, analysing data and the provision of marketing assistance.

Where we share your data with such agents, we require explicitly that they acknowledge and adhere to our privacy policy and data handling policies.

Locations of processing

The personal data we collect is processed in the UK and European Economic Area (EEA) and is therefore protected by UK and EEA data privacy laws. Should information be stored or processed outside the EEA, we would put agreements in place with our third party suppliers to ensure the data is protected to an equivalent standard.

Your rights

Under the GDPR you have rights in relation to any of your personal data held by us as a data controller. Specifically these are:

• The right to be informed about the collection and use of your personal data.
• The right to access your personal data held by us as a data controller.
• The right to have inaccurate personal data rectified, or completed if it is incomplete.
• The right to request the restriction of processing your personal data.
• The right to data portability.
• The right to object to the processing of your personal data in certain circumstances.
• The right to request human intervention in any automated decision making.

If you wish to exercise any of these rights, please email info@asharbrooks.co.uk.

Where legally permitted, we will notify clients if we receive a request from a data subject to exercise their rights under the General Data Protection Regulation ("GDPR").

Complaints

Ashar Brooks tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. If you want to make a complaint about the way we have processed your personal information, you can contact us by email or post at the addresses detailed below.

You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner's Office ("ICO"). For further information on your rights and how to complain to ICO, please refer to the ICO website: https://ico.org.uk/

Data Controller and contact information

Ashar Brooks Limited is registered as a data controller under registration number ZB113763.

If you have any questions about this privacy statement or how and why we process personal data, please contact us at:

Data Protection Officer
Ashar Brooks
41 Reservoir Way
Ilford
IG6 3FD

Email: info@asharbrooks.co.uk
Phone: 0207 610 6100