For data protection queries and to exercise your rights, you can contact us in these ways:
Hazlewoods does not have a Data Protection Officer. Our Technical Partner and our Finance and Administration Partner oversee data protection matters.
Our website www.hazlewoods.co.uk provides an indication of the services we provide. We will use your personal data for the purpose of providing these services. In addition, we may use it for the purpose of direct marketing and for other legitimate business interests.
When we issue a letter of engagement or other agreement to you, this also outlines the purpose for which we process your personal data. Where we judge the purpose to have changed, we will issue a further engagement letter or other documentation to reflect this.
If you (either directly or by representing another organisation) otherwise supply or deal with Hazlewoods, we will usually require your personal data for that activity to be undertaken between us, or for us to communicate on day-to-day matters.
Back to top
7. OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
Hazlewoods must have a lawful basis to process your personal data.
More than one lawful basis may apply to the processing of the same personal data.
These are the bases we most often rely on:
a. Contractual: The processing is necessary for a contract we have with you as an individual, or because you have asked us to take specific steps before entering into a contract with us.
b. Legal obligation: The processing is necessary for us to comply with the laws or regulations we are subject to (not including our contractual obligations). For example, where we need to obtain personal data from you to meet anti-money laundering legislation.
We would be unable to provide our services to you if you did not provide or we were unable to process your personal data under these lawful bases.
c. Legitimate interests: We also undertake processing in our legitimate interests or the legitimate interests of a third party. The latter may include your employer or pension scheme where we are providing services to them. Or where you are the supplier or a service-user of a client we act for.
We check beforehand that this processing is not going to override your rights and interests.
We rely on legitimate interests to allow us for example, to:
- communicate with you, your employer or other relevant party;
- provide the services requested by our corporate clients, which may include your employer;
- undertake administration and management;
- send you direct marketing;
- refer you to selected suppliers we have made you aware of;
- administer our website, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- improve our website to ensure that content is presented in the most effective manner for you and for your computer;
- part of our efforts to keep our website safe and secure, including the monitoring and enforcement of any terms in policies concerning use of our website;
- measure or understand the effectiveness of advertising via our website that we serve to you and others, and to deliver relevant advertising to you;
- make suggestions and recommendations to you and other users of our website about services that may interest you or them;
- allow you to participate in interactive features of our website or services, when you choose to do so;
- facilitate meetings, seminars or other events we arrange with you and other business partners;
- carry out management planning, modelling and internal analysis;
- enhance and develop our business and services;
- undertake benchmarking activity; quality and risk management reviews;
- establish, exercise or defend legal claims;
- carry out CCTV monitoring and maintain records of who has entered our premises;
- take photos or capture video footage of events and activities.
d. Consent: We use the lawful basis of consent in some circumstances. For example, we may seek consent from you to share your personal data with other parties, which are not identified under the other lawful bases we use.
Processing your personal data in the above ways can include sharing your personal data with relevant third parties, where we would otherwise be unable to provide our services to you. For example, we need to share your personal data with product and service providers to obtain quotes so we can provide financial planning advice, along with undertaking related administration and management activity.
Back to top
8. THE PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS
Where we request your consent for direct marketing by email or text, this is governed by the Privacy and Electronic Communications Regulations (PECR). You can withdraw this consent at any time via our preference centre or by contacting us using any of the contact details at the beginning of this policy.
Back to top
9. CATEGORIES OF PERSONAL DATA
We deal with two kinds of personal data as defined under the legislation.
a. Personal data
This is information that can be linked to a living individual. The exact kinds of personal data we collect and use will vary according to the service we are providing, the nature and purpose of the interaction between us, and the legal basis for the data processing.
We may send you a list of the information we need to carry out the services you have requested. That information may be about you or other relevant individuals.
The personal data we need often includes more than names and contact details. In order for us to provide our services efficiently, accurately and in line with various legislation we are subject to, we will often also seek information about personal and family circumstances (this might include age, date of birth, gender, marital status and dependents).
The nature of our work may mean sharing financial and tax-related information with us. It may also involve providing us with details about other individuals, such as other directors or partners at your business, family members, clients and suppliers.
If you are providing us with information about other individuals, you should make them aware that we will be processing their personal data. Where you are the data controller, you must take the necessary steps to comply with data protection legislation when sharing this data with us.
Where you or the organisation you represent supply us with a product or service, we will require the necessary personal data to allow us to complete any associated agreement and other documentation, enable us to hold necessary records, or otherwise continue to interact on a day-to-day basis.
b. Special category data (also referred to as sensitive personal data)
Although often described as information about your health, this category of data also covers personal data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation and health, along with genetic data and biometric data.
As well as needing a lawful basis, we must follow an additional rule (processing condition) to process special category data. Hazlewoods most often uses the following processing conditions:
- Where you have given your explicit consent for us to use it. You can withdraw this consent at any time, by contacting us using any of the contact details in section 5 of this policy. Without this consent we may be unable to advise you in part or in full, or provide services which require this information to be used. We may also be unable to meet your dietary or other requirements when attending a meeting, seminar or other event we have arranged;
- Where we need to use this data for the establishment, exercise or defence of legal claims; and
- Where such data has been manifestly made public by you.
Photos and video recording
We may take photographs and/or make video recordings of the events, including fundraising activities, that we arrange, facilitate or are involved in, and which you attend or participate. This material may be used by us or business partners, and/or distributed in social media in order to publicise this event.
If you would prefer not to be included in these photos or videos, please inform us prior to the start of the event or otherwise make us aware at the time.
We operate CCTV monitoring at our premises for safety and security purposes.
Who we process personal data for
We process personal data for different groups of individuals, for example:
- Business points of contact or representatives
- Employees, contractors and temporary workers
- Consultants and advisers
- Service users
- Pension scheme members
- Family, spouses and children
- Any individuals affected by Insolvency proceedings
We do not market our services to children. However, we may need to hold personal data about children to provide services to others, usually their parents, custodians or carers.
Back to top
The most common kinds of cookies we use are:
|Strictly necessary cookies
||These cookies are essential to enable you to navigate around websites securely and to provide you with services you have specifically requested.
||These cookies enhance the functionality of websites by storing your preferences. For instance, they can remember your name and location, if you provide this information.
||These cookies improve the performance of websites. For instance, they help pages load more quickly.
|Online behavioural cookies
||These cookies store information about your behaviour online, such as your browsing history. For instance, they help us tailor the advertising we show to you.
Most web browsers automatically accept cookies but, if you prefer, you can change your browser settings to prevent this. Cookies can be managed through the browser menu and are commonly referred to as ‘preferences’, ‘privacy’ or ‘security’.
You are not obliged to accept cookies, however, you may not be able to take full advantage of our site or use certain functions if you disable them.
Back to top
11. PERSONAL DATA OBTAINED DIRECTLY FROM YOU
Hazlewoods obtains personal data from individuals directly when they, for example:
- enquire about any of the services we provide or where they wish to interact with us;
- correspond with us via our website, by phone, e-mail or otherwise;
- sign up via our online preference centre or by other means to receive marketing material from us;
- negotiate or enter into a contract or client agreement with us to provide a service;
- provide us with information connected with a contract, agreement, or other interaction between us;
- register for or participate in meetings, seminars or other events (including fundraising activities) we arrange;
- give us a business card;
- fill in forms on our website and submit information to us;
- participate in other social media functions on our website or enter a competition, promotion or survey;
- connect to our website via online social media platforms;
- report a problem with our website, provide other feedback or make a complaint to us;
- visit our offices; or
- use the wi-fi network at our premises.
When you visit our website, it is set up to collect some information about you automatically, this may include:
- technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, device, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URL), real time information, clicks made through and from our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and where you visited our page from (such as search engines and social media).
Back to top
12. OTHER SOURCES OF DATA AND WHO WE SHARE YOUR PERSONAL DATA WITH
Depending on the nature of the service we provide, the lawful basis and purpose of processing, we may need to share your personal data between the Hazlewoods data controllers listed at the beginning of this policy and other parties (examples listed below). These parties are subject to data protection legislation and principles. We will usually have notified you of the sharing of your data with these parties. However, certain legislation may prevent us from doing so. Many of these parties both receive personal data from us and provide it to us:
- analytics providers
- advertising networks
- providers of technical, payment and delivery services
- providers of business sector information and datasets (where they have obtained the data from publicly-available sources and surveys individuals have completed)
- social media sites, including those associated with our fundraising activities
- Companies House
- HM Revenue & Customs, other Government agencies and departments
- law enforcement agencies and courts
- solicitors, accountants, auditors and other professional advisers
- agents and representatives
- banks and other financial institutions
- life insurance and pension providers
- credit reference and fraud prevention agencies
- providers of credit reference or fraud prevention services
- our debt-tracing and recovery agency
- marketing and social event organisers and venues and websites
- online analytic and search engine providers
- members of our business networks (for example, HLB International)
- industry bodies we are associated with (where we have been asked to undertake benchmarking and other analysis on behalf of their membership)
- our regulators and governing bodies
- quality assurance assessors and other business consultants
- our insurers
- parties associated with Corporate Finance transactions, or their advisers
- data processors
Through our research we may also obtain information from publicly-available databases, such as Companies House or details on a company website.
We may also receive personal data about individuals from fundraising websites they have linked to our corporate fundraising page. This may include an individual’s name (usually as the fundraiser), the name and creation date of their page, their fundraising target, how much they have raised and the number of donors to their page. If an event benefits multiple charities and they choose to fundraise for a particular charity, we may also receive the name of the charity for which they are fundraising. This data is already publicly available on fundraising pages. We do not receive personal data about donors.
In addition, individuals may also choose to participate in fund-raising events facilitated by Hazlewoods. This may require the processing of personal data connected with that event, including the sharing of it with our fundraising partners and beneficiaries.
Furthermore, we will disclose your personal information:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets, or their advisers;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about customers will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Hazlewoods LLP or Hazlewoods Financial Planning LLP, Hazlewoods Management Services Limited, our clients, or any other third parties.
Back to top
13. SHARING PERSONAL DATA WITH CREDIT REFERENCE AGENCIES
Hazlewoods has a legal obligation to follow prevailing anti-money laundering legislation and takes steps to prevent fraud. It is also in our legitimate interests to do so.
Consequently, we are required to obtain satisfactory evidence to confirm your identity at such times as we consider necessary. In order to verify personal information provided by you we may undertake searches with a credit reference or fraud prevention agency, which will include checking the information against any database (public or otherwise) to which they have access. The agencies may record details of such a search and may disclose your information and the fact that a search was made to their other customers, to assist companies for verification purposes or in assessing the risk of giving credit, to prevent fraud and money laundering, and to trace debtors. The searches do not impact your credit rating.
Back to top
14. DATA PROCESSORS
Where we are appointing any individual or organisation to process your personal data on our behalf (otherwise known as ‘data processors’), they may only do so for specified purposes and according to our written instructions. Hazlewoods seeks confirmation of the processor’s IT security arrangements and whether personal data is processed outside the European Union.
Back to top
15. TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
Hazlewoods is located in the UK. You can find details of our office locations on our website. Hazlewoods LLP is a member of HLB International, a network of independent professional accounting firms and business advisers. Other members of this network do not have access to personal data unless you have arranged this with them.
Where possible, we or our appointed data processors will process your personal data within the European Union (EU). If your personal data does need to be transferred outside the EU, we ensure appropriate safeguards are in place to ensure that your data is properly looked after.
We ensure personal data is adequately protected and take into account:
- where the European Commission has decided that a country, a territory or one or more specific sectors in a country, or an international organisation, ensures an adequate level of protection. This currently includes the US privacy shield framework; and
- other safeguards available to us under data protection legislation.
Back to top
16. KEEPING YOUR PERSONAL DATA SECURE
We operate a series of security measures concerning access to our offices and our systems. The level and extent of each individual measure may vary, but can include, for example:
- access controls to buildings, systems and, where appropriate, individual IT applications;
- anti-virus and malware prevention;
- breach logging;
- equipment/access logs;
- horizon scanning;
- arranging back-up copies of personal data; and
- penetration testing, system monitoring and system updates (e.g. patching).
For applications running on our in-house systems, we operate a back-up facility as contingency. Our back-up data is held off-site within the UK.
We have a Business Continuity Plan (BCP) in place which is tested periodically. The BCP covers, for example:
- business continuity and disaster, recovery management strategy and policy;
- key contacts and crisis management team members;
- triggers for invoking and revoking plans;
- roles and responsibilities;
- communication plans– internal and external, including with service providers and IT suppliers;
- specific threat plans.
The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.
Back to top
17. HOW LONG WE KEEP YOUR PERSONAL DATA
The timescales for the retention of your personal data and related documentation are subject to various legal, regulatory or contractual requirements, which will reflect the purpose and lawful basis for processing the data.
Where you have told us you no longer wish to receive our direct marketing, we need to retain a record of this indefinitely. We keep a minimum amount of your personal data in order to maintain our marketing opt-out lists.
Back to top
18. YOUR RIGHTS
Data protection legislation provides the following legal rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can exercise your rights at any time by contacting us using any of the contact details in section 5 of this policy. More information is available from the Information Commissioner's Office website https://ico.org.uk/
Some rights can only be exercised under certain circumstances. If we are unable to comply with your request for any reason, we will contact you to explain our reasoning.
Your rights under data protection legislation: download pdf
Back to top
Hazlewoods aims to deal efficiently with any query or to resolve any complaint you might have about how we handle your personal data.
Your right to complain
If you consider we have processed your data in a way that infringes the legislation, you have the right to complain to the Information Commissioner’s Office. Their contact details are:
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) 01625 545 745 (national rate)
21. MORE INFORMATION
- Information Commissioner’s Office website
Last updated 28 June 2019. Version 2019a
Back to top