For data protection queries and to exercise your rights, you can contact us in these ways:
Hazlewoods does not have a Data Protection Officer. Our Technical Partner and our Finance and Administration Partner oversee data protection matters.
Our website www.hazlewoods.co.uk provides an indication of the services we provide. We will use your personal data for the purpose of providing these services and any others we agree with you or an entity you are associated with. In addition, we may use it to meet our legal obligations, for the purpose of direct marketing and for other legitimate business interests. Without the relevant personal data, we may be unable to provide the service, support or response being sought from us.
When we issue a letter of engagement or other agreement to you, this also outlines the purpose for which we process your personal data. Where we judge the purpose to have changed, we will issue a further engagement letter or other documentation to reflect this.
Back to top
7. OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
Hazlewoods must have a lawful basis to process your personal data.
More than one lawful basis may apply to the processing of the same personal data.
These are the bases we most often rely on:
a. Contractual: The processing is necessary for a contract we have with you as an individual, or because you have asked us to take specific steps before entering into a contract with us.
b. Legal obligation: The processing is necessary for us to comply with the laws or regulations we are subject to (not including our contractual obligations). For example, anti-money laundering and anti-bribery legislation.
We would be unable to provide our services to you if you did not provide or we were unable to process your personal data under the lawful bases of contractual and legal obligation.
c. Legitimate interests: We also undertake processing in our legitimate interests or the legitimate interests of a third party. We check beforehand that this processing is not going to override your rights and interests.
We rely on legitimate interests to allow us for example, to:
- communicate with you, your employer or other relevant party;
- provide the services requested by our corporate clients, which may include your employer;
- provide the services requested by our clients who may be an individual or entity you have provided a service to, or been a service user or customer of, or have otherwise been in some way connected with;
- undertake administration and management;
- conduct risk management, quality assurance and other reviews;
- draw on anonymised or pseudonymised data to develop our marketing approach and compile our marketing material;
- send you direct marketing;
- compile and distribute video and audio recordings of events;
- administer our website, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- improve our website to ensure that content is presented in the most effective manner for you and for your computer;
- keep our website safe and secure;
- measure or understand the effectiveness of advertising via our website that we serve to you and others, and to deliver relevant advertising to you;
- make suggestions and recommendations to you and other users of our website about services that may interest you or them;
- allow you to participate in interactive features of our website or services, when you choose to do so;
- ask you to complete and/or sign documentation online;
- carry out management planning, modelling and internal analysis;
- enhance and develop our services;
- support the development of data processors’ services and products;
- undertake benchmarking activity, compile and issue associated reports;
- establish, exercise or defend legal claims.
d. Consent: We use the lawful basis of consent in some circumstances. For example, we may seek consent from you to share your personal data with other parties, which are not identified under the other lawful bases we use.
Processing your personal data in the above ways can include sharing your personal data with relevant third parties, where we would otherwise be unable to provide our services to you. For example, we need to share your personal data with product and service providers to obtain quotes so we can provide financial planning advice, along with undertaking related administration and management activity. More information about data-sharing can be found in sections 12, 13 and 14.
Back to top
8. DIRECT MARKETING
You can amend your preferences or opt out of our marketing via our preference centre. Alternatively you can contact us by using any of the contact details at the beginning of this policy.
Where we request your consent for direct marketing by email or text, this is governed by the Privacy and Electronic Communications Regulations (PECR). You can withdraw this consent at any time via our preference centre or by contacting us using any of the contact details at the beginning of this policy. PECR also applies to collection of cookies when you visit our website.
Back to top
9. CATEGORIES OF PERSONAL DATA
We deal with two kinds of personal data as defined under the legislation.
a. Personal data
This is information that can be linked to a living individual. The exact kinds of personal data we collect and use will vary according to the service we are providing, the purpose, and the legal basis for the data processing. We may send you a list of the information we need to carry out the services you have requested. That list will include personal data.
The most common kinds of personal data we collect are your contact details, along with information about your personal, employment and financial circumstances relevant to the services we are asked to provide. Much of this information will be provided directly by you, but we may obtain data from other sources. These sources are outlined further below.
b. Special category data (also referred to as sensitive personal data)
Although often described as information about your health, this category of data also covers personal data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation and health, along with genetic data and biometric data. Hazlewoods seeks this kind of data in limited circumstances. It should not be provided to us unless specifically requested or required.
As well as needing a lawful basis, we must follow an additional rule (processing condition) to process special category data. Hazlewoods most often uses the following processing conditions:
- Where you have given your explicit consent for us to use it. You can withdraw this consent at any time, by contacting us using any of the contact details in section 5 of this policy. Without this consent we may be unable to advise you in part or in full, or provide services which require this information to be used. We may also be unable to meet your requirements when attending a meeting, seminar or other event we have arranged;
- Where we need to use this data for the establishment, exercise or defence of legal claims;
- Where substantial public interest applies;
- Where such data has been manifestly made public by you.
- Where there is public interest in the area of public health and we are following the advice given by the Government’s public health advisers.
- Please see Appendix 1 regarding the processing of special category personal data during a pandemic or emergency situation. This may also include providing your contact details and other necessary data as part of any test and trace procedure.
- To protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (such as a medical emergency).
Hazlewoods may draw upon other processing conditions listed in data protection legislation. Criminal conviction data is not classed as special category data under this legislation. However, Hazlewoods relies on a similar set of similar processing conditions if it is necessary to process this kind of data.
Who we process for
We process personal data for different groups of individuals, for example:
- Business points of contact or representatives
- Employees, contractors and temporary workers
- Consultants and advisers
- Service users
- Pension scheme members
- Family, spouses and children
- Any individual associated with the person or entity to whom we are providing services.
Where you are providing Hazlewoods with personal data about other individuals, you warrant that you have made them aware that you are sharing their data with us and obtained any necessary consent from them.
We do not market our services to children. However, we may need to hold personal data about children to provide services to others, usually their parents, custodians or carers.
Back to top
The most common kinds of cookies we use are:
|Strictly necessary cookies
||These cookies are essential to enable you to navigate around websites securely and to provide you with services you have specifically requested.
||These cookies enhance the functionality of websites by storing your preferences. For instance, they can remember your name and location, if you provide this information.
||These cookies improve the performance of websites. For instance, they help pages load more quickly.
|Online behavioural cookies
||These cookies store information about your behaviour online, such as your browsing history. For instance, they help us tailor the advertising we show to you.
Most web browsers automatically accept cookies but, if you prefer, you can change your browser settings to prevent this. Cookies can be managed through the browser menu and are commonly referred to as ‘preferences’, ‘privacy’ or ‘security’.
You are not obliged to accept all the cookies when you are using our website, however, you may not be able to take full advantage of our site or use certain functions if you disable them.
When you use or refer to other websites or applications, you must read the provider’s cookie and privacy notices before sharing your personal data with them.
Back to top
11. PERSONAL DATA OBTAINED DIRECTLY FROM YOU
The personal data we obtain may be obtained in different forms, in paper (often converted to digital records), by phone, in video or audio recordings, various digital formats and by other means.
Hazlewoods obtains personal data from individuals directly when they, for example:
- enquire about any of the services we provide;
- sign up via our preference centre or by other means to receive marketing material from us;
- negotiate or enter into a contract or client agreement with us to provide a service;
- provide us with information connected with the contract or client agreement;
- correspond with us via our website, by phone, e-mail or otherwise;
- register or participate in meetings, seminars or other events we arrange, whether attending in person or virtually;
- take part in forums or other exchanges, whether in person or virtually;
- give us a business card;
- fill in forms, sign documents, or otherwise use our website, our applications, or others we point you to and/or submit information to us;
- participate in the social media functions on our website, our applications or others we point you to;
- report a problem when using our website, our applications or others we point you to;
- enter a competition, promotion or survey;
- visit our offices or other venues where we are present or operating from; or
- use the wi-fi network in our offices.
When you visit our website, it is set up to collect some information about you automatically, this may include:
- technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, device, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URL), real time information, clicks made through and from our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and where you visited our page from (such as search engines and social media).
We will also collect location information from you e.g. your IP address when completing or signing documentation online. Such online signing applications (sometimes called e-signature), capture your signature electronically on documents connected with the work we do with our clients and related parties, and record details of the date, time and location (IP address) of the signature made. You might be asked or choose to complete other fields or provide additional information when using these applications.
Our legal obligation and our legitimate interest in operating technological and organisational measures is to help ensure personal data is kept secure. This may require the use of personal data in authenticator or other applications to permit access to our website, our applications, or others we point you too.
In both the latter instances, you should check the privacy policies of the providers of these websites or applications to ensure you are comfortable submitting your personal data to them.
We may film or take photos of the events we hold or facilitate. Please let a Hazlewoods representative know if you wish to be excluded from any filming or photos of the event you are attending.
Back to top
12. OTHER SOURCES OF DATA AND WHO WE SHARE YOUR PERSONAL DATA WITH
We do not sell personal data to third parties.
Depending on the nature of the service we provide, the lawful basis and purpose of processing, we may need to share your personal data between the Hazlewoods data controllers listed at the beginning of this policy.
The sharing of your personal data between Hazlewoods data controllers is based on our legitimate interests in continuing to provide and/or enhance our services to you or the entity you are connected with.
Similarly we may need to share personal data with other parties (examples listed below). These parties are subject to data protection legislation and principles. We will usually have notified you of the sharing of your data with these parties. However, certain legislation may prevent us from doing so. Many of these parties both receive personal data from us and provide it to us:
- analytics providers
- online analytic and search engine providers, including Google Analytics
- advertising networks
- providers of technical, website, infrastructure, data security and back-up services and support
- providers of payment and delivery services and support
- providers of business sector information and datasets (where they have obtained the data from publicly-available sources and surveys individuals have completed)
- social media sites, including those associated with our fundraising activities
- attendees of events and other individuals who wish to view webinar, podcast and other similar material connected to events we hold
- Companies House, HM Revenue & Customs, other Government agencies and departments, including the Care Quality Commission and NHS
- law enforcement agencies and courts
- solicitors, accountants, auditors and other professional advisers
- agents and representatives
- banks and other financial institutions
- life insurance and pension providers
- credit reference and fraud prevention agencies
- providers of anti-money laundering checks, credit reference or fraud prevention services
- our debt-tracing and recovery agency
- marketing and social event organisers and venues and websites
- business gift and hospitality providers
- members of our business networks (for example, HLB International)
- industry bodies we are associated with (where we have been asked to undertake benchmarking and other analysis on behalf of their membership)
- our regulators and governing bodies
- quality assurance assessors and other business consultants
- our insurers
- those responsible for maintaining our facilities and security
- parties associated with Corporate Finance transactions, or their advisers
- other data processors (see section 15).
Through our research we may also obtain information from publicly-available databases, such as Companies House or details on a company website.
Furthermore, we will disclose your personal information:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about customers will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Hazlewoods LLP or Hazlewoods Financial Planning LLP, Hazlewoods Management Services Limited, our clients, or any other third parties. A legal obligation may mean that your data is disclosed outside the country you are located in.
Back to top
13. SHARING PERSONAL DATA BETWEEN DATA CONTROLLERS
Where data sharing takes place between Hazlewoods and others, where both or all parties are independent data controllers, our approach is described in this section of our policy. We may apply an exemption to this section, for example we will not seek a warranty from data controllers such as HMRC and other similar organisations.
We warrant, and require all other data controllers associated with any agreed data sharing to warrant, that:
We shall each be considered an independent data controller in relation to personal data, unless otherwise agreed in writing between us. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of personal data. Sharing of the data does not imply any consent (explicit or otherwise), permission or confirmation has been received from the data subjects, provider or processor of the data that the data can be used in any particular way. Each party will make its own assessment of what it is permissible for them to do with the data under data protection legislation.
Personal data will only be disclosed between parties where each party warrants that:
- there is a lawful basis for sharing the personal data with and between us; and
- all the necessary requirements under the data protection legislation have been compiled with to permit the data sharing to take place.
We shall only process the personal data shared with or between us for the agreed purpose(s).
In respect of personal data shared with or between us, provided that we are legally permitted to do so, we shall notify the relevant other data controller(s) in the event that:
- we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of our processing of their personal data;
- we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material communication in respect of our processing of the personal data from a supervisory authority as defined in the data protection legislation (for example in the UK, the Information Commissioner’s Officer (ICO)); or
- we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the personal data.
Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to clients, the holding of events, or for any other agreed purpose(s), in accordance with the engagement letter or other documentation with them in relation to those services.
Where we agree that we will be acting as joint data controllers, as defined under GDPR as ‘Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers’ we will agree the necessary steps to meet the requirements under data protection legislation if the parties consider they are not covered by the above wording. This may include stating a central point of contact for all relevant data subjects.
Back to top
14. SHARING PERSONAL DATA WITH CREDIT REFERENCE AGENCIES
Hazlewoods has a legal obligation to follow prevailing anti-money laundering legislation and takes steps to prevent fraud. It is also in our legitimate interests to do so.
Back to top
15. DATA PROCESSORS
Where we are appointing any individual or organisation to process your personal data on our behalf (otherwise known as ‘data processors’), they may only do so for specified purposes and according to our written instructions. Hazlewoods seeks confirmation of the processor’s IT security arrangements and whether personal data is processed outside the European Union. Data processors may appoint their own sub-processors: We seek written confirmation that there are similar contractual obligations with those parties.
Some data processors may use anonymised or pseudonymised data for research, statistical or survey purposes, or to enable ongoing development of their services or products.
Back to top
16. TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
Hazlewoods is located in the UK. You can find details of our office locations on our website. Hazlewoods LLP is a member of HLB International, a network of independent professional accounting firms and business advisers. Other members of this network do not have access to personal data unless you have arranged this with them.
Where possible, we or our appointed data processors will process your personal data within the European Union (EU). If your personal data does need to be transferred outside the EU, we ensure appropriate safeguards are in place to ensure that your data is properly looked after.
We ensure personal data is adequately protected and take into account where the UK has decided that a country, a territory or one or more specific sectors in a country, or an international organisation, ensures an adequate level of protection. Otherwise, we will utilise other safeguards available to us under data protection legislation to transfer the data, such as Standard Contractual Clauses.
Back to top
17. KEEPING YOUR PERSONAL DATA SECURE
Alongside the training we provide to staff on data security, we operate a series of security measures concerning access to our offices and our systems. The level and extent of each individual measure may vary, but can include, for example:
- access controls to buildings, systems and, where appropriate, individual IT applications;
- anti-virus and malware prevention;
- breach logging;
- equipment/access logs;
- horizon scanning;
- arranging back-up copies of personal data; and
- penetration testing, system monitoring and system updates (e.g. patching).
For applications running on our in-house systems, we operate a back-up facility as contingency. Our back-up data is held off-site within the UK.
We have a Business Continuity Plan (BCP) in place which is tested periodically. The BCP covers, for example:
- business continuity and disaster, recovery management strategy and policy;
- key contacts and crisis management team members;
- triggers for invoking and revoking plans;
- roles and responsibilities;
- communication plans– internal and external, including with service providers and IT suppliers;
- specific threat plans.
The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.
Back to top
18. HOW LONG WE KEEP YOUR PERSONAL DATA
The timescales for the retention of your personal data and related documentation are subject to various legal, regulatory or contractual requirements, which will reflect the purpose and lawful basis for processing the data.
Where you have told us you no longer wish to receive our direct marketing, we need to retain a record of this indefinitely. We keep a minimum amount of your personal data in order to maintain our marketing opt-out lists.
Back to top
19. YOUR RIGHTS
Data protection legislation provides the following legal rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can exercise your rights at any time by contacting us using any of the contact details in section 5 of this policy. More information is available from the Information Commissioner's Office website https://ico.org.uk/
Some rights can only be exercised under certain circumstances. If we are unable to comply with your request for any reason, we will contact you to explain our reasoning.
Your rights under data protection legislation: download pdf
Back to top
Hazlewoods aims to deal efficiently with any query or to resolve any complaint you might have about how we handle your personal data.
Your right to complain
If you consider we have processed your data in a way that infringes the legislation, you have the right to complain to the Information Commissioner’s Office. Their contact details are:
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) 01625 545 745 (national rate)
Subsequent changes to the policy may occur due to changes in the ICO’s guidance or for other reasons. Each version of the policy will be uniquely referenced.
22. MORE INFORMATION
- Information Commissioner’s Office website
Last updated 15 December 2021. Version 2021b
Back to top
Hazlewoods is required to have an appropriate lawful basis for processing the personal data and/or Special Category Data (e.g. health information) (SCD) collected from individuals relating to COVID-19. This approach would also apply to other pandemics or emergency situations.
The identification of lawful bases and processing conditions is noted below.
||Is this lawful basis applicable to Hazlewoods?
|Legitimate interests – re business continuity management and the well-being of individuals who it needs to deal with.
COVID-19 is a pandemic disease. The nature of the data being collected is going to be minimised, kept secure and not shared beyond the personnel who need to deal with it.
Hazlewoods does not believe that processing such data would outweigh the interests or fundamental rights and freedoms of individuals.
The processing would be necessary for the dealing with legal claims against us.
We also rely on legitimate interests to contact others about non-contractual matters. This would include the holding of the contact data for those, individuals would wish us to contact in an emergency.
|For SCD, Hazlewoods also needs to identify an appropriate processing condition
Is this processing condition applicable to Hazlewoods?
|Public interest in the area of public health.
Hazlewoods is following the advice given by the Government’s public health advisers. This may also include providing your contact details and other necessary data as part of any test and trace procedure.
|Additional lawful basis and processing condition re legal claims
Hazlewoods relies on the legitimate interests lawful basis and the legal claims processing condition to process relevant special category data in this instance.