Privacy Policy
Last updated 1st May 2024
1. INTRODUCTION
1.1. Duncan & Toplis operate as part of a group of companies owned by Kinbrook Group Limited, known as the “Kinbrook Group”. The Kinbrook Group is committed to safeguarding the privacy and security of your personal data.
1.2 This Privacy Notice explains how and why the Kinbrook Group collects, uses and otherwise processes your personal data in accordance with UK data protection law. It also sets out information regarding your rights in relation to your personal data. This Privacy Notice supplements any other fair processing notices that may be provided to you from time to time.
1.3 In this Privacy Notice, “we”, “us” and “our” refers to any of the businesses in the Kinbrook Group (as the context requires) and “you” refers to any individual whose personal data we collect when providing our services, including:
1.3.1 our clients (if the client is an individual), our client contacts (if the client is a business or other organisation) and third parties engaged by our clients;
1.3.2 individuals that apply for a job or internship within the Kinbrook Group;
1.3.3 counterparties of our clients and other third parties connected to work that we carry out for our clients;
1.3.4 professional advisers, experts and consultants involved in the work that we carry out for our clients; and
1.3.5 any other individual whose personal data we obtain during the course of carrying on our commercial activities, including representatives and employees from third-party suppliers.
1.4 We are the controller of the personal data that we process, i.e. the organisation which determines, alone or jointly with another party, how your personal data is processed and for what purposes. This means that we are legally responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the personal data that we handle. Where we transfer your personal data to or receive your personal data from third parties, those third parties may also be controllers. More information about this is provided in Section 7 (Sharing your Personal Data) of this Privacy Notice.
1.5 We may change this Privacy Notice at any time as the need arises. All changes to this Privacy Notice will become effective immediately. Please review this Privacy Notice regularly to keep up to date.
2. HOW TO CONTACT US
2.1 If you have any questions about this Privacy Notice or our processing of your personal data, please contact us at info@kinbrook.co.uk.
3. TYPES OF PERSONAL DATA THAT WE PROCESS
3.1 By ‘personal data’ we mean any information (including opinions) which relates to an individual and from which they can be identified either directly or indirectly through other data which the Kinbrook Group has or is likely to have in its possession.
3.2 We may collect, store and use the following personal data when engaging with you or when providing our services:
3.2.1 Identification information: such as your title, name, date of birth, the company you work for, your job title or position, your passport or other official forms of ID and your NHS number;
3.2.2 Contact information: such as your address, email address, phone number, and marketing preferences;
3.2.3 Financial information: such as your bank details, credit control information, fees information, credit rating, National Insurance number, and tax and benefits information;
3.2.4 Professional information: such as your expertise and experience, feedback on your services (including opinions) from our people and/or our clients and other information relevant and connected to how you may have performed any service referred to you by us;
3.2.5 Recruitment information: such as the information in your CV, your education, training, professional qualifications and previous employment;
3.2.6 Technical information: such as your IP address, records of your visits to our online services, your online registration details and login credentials, records of your visits to our premises (e.g. turnstile/swipe access logs);
3.2.7 Correspondence information: such as personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours, statements about you, opinions of you and information relating to the matters that you would like us to support you with;
3.2.8 Special category personal data: such as information relating to your trade union membership, race, ethnicity, sexual orientation, religious beliefs or health, including medical records and expert reports;
3.2.9 Criminal offences data: such as information in connection with HMRC-related matters, sanctions information and matters concerning financial crime or other matters where this information informs our work;
3.2.10 Images and recordings: such as CCTV footage taken at our premises and photos taken at our meetings or events and recordings of meetings or calls; and
3.2.11 Other personal data: such as personal data provided to us by you, by our client, or by third parties on our client's behalf in the course of providing financial or other professional services to our client. This may include special categories of personal data and personal data relating to criminal convictions and offences or related to security measures.
4. OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
4.1 We will only process your personal data where we are legally permitted to do so. There are a number of different legal bases set out in UK data protection law and we explain which ones we rely on in Section 4.2. We are only permitted to process special category personal data or criminal offences data when we have satisfied certain conditions in the UK data protection law. The conditions that we rely upon are set out in Sections 4.3 and 4.4 respectively.
4.2 We process your personal data by relying on the following legal bases under the UK data protection law, dependent on the purpose for which we are processing your personal data as described further in Section 5 (Why we process your Personal Data) below:
4.2.1 it is necessary to pursue our (or a third party’s) legitimate interests, as long as we have concluded that these interests do not override your rights to privacy. We will reach this decision by carrying out a balancing exercise to make sure our legitimate interests are not overridden by your right to privacy. Our legitimate interests will be those which are reasonably expected in the course of our business as a group of companies and will be to achieve the purposes set out in Section 5 (Why we Process your Personal Data) below;
4.2.2 it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (e.g. in connection with the provision of financial or other professional services to you);
4.2.3 to meet our legal and regulatory obligations (e.g. to comply with anti-money laundering requirements); and
4.2.4 you have provided your consent to use your personal data (e.g. to send you marketing materials or where you complete a survey).
4.3 Special categories of personal data
4.3.1 We process special categories of personal data:
(a) if this is necessary to establish, exercise or defend legal claims;
(b) for reasons of public interest in connection with a statutory provision;
(c) with your consent; or
(d) if this personal data has been made public by you.
4.4 Criminal offences data
4.4.1 We process criminal offence data, where necessary:
(a) with your consent;
(b) where that personal data has been manifestly made public by you;
(c) in relation to legal claims;
(d) to prevent or detect unlawful acts;
(e) to comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g. to protect the public against dishonesty, to prevent fraud); and
(f) in relation to our obligations concerning suspicion of terrorist or counter-proliferation financing or money laundering.
5. WHY WE PROCESS YOUR PERSONAL DATA
5.1 We may process your personal data for the following purposes:
5.1.1 to provide, manage and personalise our services to you;
5.1.2 to manage and administer our relationship with you (e.g. communicating with you, instruction, and conflict checking, file opening, billing procedures and credit checks);
5.1.3 to facilitate our internal business operations (e.g. internal record keeping, procurement and accounting practices);
5.1.4 to conduct the recruitment process, including receiving and processing job applications and arranging interviews;
5.1.5 to establish, exercise or defend legal claims. This includes where you are the counterparty and our client is taking action against you and circumstances where claims are made against or by us;
5.1.6 as required by law and to comply with our statutory and regulatory obligations (e.g. anti-money laundering, disclosure obligations and court orders);
5.1.7 to manage complaints, take action to put matters right and to answer questions;
5.1.8 to send you marketing materials and complete any request that you may make in relation to your marketing preferences, or other preferences relating to our communications with you;
5.1.9 to promote our services and to contact you with communications about updates, newsletters and events;
5.1.10 to organise and run events that you have expressed an interest in attending;
5.1.11 to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business;
5.1.12 for information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats (e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses);
5.1.13 to manage changes to our business (e.g. if we enter into any business arrangements (such as a joint venture with a partner) or if there is a change in our ownership or we merge with another company);
5.1.14 to enter into arrangements with your employer where you are a representative for or employee from a third-party supplier that we use; and
5.1.15 for referral purposes, we maintain a database of service providers and personal data relating to other third parties such as experts for similar purposes.
6. KEEPING YOUR PERSONAL DATA SECURE
6.1 We are committed to keeping your personal data secure. We have implemented appropriate physical, electronic and operational security safeguards to prevent unauthorised disclosure or access to your personal data. We will notify you and any applicable regulator of a personal data breach relating to your personal data where we are legally required to do so.
6.2 We secure the personal data that we collect and hold about you, including by deploying encryption technology, password protection and access controls. We also require our employees to undertake training in data privacy and to follow our internal policies and procedures relating to data.
7. SHARING YOUR PERSONAL DATA
7.1 Your personal data may be shared with:
7.1.1 service providers who support the operation of our business (e.g. IT services providers, business support service providers, postal, courier and telecommunication service providers, financial institutions and other payment services providers, and providers of debt management services);
7.1.2 other third parties connected to, involved in or engaged by us to support our work (e.g. HMRC, professional advisers (including accountants, financial auditors and tax advisers), external auditors in relation to our accreditations, financial counsel, experts and witnesses);
7.1.3 law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations;
7.1.4 third parties in connection with changes to our business, such as a new owner, or merging partner; and
7.1.5 other third parties in appropriate circumstances (e.g. where we run a joint seminar/webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event)).
7.2 Some of these recipients may be acting as controllers. We will limit the personal data that we share to the minimum required for the relevant purpose and will seek to ensure that your personal data remains appropriately protected if it is shared.
8. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE OF THE UK
8.1 Where we share your personal data with third parties in accordance with Section 7 (Sharing your Personal Data), those third parties may be located outside of the UK/EEA. In all cases, your personal data is handled and protected in accordance with UK data protection law.
8.2 Where we use cloud services, our data will generally be hosted within the UK or EEA. If we transfer any personal data to third parties outside of the UK, we may rely on: (a) a lawful exception to the rules relating to overseas data transfers (for example, you have given your explicit consent or it is necessary to make the transfer to fulfil our contract with you); (b) a decision from the Secretary of State (or other mechanism permitted under the UK data protection laws) determining that the country provides an adequate level of protection to the UK data protection laws; or (c) appropriate safeguards in respect of transfers of personal data to a country outside of the UK (for example, by requiring the recipient of the personal data in the other country to agree to the standard contractual clauses or international data transfer agreement approved under the UK data protection law).
9. RETAINING YOUR PERSONAL DATA
9.1 Your personal data is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal data that we have in our care, and are calculated taking into account the following factors:
9.1.1 potential claims or litigation;
9.1.2 guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
9.1.3 how long we need to keep the data to fulfil the original purpose for which it was collected;
9.1.4 the nature and sensitivity of personal data; and
9.1.5 legal obligations to which we are subject.
9.2 This means that, in general, we delete personal data when:
9.2.1 the purpose for its processing has been fulfilled or the contractual relationship with our client, you or your company has ended;
9.2.2 all mutual claims have been fulfilled; and
9.2.3 there are no other legal obligations to retain the personal data nor legal bases for further processing.
9.3 Typically, we retain personal data in client files for 7 years after the completion of the matter, unless there are specific circumstances compelling us to retain the client files for a longer period. For example, if you tell us that you do not want to receive marketing communications from us, we will keep a record of this for a longer period of time.
9.4 In some circumstances you can ask us to delete your personal data. Please see below for more information about your right to erasure. We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes.
10. YOUR RIGHTS
10.1 You have certain rights relating to your personal data. These include the right to:
- Information: A right to be informed about the personal data we hold about you.
- Access: A right to access the personal data we hold about you.
- Rectification: A right to require us to rectify any inaccurate personal data we hold about you.
- Erasure: A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):
  - we no longer need to use the personal data to achieve the purpose we collected it for;
  - where you withdraw your consent if we are using your personal data based on your consent; or
  - where you object to the way we process your personal data.
- Restriction of processing: In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):
  - you dispute the accuracy of the personal data held by us;
  - where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead; or
  - where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims.
- Data portability: In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
- Objection: A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims.
- Automated decision-making and profiling: A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not carry out any automated processing or profiling.
- Withdrawal: A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with marketing and newsletters).
10.2 We encourage you to contact us if you have any questions, comments or concerns about how we handle your personal data. Please contact us at info@kinbrook.co.uk.
10.3 The UK data protection law also gives you the right to lodge a complaint with the data protection supervisory authority for the UK which is the Information Commissioner’s Office (ICO). You can contact the ICO using the details set out below:
Data Protection Supervisory Authority: Information Commissioner’s Office
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113