This policy, which takes into account new requirements under GDPR and requirements of the Privacy and Electronic Communications Regulations 2003 updated 2004 and 2011 (PECR), applies to the following legal entities:
- George Hay, which is the trading style of George Hay Partnership LLP. George Hay Partnership LLP is registered in England and Wales (OC373025). Registered office: Brigham House, High Street, Biggleswade, Bedfordshire, SG180LD.
- GH Online Accounting Limited – registered in England and Wales (3829902). Registered office: Brigham House, High Street, Biggleswade, Bedfordshire, SG180LD.
- GH Probate Limited – registered in England and Wales (9630102). Registered office: St George’s House, George Street, Huntingdon, Cambridgeshire, PE293GH.
For the purposes of this policy, the above entities will be referred to as ‘George Hay Entities’.
More information about how we treat client data can be found in our terms of business, here.
Glossary of Terms
“Personal Data” – relates to any information about a natural persons that makes them identifiable either directly or indirectly, which may include (but is not limited to):
- Names and contact information i.e. emails and telephone numbers
- National Insurance Numbers
- IP address
“Special category data” – refers to more sensitive personal data such as:
- Medical conditions
- Religious or philosophical beliefs and political opinions
- Racial or ethnic origin
- Biometric or genetic data
“Data controller” – refers to the person or organisation who decides the purposes for which and the way in which any personal data is processed.
“Data processor” – refers to a person or organisation which processes personal data for the data controller.
“Data processing” – refers to any operation or set of operations performed upon personal data or sets of it, be it by automated systems or otherwise.
Business to Business – refers to the business supplying to or communicating with any of the following; PLC, LTD, LLP incorporated partnerships, trusts and foundations, local authorities and government institutions.
Business to Consumer – refers to the business supplying to or communicating with any of the following; Private clients, sole traders, unincorporated partnerships, trusts and foundations.
What data do we collect?
The information we hold about you may include, but not be limited to:
- Personal data (i.e. name, home or service address, email address, national insurance number, telephone number, date of birth, gender)
- Details of our previous correspondence and communications with you
- Details of the service/s we have provided you with, or if you are a supplier to the George Hay Entities, of the goods and/or service/s you have supplied us with
- Financial information relating to our clients, employees or customers of our clients
- Information obtained from research, surveys, complaints, general enquiries and/or other marketing pursuits
- Information provided to us from other sources – i.e. your employer, our clients, HMRC or other professional bodies, organisations and institutions
- Employment details, where these are required for the services we provide to you or where you are an employee of the George Hay Entities
How do we collect data?
We collect your personal data when:
- you subscribe to our mailing list;
- you register to attend an event via a booking form on our website;
- you fill in the contact form on our website, call or email us to request a proposal or tender in respect of the services we provide;
- you engage our services, and also in the provision of those services to you;
- you communicate with us via post, telephone or email;
- you provide a member of our team with a business card, or contact details in the course of networking or at a business event;
- you are referred to us by an existing client, professional contact or a member of staff;
- you apply for a vacancy with the George Hay Entities, or submit your CV to us either directly, or via an agency.
We may also collect personal data from third party, or public domain sources, when we believe you may be interested in the services we provide. Where this is the case, you can easily opt-out of further communication by emailing email@example.com.
How do we process/use your data?
The following are ways in which we may process your data:
- for the purposes necessary for the performance of our contract with you/our clients and in order to comply with our legal obligations (i.e. to prevent money laundering or fraud);
- for the purposes of our own legitimate business interests, provided your own interests and rights do not override these (including marketing and business development);
- for certain additional purposes, where your express consent has been given to do so.
Please note, we may utilise more than one lawful basis to process personal data. The lawful basis will be informed by our reason for processing.
If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you, or to comply with our legal obligations.
Visitors to the ‘George Hay Entities’ websites
When you provide personal data to us, via the George Hay Entities websites, we collect the minimum amount of information to enable us to deal with your request.
We will indicate where the provision of information is voluntary or compulsory. We only request additional information where it is necessary to enable us to provide the most appropriate response.
When submitting forms on our website we use a third-party software provider for data collection and processing purposes. They will not use your data for any other purposes and will only hold the data in line with our policy on data retention.
Where we have your consent, we may also use the contact details you provide to share updates with you about our services and other business-related news and issues that we believe may be of interest.
Existing/former clients of the ‘George Hay Entities’
If you are an existing B2B or B2C client of the George Hay Entities, we will collect and process your data as dictated by our contract with you, in order to deliver the services you have engaged us to provide, to comply with our legal and regulatory obligations and where we have a legitimate business interest to do so (for example, in the course of managing and developing our business or the service we provide to you, or in the course of security and risk management activities).
We may lawfully process your data for the purposes of sending you information that we believe may be of interest to you, or that you may benefit from, on grounds of legitimate interest and utilising the soft opt-in approach approved by the ICO. This includes our regular industry updates and business insights emails, newsletters, event invitations and information about the other services that we offer.
If you have previously unsubscribed, or subsequently unsubscribe from these communications, your data will no longer be processed for this purpose but will still be stored and processed where we are contractually/legally obliged to do so.
Where we deem that you would be at a severe disadvantage if you did not receive a particular update, and there is no other way to reach you, you may receive communication from our firstname.lastname@example.org email address, even if you have previously unsubscribed This does not affect your marketing preferences otherwise.
If you would like to update your marketing preferences with us, to ensure you receive updates that are pertinent your business activities, email email@example.com.
In order to ensure our database is always up to date, we may also prompt you to update your preferences with us, during the course of our usual business activities.
Marketing & Business Development activities
As an organisation that provides services to businesses (as well as individuals), we may collect, store and process the data of businesses (and/or the decision maker/s associated with those businesses) that we believe may be interested in our offering.
Where business development and prospecting activities are concerned, the George Hay Entities will rely on ‘legitimate interests’ as the lawful ground for processing. We abide by both the PECR and GDPR guidance, when undertaking B2B business development activities.
We restrict the data we collect to that required to contact a data subject within the business environment. For the most part, this will be business-related data; company name, job title, accounting year-end, turnover, business address, corporate subscriber’s email address/addresses. The personal data that we collect, process and store for the purposes outlined above is limited to first name, last name.
The data collected will be used to communicate, via email, telephone or post, with data subjects about George Hay’s services. Where possible, communications will be directed to the person identified as having the most relevant job role within the business.
If you have previously opted out of marketing communications, we will not contact you. You have the right to object to our correspondence at any time, and you will be provided with the means to do so in any message we send.
The retention period for any personal data that we process is in accordance with legal, regulatory and contractual requirements. We will only retain your personal data for as long as is necessary, to fulfil the purposes for which it was collected.
Where you are an existing or former client of the George Hay Entities, and in the absence of specific legal, regulatory or contractual requirements, our retention policy period for records and other documentary evidence created in the provision of services is seven years.
Sharing data with other organisations/data processors
Our work for you may require us to pass your information to a third-party service provider, agent, subcontractor or other associated organisation for the purposes of pursuing our legitimate business interests or providing the services you have requested from us.
When we use a third-party service provider, we disclose only the personal information that is necessary for the activity. We have contracts in place that require them to store and process and dispose of your information securely, and not to use it for their own direct marketing purposes. We only permit third-party service providers to process your data in accordance with our instructions.
We will not share your information for marketing purposes with any person or companies so that they may offer you their own products and services.
Keeping your data safe
When you provide us with personal information, we take steps to ensure that it is stored and processed securely.
Information transmitted via the internet can never be guaranteed to be 100% secure, and so you transmit information to us in this way at your own risk.
Where we have given (or where you have chosen) a password which enables you to access either our client portal or a document, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
In the limited instances where you may have given your consent for us to send you marketing emails and other promotional material, you have the right to withdraw your consent at any time. We include an unsubscribe option in every communication we send, but you can also withdraw your consent by emailing firstname.lastname@example.org.
Access to your information, correction, portability and deletion
Subject access request – This is your right to request a copy of the information that we hold about you. If you would like a copy of some or all your personal information, please write to us at the following address: The Partner responsible for GDPR, George Hay Partnership LLP, Brigham House, High Street, Biggleswade Bedfordshire SG18 0LD or email us at email@example.com. We will respond to your request within one month of receipt and may ask you to provide proof of identity before information is released.
Correction – It is important that the information we hold about you is kept up to date. If your details change, it is your responsibility to notify us accordingly. You may ask us to correct or remove information you think is inaccurate by emailing firstname.lastname@example.org or writing to the above address.
Objections to processing of personal data – It is your right to lodge an objection to the processing of your personal data, where the lawful basis we are relying upon is ‘legitimate interests’. We will refrain from processing until such time as the issue you raise is resolved or we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms. We may also deny your request if the processing is for the establishment, exercise or defence of a legal claim.
Data portability – It is also your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if the processing is based on consent or on a contract, and the processing is carried out by automated means.
Your right to be forgotten – You can request erasure of your data where we have no good reason to continue to process it. Should you wish for us to completely delete all information that we hold about you, your request should be made in writing to: The Partner responsible for GDPR, George Hay Partnership LLP, Brigham House, High Street, Biggleswade Bedfordshire SG18 0LD or via email to email@example.com. We will consider and respond to your request within one month. If we receive multiple requests from the same individual or a request is particularly complex, under GDPR legislation we can extend the response time by a further two months.
If you feel that your personal data has been processed in a way that does not abide by the regulations set out under the PECR or GDPR, you can raise your concerns with the Information Commissioner’s Office (ICO).
- by email: firstname.lastname@example.org
- by post: The Partner responsible for GDPR, George Hay Partnership LLP, Brigham House, High Street, Biggleswade Bedfordshire SG18 0LD.