DATA PROTECTION PRINCIPLES:
KRPM Business Solutions Limited follows six principles when dealing with your personal data. We will ensure it is:

processed lawfully, fairly and in a transparent manner; processed for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up-to-date; kept for no longer than is necessary; and processed in a manner than ensures appropriate security. We operate these principles alongside our duty of confidentiality to you.

2. SCOPE
This policy applies to our processing of personal data for individuals other than: KRPM Business Solutions Limited employees. Our website contains links to other external websites. Clicking on these links may allow third parties to collect or share data about you. We have no control over these external websites or responsibility for the privacy policies they operate.

3. DEFINITIONS
Personal data is information that can be linked to a living individual. A data controller can be an individual or an organisation. They decide what personal data to collect and how it will be used. Processing data includes collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, combining, restricting, erasure or destruction of data.

4. DATA CONTROLLERS
This policy is provided on behalf of the following firms and individuals who are registered as data controllers with the Information Commissioner’s Office (ICO):

• KRPM Business Solutions Limited for our accountancy practice clients.

The above firm and individuals are referred to collectively as ‘KRPM Business Solutions Limited’, ‘us’ or ‘we’ in this policy.

5. CONTACT DETAILS
For data protection queries and to exercise your rights, you can contact us in these ways:

• Post: Privacy queries, KRPM Business Solutions Limited: Little Bursdon, Hartland, Bideford, EX39 6HB
• Telephone: 01237 440094
• Email: Our email address for data protection matters is info@krpm.co.uk

KRPM Business Solutions Limited Data Protection Officer is Richard Parsons Mason.

6. WHAT WE USE YOUR PERSONAL DATA FOR
Our website www.krpm.co.uk provides an indication of the services we provide. We will use your personal data for the purpose of providing these services. In addition, we may use it for the purpose of direct marketing and for other legitimate business interests. When we issue a letter of engagement or other client agreement to you, this also outlines the purpose for which we process your personal data. Where we judge the purpose to have changed, we will issue a further engagement letter or other documentation to reflect this.

7. OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
KRPM Business Solutions Limited must have a lawful basis to process your personal data. More than one lawful basis may apply to the processing of the same personal data. These are the bases for which we require the use of your data:

• a. Contractual: The processing is necessary for a contract we have with you as an individual, or because you have asked us to take specific steps before entering into a contract with us.
• b. Legal obligation: The processing is necessary for us to comply with the laws or regulations we are subject to (not including our contractual obligations).
• We would be unable to provide our services to you if you did not provide or we were unable to process your personal data under these lawful bases.
• c. Legitimate interests: We also undertake processing in our legitimate interests or the legitimate interests of a third party. We check beforehand that this processing is not going to override your rights and interests.

Processing your personal data in the above ways can include sharing your personal data with relevant third parties, where we would otherwise be unable to provide our services to you. For example, we need to share your personal data with product and service providers to obtain quotes so we can provide financial planning advice, along with undertaking related administration and management activity.

We rely on legitimate interests to allow us for example, to: communicate with you, your employer or other relevant party; provide the services requested by our corporate clients, which may include your employer; undertake administration and management; send you direct marketing; administer our website, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; improve our website to ensure that content is presented in the most effective manner for you and for your computer; part of our efforts to keep our website safe and secure; measure or understand the effectiveness of advertising via our website that we serve to you and others, and to deliver relevant advertising to you; make suggestions and recommendations to you and other users of our website about services that may interest you or them; allow you to participate in interactive features of our website or services, when you choose to do so; carry out management planning, modelling and internal analysis; enhance and develop our services; undertake benchmarking activity; establish, exercise or defend legal claims.


• d. Consent: We use the lawful basis of consent in some circumstances. For example, we may seek consent from you to share your personal data with other parties, which are not identified under the other lawful bases we use.

We do not need to ask you to consent to the use of cookies when using our website, as our site has no data collection or cookies in place. We are not responsible for 3rd party cookies used by google when using the Maps feature on our contact page. More information about cookies can be found in section 10 of this policy, along with how to withdraw your consent.

8. THE PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS
Where we request your consent for direct marketing by email or text, this is governed by the Privacy and Electronic Communications Regulations (PECR). You can withdraw this consent at any time via our preference centre or by contacting us using any of the contact details at the beginning of this policy.

9. CATEGORIES OF PERSONAL DATA
We deal with two kinds of personal data as defined under the legislation.

• a. Personal data
  
  This is information that can be linked to a living individual. The exact kinds of personal data we collect and use will vary according to the service we are providing, the purpose, and the legal basis for the data processing. We may send you a list of the information we need to carry out the services you have requested. That list will include personal data.


• b. Special category data (also referred to as sensitive personal data)
  
  Although often described as information about your health, this category of data also covers personal data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation and health, along with genetic data and biometric data.
  
  As well as needing a lawful basis, we must follow an additional rule (processing condition) to process special category data. KRPM Business Solutions Limited most often uses the following processing conditions:
  
  Where you have given your explicit consent for us to use it. You can withdraw this consent at any time, by contacting us using any of the contact details in section 5 of this policy. Without this consent we may be unable to advise you in part or in full, or provide services which require this information to be used. We may also be unable to meet your requirements when attending a meeting, seminar or other event we have arranged; Where we need to use this data for the establishment, exercise or defence of legal claims; and Where such data has been manifestly made public by you. We will, therefore, largely be unable to process special category data provided by corporate clients about individuals associated with them.

We process personal data for different groups of individuals, for example:

Contacts
Clients
Business points of contact or representatives
Employees, contractors and temporary workers
Consultants and advisers
Suppliers
Service users
Pension scheme members
Shareholders
Family, spouses and children

We do not market our services to children. However, we may need to hold personal data about children to provide services to others, usually their parents, custodians or carers.




10. COOKIES
Our website does not use cookies.





11. PERSONAL DATA OBTAINED DIRECTLY FROM YOU
KRPM Business Solutions Limited obtains personal data from individuals directly when they, for example:

enquire about any of the services we provide;
sign up via our preference centre or by other means to receive marketing material from us;
negotiate or enter into a contract or client agreement with us to provide a service;
provide us with information connected with the contract or client agreement;
correspond with us via our website, by phone, e-mail or otherwise;
participate in meetings, seminars or other events we arrange;
give us a business card;
fill in forms on our website and submit information to us;
participate in other social media functions on our website or enter a competition, promotion or survey;
report a problem with our website;
visit our offices; or
use the wi-fi network in our offices.






12. OTHER SOURCES OF DATA AND WHO WE SHARE YOUR PERSONAL DATA WITH
Depending on the nature of the service we provide, the lawful basis and purpose of processing, we may need to share your personal data between the KRPM Business Solutions Limited data controllers listed at the beginning of this policy and other parties (examples listed below). These parties are subject to data protection legislation and principles. We will usually have notified you of the sharing of your data with these parties. However, certain legislation may prevent us from doing so. Many of these parties both receive personal data from us and provide it to us:

analytics providers
providers of technical, payment and delivery services
providers of business sector information and datasets (where they have obtained the data from publicly-available sources and surveys individuals have completed)
social media sites, including those associated with our fundraising activities
Companies House, HM Revenue & Customs, other Government agencies and departments, including the Care Quality Commission and NHS
law enforcement agencies and courts
solicitors, accountants, auditors and other professional advisers
agents and representatives
banks and other financial institutions
life insurance and pension providers
credit reference and fraud prevention agencies
providers of credit reference or fraud prevention services
our debt-tracing and recovery agency
marketing and social event organisers and venues and websites
online analytic and search engine providers
members of our business networks (normally where explicitly asked for by you)
industry bodies we are associated with (where we have been asked to undertake benchmarking and other analysis on behalf of their membership)
our regulators and governing bodies
quality assurance assessors and other business consultants
our insurers
parties associated with Corporate Finance transactions, or their advisers
data processors
Through our research we may also obtain information from publicly-available databases, such as Companies House or details on a company website.

Furthermore, we will disclose your personal information:

in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about customers will be one of the transferred assets;
if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of KRPM Business Solutions Limited, our clients, or any other third parties.








14. DATA PROCESSORS
Where we are appointing any individual or organisation to process your personal data on our behalf (otherwise known as ‘data processors’), they may only do so for specified purposes and according to our written instructions. KRPM Business Solutions Limited seeks confirmation of the processor’s IT security arrangements and whether personal data is processed outside the European Union.





15. TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
KRPM Business Solutions Limited is located in the UK. You can find details of our office locations on our website. Where possible, we or our appointed data processors will process your personal data within the European Union (EU). If your personal data does need to be transferred outside the EU, we ensure appropriate safeguards are in place to ensure that your data is properly looked after. We ensure personal data is adequately protected and take into account: where the European Commission has decided that a country, a territory or one or more specific sectors in a country, or an international organisation, ensures an adequate level of protection. This currently includes the US privacy shield framework. other safeguards available to us under data protection legislation.





16. KEEPING YOUR PERSONAL DATA SECURE
We operate a series of security measures concerning access to our offices and our systems. The level and extent of each individual measure may vary, but can include, for example:

access controls to buildings, systems and, where appropriate, individual IT applications;
anti-virus and malware prevention;
breach logging;
encryption;
equipment/access logs;
arranging back-up copies of personal data; and penetration testing, system monitoring and system updates (e.g. patching).
For applications running on our in-house systems, we operate a back-up facility as contingency.

The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.





17. HOW LONG WE KEEP YOUR PERSONAL DATA
The timescales for the retention of your personal data and related documentation are subject to various legal, regulatory or contractual requirements, which will reflect the purpose and lawful basis for processing the data.

Where you have told us you no longer wish to receive our direct marketing, we need to retain a record of this indefinitely. We keep a minimum amount of your personal data in order to maintain our marketing opt-out lists.





18. YOUR RIGHTS
Data protection legislation provides the following legal rights for individuals:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
You can exercise your rights at any time by contacting us using any of the contact details in section 5 of this policy. More information is available from the Information Commissioner's Office website https://ico.org.uk/

Some rights can only be exercised under certain circumstances. If we are unable to comply with your request for any reason, we will contact you to explain our reasoning.

Your rights under data protection legislation: download pdf







19. COMPLAINTS
KRPM Business Solutions Limited aims to deal efficiently with any query or to resolve any complaint you might have about how we handle your personal data.

Your right to complain

If you consider we have processed your data in a way that infringes the legislation, you have the right to complain to the Information Commissioner’s Office. Their contact details are:

https://ico.org.uk/
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) 01625 545 745 (national rate)






20. CHANGES TO THIS PRIVACY POLICY
The content of this privacy policy was compiled using guidance provided by the Information Commissioner’s Office (ICO) at the date of its publication. The policy takes into account the General Data Protection Regulation (GDPR).

Subsequent changes to the policy may occur due to changes in the ICO’s guidance. Each version of the policy will be uniquely referenced.





21. MORE INFORMATION
Information Commissioner’s Office website https://ico.org.uk