Privacy Statement

Privacy Statement

ABOUT US AND THE PURPOSE OF THIS NOTICE

I D Bowen & Co., Chartered Accountants and Registered Auditors (“we", “us”, “our” and “ours”) is an accountancy and tax advisory firm whose sole principal is Mr Ian Bowen LLB., ACA. Our principal place of business is situated at 19 Alexandra Road, Gorseinon, Swansea, SA4 4NW.

This notice will tell you how we look after your personal data, about your privacy rights, and about our compliance with and your protections under Data Protection Legislation.

In this notice “Data Protection Legislation” means any applicable law relating to the processing, privacy, and use of Personal Data, including the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020. 

For the purpose of the Data Protection Legislation and this notice, we are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.

We have appointed a data protection manager who is our Data Protection Point of Contact and is responsible for assisting with enquiries in relation to this privacy notice or our treatment of your personal data. Should you wish to contact our Data Protection Point of Contact you can do so using the contact details (Contact Us), below.
This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights.  It applies to personal data provided to us, both by individuals themselves or by others.  We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Personal data is any information relating to an identified or identifiable living person.  When “you” or “your” are used in this statement, we are referring to the relevant individual who is the subject of the personal data. We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data.  To find out more about our specific processing activities, please go to the relevant sections of this statement.

Our processing activities

Security

We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails.  

When and how we share personal data and locations of processing

We will only share personal data with others when we are legally permitted to do so.  When we share data with others we do so through contractual arrangements and have security measures in place to protect the data and to comply with our data protection, confidentiality and security obligations.

We will not transfer the personal data we collect about you outside of the EEA.

Personal data held by us may be transferred to:

•    Third party organisations that provide applications, data processing or IT services to us

We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems.  For example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services.  The servers powering and facilitating that cloud infrastructure are located in secure data centres and personal data may be stored in any one of them. Where the third party is based in a country outside the EU the servers providing cloud based services are located within the EU.

Details of these providers is set out below:

Name                                      Role                                                 Address

Microsoft Limited                    Software and cloud services           Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, UK
Ionos                                          Email and web-hosting                    Aquasulis House, 10-14 Bath Road, Slough, SL1 3SA, UK
Computastore Limited           Software services                              31 Thomas Street, Manchester, M4 1NA,UK

•    Third party organisations that otherwise assist us in providing goods, services or information

We may engage or otherwise work with other providers to helps us provide professional services to our clients.

•    Our clients

Where we need to process personal data to provide professional services to our clients, we may share personal data in our end products such as the reports we produce. 

•    Other professional advisers

Our policy only addresses the use and disclosure of information we collect from you. To the extent you disclose your information to other parties or sites throughout the internet, different rules may apply to their use or disclosure of the information you disclose to them. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party that you choose to disclose information to. 

This Privacy Policy does not apply to the practices of companies that we do not own or control, nor to individuals whom we do not employ or manage, including any of the third parties which we may disclose information to as set out in this Privacy Policy. 

•    Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights.  We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Changes to this privacy statement

This privacy statement will be kept under regular review. Any changes we may make in the future will be provided to you by updating our website at www.idbowen.co.uk. 

This privacy notice was last updated on 14 January 2024

Other data subject rights

 We are generally controllers for the personal data we process, however, we may provide some services, such as payroll services, as a processor (in which case our client is the controller).  If you have any questions about this privacy statement or how and why we process personal data please use the contact details below

Individuals’ rights and how to exercise them

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights.  

Individuals’ rights may include the right of access to personal data, to rectification of personal data, to erasure of personal data, to restrict processing of personal data, to object to processing of personal data, to data portability, the right to withdraw consent at any time (where processing is based on consent) and the right to lodge a complaint with a supervisory authority.

Further information about the rights that individuals have and how to exercise them is set out below.

Your right of access to personal data

You have the right to obtain confirmation as to whether we process personal data about you, receive a copy of your personal data held by us as a controller and obtain certain other information about how and why we process your personal data. This right may be exercised by emailing us at GDPR@idbowen.co.uk. We may charge for a request for access in accordance with applicable law.  We will aim to respond to any requests for information promptly, and in any event within the legally required time limits.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Your right to amendment of personal data

You have the right to request for your personal data to be amended where it is inaccurate (for example, if you change your name or address) and to have incomplete personal data completed.

To update personal data submitted to us, you may email us at GDPR@idbowen.co.uk.

When practically possible, once we are informed that any personal data processed by us is no longer accurate, we will make corrections (where appropriate) based on your updated information.

Your right to erasure 

You have the right to obtain deletion of your personal data in the following cases:
  • the personal data are no longer necessary in relation to the purposes for which they were collected and processed;
  • our legal grounds for processing is consent, you withdraw consent and we have no other lawful basis for the processing;
  • our legal grounds for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to our processing and we do not have overriding legitimate grounds;
  • you object to our processing for direct marketing purposes;
  • your personal data have been unlawfully processed; or
  • your personal data must be erased to comply with a legal obligation to which we are subject.
To request deletion of your personal data, please email us at GDPR@idbowen.co.uk.

Your right to restrict processing

You have the right to restrict our processing of your personal data in the following cases:
  • for a period enabling us to verify the accuracy of your personal data where you have contested the accuracy of the personal data;
  • your personal data have been unlawfully processed and you request restriction of processing instead of deletion;
  • your personal data are no longer necessary in relation to the purposes for which they were collected and processed but the personal data are required by you to establish, exercise or defend legal claims; or
  • for a period enabling us to verify whether the legitimate grounds relied on by us override your interests where you have objected to processing based on it being necessary for the pursuit of a legitimate interest identified by us.
To restrict our processing of your personal data, please email us at GDPR@idbowen.co.uk.

Your right to object to processing

You have the right to object to our processing of your personal data in the following cases:
  • our legal grounds for processing is that the processing is necessary for a legitimate interest pursued by us or a third party; or
  • our processing is for direct marketing purposes.
To object to our processing of your personal data, please email us at GDPR@idbowen.co.uk.

Your right to data portability

You have a right to receive your personal data provided by you to us and have the right to send the data to another organisation, or ask us to do so, where our lawful basis for processing the personal data is consent or necessity for the performance of our contract with you and the processing is carried out by automated means.

To exercise your right to data portability, please email us at GDPR@idbowen.co.uk.

Withdrawal of consent

We do not generally process personal data based on consent as we can usually rely on another legal basis such as contractual obligation.  In the limited circumstances where we process data based on consent you have the right to withdraw consent at any time.  To withdraw your consent, please email our data protection point of contact Mr Ian Bowen at GDPR@idbowen.co.uk.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

How to contact us

If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please email our Data Protection Point of Contact Mr Ian Bowen at GDPR@idbowen.co.uk or telephone him on 01792 897035.

Complaints

If you do want to complain about our use of personal data, please send an email with the details of your complaint to GDPR@idbowen.co.uk.  We will look into and respond to any complaints we receive.

You also have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone - 0303 123 1113 (local rate) or 01625 545 745

Share by: