The Hallidays Xeinadin Group website: http://www.hallidays.co.uk is maintained by Xeinadin Group Limited – Registered Office: 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD; Registered Number – 11354408. Registered in England and Wales.
You can contact us on +44 203 086 8677 or write to us at email@example.com
The purpose of this Privacy Notice is to clarify to you how Xeinadin Group Limited manages your data in line with GDPR and other data protection regulations. Xeinadin Group is obligated by law to safeguard any personal information that we hold or process and this Privacy Notice outlines the necessary actions that we take to accomplish this. All information processed by us, whether handled via our website or within our internal processes, is handled lawfully in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 (as amended from time to time).
What is Personal Data?
In this Privacy Notice and in our communication with you, the terms ‘personal data’, ‘personal information’ or ‘personally identifiable information’ may be used interchangeably. In all circumstances, and as defined by GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Our lawful basis for collecting your personal data:
As per the UK & EU GDPR requirements, it is mandatory for us to identify a lawful basis that justifies the requirement for processing personal data, necessary to a specific purpose. As a group of accountancy firms, it is usually necessary for us to process your data for the purpose of fulfilling our contract with you. This lawful basis is regarded as the contractual basis for processing.
There are other lawful bases, which include:
- Your consent
- We have a legal obligation to process your data
- We process your data for your vital interest (to save your life)
- We need to process your data to perform a public task
- We have a legitimate interest for processing your data
We will process your personal data only in line with the lawful basis for which we collect it, unless we have reasonable grounds to believe that it is for a similar purpose that is compatible with the original lawful basis.
The Lawful Basis of Consent:
If we have used your ‘consent’ as our lawful basis for processing of your data, then it must have been given by you freely, specifically, on an informed basis, and with a clear affirmative action (you opted in). You have the right to withdraw your consent at any time by emailing firstname.lastname@example.org or calling us on +44 203 086 8677. Once you withdraw your consent, we will immediately cease processing your data. However, please be aware that this may also result in us being unable to provide our services to you any further.
Your information will be retained for as long as your consent is not withdrawn and the purpose for which the information was collected remains valid. To ensure that your consent remains valid, we will contact you every twelve (12) months to review your consent and request that you provide fresh consent for a further twelve (12) months.
What types of personal data do we collect?
As a group of accountancy companies, we frequently require personal and financial data in line with the requirements stemming from general accountancy services. We regularly gather and handle the following information to facilitate our services:
- First Name
- Last Name
- Address and Postcode
- Email Address
- Phone Number
- Bank Details
- Government ID
- Pay Slips and Bank Statements
- Tax Returns and other Historic Financial Reports
- National Insurance Numbers
- Criminal Offence Data (where disclosed)
- Other relevant information
In the case of criminal offence data, the considerations of Articles 9 & 10 of UK GDPR and Schedule 1 of the Data Protection Act (DPA) 2018 are documented. In the case of Xeinadin, the ‘Consent’ Condition 29 of Schedule 1 of the Data Protection Act has been identified for the processing of such data, which only occurs when it is freely given, specific, informed, affirmative and unambiguous in the interest of securing accountancy services, as requested by the data subject.
Throughout the provision of our service, we ‘may’ potentially gather additional information from you directly in order to progress our services.
How do we get your information and why do we have it?
Xeinadin Group typically receives information from customers on a voluntary basis to assist with our services. To establish a contractual relationship with you, we need to gather and handle your information. Your information is typically processed to perform various accountancy functions, such as (but not limited to):
- Financial Statement Preparation
- Tax Preparation and Planning
- Payroll Processing and Reporting
- Business Advisory Services
- Budgeting and Forecasting
- Management Accounting
- Take a service payment from you
Your personal information may be collected through several channels such as phone calls, paper evaluation forms and our website portal. After receiving your information, it is uploaded to our secure client management software. Once we have completed our contract with you, your information is deleted in line with our data retention schedule (outlined further on).
How we handle your data:
Xeinadin Group, in its role as both data controller and data processor, is obligated to follow the data processing principles outlined in the General Data Protection Regulation. By processing your personal information in line with the below principles, Xeinadin Group is able to facilitate your rights, and to lawfully handle and safeguard your data.
The principles that Xeinadin abides by are:
The Principle of Lawfulness, Fairness and Transparency – We only collect and process Personal Information in a way that is lawful, fair, and transparent to you
The Principle of Accountability – We take responsibility for what we do with your personal data and how we comply with the other principles and are able to demonstrate our compliance
The Purpose Limitation Principle – We only process your personal information for specified, explicit and legitimate purposes
The Data Minimisation Principle – The personal data collected that we process is adequate, relevant, and limited to what is necessary
The Data Accuracy Principle – We ensure that the data we process is accurate and, where necessary, kept up to date
The Storage Limitation Principle – We only keep personal information in a form which permits your identification no longer than is necessary
The Integrity & Confidentiality (security) Principle – We ensure that we appropriately secure your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Xeinadin Group are committed to ensuring the security and protection of your personal information as we understand that a breach of your information may cause undue stress, worry and in extreme cases may impact your rights and freedoms. To prevent such incidents, appropriate security measures are in place to limit accidental loss, unauthorised access, alteration or disclosure of your information.
We use several organisational measures to limit access to your personal data to only the employees, and other third parties who have a business ‘need to know’. Personal data is shared with third parties only when necessary for the provision of services. When doing so, we ensure that third parties have the appropriate security in place and that they are subject to a duty of confidentiality.
In the unlikely event of a data breach, we follow procedures set out by the Information Commissioner’s Office (ICO) to investigate and handle the breach transparently and ethically. Should our data breach investigation process determine that the breach may result in an impact to your rights and freedoms, we will notify you and the ICO where we are legally required to do so.
International & Third-Party Data Transfers:
The information that you provide may be shared with trusted third parties for purposes that align with our purpose for processing, and to deliver our services to you. Our trusted third parties are based in the United Kingdom (UK) and may include banks and financial institutions, tax authorities, regulatory bodies, and legal professionals, among others. We do not knowingly transfer any personal data beyond the borders of the United Kingdom (UK) or European Economic Area (EEA). If it is determined that there is a need to transfer personal information outside of the UK or EEA in future, then we would inform you of the requirement and ensure that the appropriate safeguards are in place, as required by the European Commission.
How long do we keep your data?
His Majesty’s Revenue and Customs (HMRC) has published Codes of Practice which stipulate that, by law, accountancy firms must keep personal records for a period of six years from the end of the accounting period to which they relate. However, some records may be required to be kept for a longer period in relation to money laundering regulations. Xeinadin Group maintains copies of your personal data in line with such stipulations; however, unless otherwise stipulated, all data is deleted six years from the end of the accounting period.
Your data rights:
Both the UK & EU General Data Protection Regulation give you seven rights in relation to your data. It is important that you understand your rights and for that reason, we have listed them below:
- The right to access – the right to access copies of personal information.
- The right to rectification – the right to ask organisations to rectify information that isn’t correct.
- The right to erasure – the right to have personal information erased in certain circumstances.
- The right to restriction of processing – the right to have processing of personal data restricted in certain circumstances
- The right to object to processing – the right to object to having data processed in the first place or by a specific means.
- The right to data portability – the right to have information transferred from one organisation to another or be given to the data subject directly.
- Rights relating to automated decision making and profiling – the right to challenge the use of automated processing & decision making
Please note that not all rights are absolute. There may be certain circumstances in which we are unable to facilitate the exercise of your right(s) due to certain allowed exemptions. Should this be the case, then we will explain the exemption reason to you in our response.
Exercising your rights – the SAR process:
Access to personal data is the first step to exercising your rights. By exercising your right to access, you are able to receive a copy of all the personal information held about you by Xeinadin Group. This allows you to understand why your data is being used and to verify that it is being used in accordance with the law. The right to access is exercised by submitting a Subject Access Request (SAR) to the organisation. You can submit a SAR verbally, by speaking to us on the phone or in person, or in writing, including on social media platforms. It is not necessary to use the term “Subject Access Request”; you can simply ask for a copy of your personal information. If you wish to make a written SAR directly to us, you can do so by sending an email to email@example.com or via letter to Xeinadin Group Limited, 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD.
After receiving your request, we will need to verify your identity before providing you with a copy of your personal data. We will respond to your request within 30 days. Subject Access Requests are typically free of charge. However, if your request is deemed by our data protection manager to be manifestly unfounded or excessive, we may charge a reasonable fee to cover the administrative costs involved.
Information collected while using our website, including Cookies:
Upon visiting the Xeinadin website, certain information is collected from your internet browser for statistical purposes using cookies. These are small text files that are stored on your computer’s hard drive through your browser. Cookies do not contain any personal information about users but allow us to distinguish you as a separate entity and monitor your actions on our site. Once you close your browser, the cookies are automatically removed.
To find out more about cookies, please visit: http://www.allaboutcookies.org
We keep track of our website traffic in Google Analytics. In this way, we analyse the performance of our website, and we’re able to see the effect of our marketing actions. Google Analytics registers, among others:
- What is the source site of your visit?
- How long did you stay on our website?
- Which pages do you visit?
- Which device/operating system/browser do you use?
- Which forms do you fill?
When legally obliged, Google might share this information with third parties. If third parties process the information, Google might also share this information. We signed a data processing agreement with Google and forbade Google to use the obtained information for any other of their services.
No personal data is collected or saved in Google Analytics. The data will not be shared with third parties unless legally obliged.
How to complain:
If you have any concerns about the way in which we handle your personal information, you can make a complaint to us at firstname.lastname@example.org or via letter to: The Data Protection Manager, Xeinadin Group Limited, 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD.
You also have the right to complain to the Information Commissioner’s Office, which is the United Kingdom’s data protection regulator, if you are unhappy with how we have handled your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk