1 Data protection
1.1 To enable us to discharge the services agreed in this engagement letter, comply with related legal and regulatory obligations and for other related purposes including updating and enhancing client records and analysis for management purposes, as a data controller, we may obtain, use, process and disclose personal data about [you / your business / company / partnership / its shareholders / members / officers and employees] as described in our privacy notice. We confirm when processing data on your behalf that we will comply with the provisions of all relevant data protection legislation and regulation1.
1.2 You are also an independent controller responsible for complying with data protection legislation and regulation in respect of the personal data you process and, accordingly where you disclose personal data to us you confirm that such disclosure is fair and lawful and otherwise does not contravene relevant requirements. Nothing within this engagement letter relieves you as a data controller of your own direct responsibilities and liabilities under data protection legislation and regulation.
1.3 Our privacy notice,which can be found on our website at www.jrcoaccountants.com as set out in a separate to these terms of business explains how we process personal data in respect of the various services that we provide.
1.4 As part of our ongoing commitment to providing a quality service, our files are periodically reviewed by an independent regulatory or quality control body. These reviewers are highly experienced and professional people and, of course, are bound by the same rules for confidentiality as us.
Processing of customer personal data
1.5 Data protection legislation and regulation places obligations on you as a data controller where we act as a data processor to undertake the processing of personal data on your behalf, for instance where we operate a payroll service for you. We therefore confirm that we will at all times take appropriate measures to comply with relevant requirements when processing data on your behalf. In particular we confirm that we have adequate security measures in place and that we will comply with any obligations equivalent to those placed on you as a data controller. Terms relating to our responsibilities as a data processor are set out in paragraphs 10.6 to 10.9 below.
1.6 In respect of the client personal data, unless otherwise required by applicable laws or other regulatory requirements, we shall:
1.6.1 Process the client personal data only in accordance with your lawful written instructions, in order to provide you with the services pursuant to our engagement with you and in accordance with applicable data protection legislation;
1.6.2 Disclose and transfer the client personal data to [members of our firm’s network,] our regulatory bodies or other third parties (for example, our professional advisors or service providers) as and to the extent necessary in order to provide you with the services pursuant to our engagement with you in relation to those services;
1.6.3 Disclose the client personal data to courts, government agencies and other third parties as and to the extent required by law;
1.6.4 Maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of any client personal data and against accidental loss or destruction of, or damage to, such client personal data.
1.6.5 Maintain written records of our processing activities performed on your behalf which shall include:
the categories of processing activities performed;
details of any cross-border data transfers outside of the United Kingdom; and
a general description of security measures implemented in respect of the client personal data;
1.6.6 Return or delete all the client personal data upon the termination of the engagement with you pursuant to which we agreed to provide the services;
1.6.7 Ensure that only those personnel who need to have access to the client personal data are granted access to it and that all of the personnel authorised to process the client personal data are bound by a duty of confidentiality;
1.6.8 Notify you if we appoint a sub-processor (but only if you have given us your prior written consent, such consent not to be reasonably withheld or delayed) and ensure any agreement entered into with the relevant sub-processor includes similar terms as the terms set out in this section;
1.6.9 Where we transfer the client personal data to a country or territory outside the United Kingdom to do so in accordance with data protection legislation;
1.6.10 Notify you promptly if:
We receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of the client personal data; or
We are served with an information or assessment notice, or receive any other material communication in respect of our processing of the client personal data from a supervisory body (for example, the Information Commissioner’s Office);
1.6.11 Notify you, without undue delay, in the event that we reasonably believe that there has been a personal data breach in respect of the client personal data; and
1.6.12 At your cost and upon receipt of your prior written notice, allow you, on an annual basis and/or in the event that we notify you of personal data breach in respect of the client personal data, reasonable access to the relevant records, files, computer or other communication systems, for the purposes of reviewing our compliance with the data protection laws.
1.7 Without prejudice to the generality of clause 10.1, you will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of the client personal data to us.
1.8 Should you require any further details regarding our treatment of personal data, please contact our data controller.
1.9 The following details are also required by Article 28(3) of the GDPR:
1.9 1 Subject matter and duration of the processing of client personal data
The subject matter and duration of the processing of the client personal data are set out in the engagement letter between us dated………………….. and relate to provision of payroll services.
1.9 2 The nature and purpose of the processing of client personal data
The processing of client personal data is in order to calculate payroll and deductions and arrange payments to HMRC and the employees.
1.9 3 The types of client personal data to be processed
Personal Data: