This document sets out X-VAT’s policy on the protection of information relating to X-VAT’s clients and information on X-VAT’s clients’ clients (from here referred to as Client Data). Protecting the confidentiality and integrity of Client Data is a critical responsibility that X-VAT takes seriously at all times. X-VAT will ensure that data is always processed in accordance with the provisions of relevant data protection legislation. This policy will be posted on X-VAT’s website and updated as appropriate.
Personal data is any information identifying a data subject (a living person to whom the data relates). It includes information relating to a data subject who can be identified (directly or indirectly) from that data alone or in combination with other identifiers X-VAT possesses or can reasonably access. Personal data can be factual (for example, a name, email address, location or opt-in approval) or an opinion (for example, a view expressed about an individual’s decision).
Sensitive Personal Data
Sensitive personal data is a special category of information which relates to a data subject’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric, personal image or genetic data. It also includes personal data relating to criminal offences and convictions.
Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
X-VAT holds information related to the Client in order to effectively and appropriately provide business service to the Client. This information may in part or in whole relate to: Client contact information; VAT related activities and details; HMRC communication with the Client; previous VAT related matters between HMRC and the Client; and relationship history between the Client and X-VAT.
If the purpose for processing any piece of data about Clients should change, X-VAT will update privacy notices with the new purpose and the lawful basis for processing the data and will notify Clients of changes.
FAIR PROCESSING OF DATA
Fair Processing Principles
In processing Client data, the following principles will be adhered to. Personal data will be:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes;
- relevant to specific purposes and limited only to those purposes;
- accurate and kept up to date;
- kept only as long as necessary for the specified purposes; and
- kept securely.
Lawful Processing of Personal Data
Personal information will only be processed when there is a basis for doing so. Most commonly, the Company will use personal information only in the following circumstances:
- when it is needed to carry out the Client’s relationship with X-VAT;
- when it is needed to comply with a legal obligation; or
- when it is necessary for X-VAT’s legitimate interests (or those of a third party) and Clients’ interests and fundamental rights do not override those interests.
X-VAT may also use personal information in the following situations, which are likely to be very rare:
- when it is necessary to protect Clients’ interests; or
- when it is necessary in the public interest (or for official purposes).
Lawful Processing of Sensitive Personal Data
X-VAT does not generally collect or process sensitive personal data. The only sensitive personal data X-VAT envisions collecting and processing is:
- personal image, with prior consent, for use on X-VAT’s website to express personal experiences of X-VAT services;
- personal image, with prior consent, for other marketing purposes.
Consent to Data Processing
Where a Client has “opted in” to receiving specific VAT-related emails, X-VAT does not require further consent to contact that Client on matters specifically related to VAT updates or the services and products offered by X-VAT. Where a Client has entered into a contractual relationship with X-VAT, X-VAT does not require further consent to contact the Client and process data in relation to the execution of that contract.
Where Clients have provided consent to the collection, processing and transfer of personal information for the purpose of carrying out the relationship between X-VAT and the Client only, Clients have the right to withdraw consent for that specific processing at any time. Once the Company has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.
Automated Decision Making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
X-VAT may use automated decision-making in the following circumstances:
- where Clients are coming up to the renewal of their subscription service or software licence;
- where an X-VAT service or product may be identified as of special interest to a Client.
COLLECTION AND RETENTION OF DATA
Collection of Data
X-VAT will collect personal information about Clients through the Client’s own provision of such data, whether that data relates to the Client or to the Client’s clients.
From time to time, X-VAT may collect additional personal information in the course of fulfilling the contractual agreement between X-VAT and the Client.
Retention of Data
X-VAT will only retain Clients’ personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
When determining the appropriate retention period for personal data, X-VAT will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether X-VAT can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances X-VAT may anonymise personal information so that it can no longer be associated with Clients, in which case X-VAT may use such information without further notice to Clients. After the data retention period has expired, X-VAT will securely destroy Clients’ personal information.
DATA SECURITY AND SHARING
The Company has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request. Access to personal information is limited to those staff members, agents, contractors and other third parties who have a business need to know. They will only process personal information on X-VAT’s instructions and are subject to a duty of confidentiality. The Company expects staff members handling personal data to take steps to safeguard personal data of staff members (or any other individual) in line with this policy.
X-VAT requires third parties to respect the security of Clients’ data and to treat it in accordance with the law. X-VAT may share personal information with third parties, for example in the context of the possible sale or restructuring of the business. The Company may also need to share personal information with a regulator or to otherwise comply with the law.
X-VAT may also share Clients’ data with third-party service providers where it is necessary to administer the working relationship with Clients or where X-VAT has a legitimate interest in doing so. The following are examples of activities which are carried out by third-party service providers: Accounting, Customer Relationship Management (CRM) Systems, IT and Payment Services.
X-VAT will never sell on Clients’ data to any third party.
RIGHTS & OBLIGATIONS
Accuracy of Data
X-VAT will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. Clients are encouraged to inform X-VAT of any changes to their personal data. Where a Client has concerns regarding the accuracy of personal data held by X-VAT, the Client should contact the Data Director at firstname.lastname@example.org to request an amendment to the data.
Under certain circumstances, Clients have the right to:
- request access to personal information (commonly known as a “data subject access request”);
- request erasure of personal information;
- object to processing of personal information where X-VAT is relying on a legitimate interest (or those of a third party) to lawfully process it;
- request the restriction of processing of personal information;
- request the transfer of personal information to another party.
If a Client wishes to make a request on any of the above grounds, they should contact the Data Director via email at email@example.com. Please note that, depending on the nature of the request, X-VAT may have grounds for refusing to comply. If that is the case, the Client will be given an explanation by X-VAT.
Data Subject Access Requests
Clients will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, X-VAT may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, X-VAT may refuse to comply with the request in such circumstances.
X-VAT may need to request specific information from the Client to help confirm their identity and ensure their right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
COMPLIANCE WITH THIS POLICY
X-VAT Compliance Responsibilities
A Data Director has been appointed to oversee compliance with this policy. If Clients have any questions about this policy or how X-VAT handles personal information, they should contact the Data Director at firstname.lastname@example.org. Clients have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Data Security Breaches
X-VAT has put in place procedures to deal with any data security breach and will notify the Client with whom X-VAT has a relationship, and any applicable regulator, of a suspected breach where legally required to do so. Details of these measures are available upon request.
In certain circumstances, X-VAT will be required to notify regulators of a data security breach within 72 hours of the breach. Therefore, if a Client becomes aware of a data security breach it is imperative that they report it to the Data Director at email@example.com immediately.
Privacy by Design
X-VAT will have regard to the principles of this policy and relevant legislation when designing or implementing new systems or processes (known as “privacy by design”).
Exchange Place 2
5 Semple Street
Edinburgh EH3 8BL
Tel: +44 131 306 0075