RfM Data Protection Policy
RfM is a network of independent accounting, tax and advisory firms which perform professional services under the name RfM. Each of the RfM firms is a separate Limited Company or Partnership and has no liability for the acts or omissions of any other such entity.
In the course of our work with your Company, we are likely to collect, use, transfer or store personal information about you, your business, your employees, your customers and your suppliers, including names and addresses. The UK’s data protection legislation, including the General Data Protection Regulation (GDPR), contains principles and legal conditions which must be followed before and during any processing of personal information.
Our data protection policy will help you to understand what information we collect, how we use it and what choices you have.
By using www.rfm-more.co.uk and submitting any personal information to us, and signing the terms of our engagement letter, you agree to the use by us of your personal information in accordance with the terms of this Data Protection Policy.
What personal information do we collect?
When you visit the www.rfm-more.co.uk website – we do not require registration when you access the website, but if you participate in any of the activities or services offered by the website or complete a ‘contact us’ form, we will collect the personal data we need to be able to provide you with those services, such as your name, job title, email address and telephone number.
Personal information we hold will include names, addresses, telephone numbers, email addresses, national insurance details, tax references and income details.
We do not collect sensitive personal information from you across the RfM Group. Sensitive data includes data relating to race or ethnic origin, political opinions, religious or other beliefs, physical or mental health, sexual orientation or criminal record.
How do we use your personal data?
We are a data controller. This means that we are required by law to ensure that everyone who processes personal data in the course of their work with us does so in accordance with the data protection legislation, including the GDPR principles. In summary, the principles say that:
- personal data must be processed in a lawful, fair and transparent way
- the purpose for which the personal information is collected must be specific, explicit and legitimate
- the collected personal data must be adequate and relevant to meet the identified purpose
- the information must be accurate and kept up to date
- the personal data should not be kept in a form which permits identification of a data subject for longer than necessary for the purposes for which it is used
- the personal data must be kept confidential and secure and only processed by authorised personnel.
We only use the data you provide to deal with your request and to provide the services you have asked for as described in our engagement letter.
We are legally obliged to hold some types of data to fulfil our statutory obligations and we will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant engagement letter you hold with us.
Will you provide my information to a third party?
We may contract with other companies or individuals, agents, subcontractors, regulatory bodies and other associated organisations for the purposes of completing tasks, to deal with your enquiry or to otherwise operate our business. If we use third party providers, we disclose only the personal data that is necessary to deliver the service, and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes; we also ensure those third parties are fully compliant with the GDPR. We may also process personal data in the “cloud”, in which case we carry out the same level of checks to ensure those companies have adequate GDPR compliance in place in the countries where their servers are located.
In order to perform our contract with you we may use external third parties based outside the EEA, so the processing of your personal data may involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
- where there is no adequacy decision by the European Commission in relation to a country, we may use certain service providers under specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
We may share your information with other RfM Group Companies, including for direct marketing of their services; your rights in relation to such marketing are set out in the marketing paragraph below.
Any staff with access to your information have a duty of confidentiality under the ethical standards that the RfM firms are required to follow. Our staff are continually trained and monitored on the rules and regulations under GDPR and the handling of personal data.
Other than the disclosures described above, we will not release information to third parties unless you have requested in writing that we do so.
You have the right to request:
- details of the personal information that is stored by RfM
- correction of your information – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you
- deletion of data – you have the right to ask us to delete any personal information we hold about you where you consider we no longer require the information for the purposes it was obtained
- withdrawal of consent – where you have previously given consent to RfM holding your personal data, you may withdraw that consent at any time. You can contact your local RfM office to notify us that you withdraw your consent.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect internally and online.
We are subject to specific rules under the GDPR in relation to marketing our services, including marketing sent on behalf of other RfM Group companies. Every marketing communication you receive will give you the option to reject further direct marketing, and if you notify us that you wish to unsubscribe from marketing material we will immediately cease sending further communications to you.
Subject access requests
Under the GDPR, subject to certain legal limitations, individuals have a number of legal rights regarding how their personal data is processed and what information we hold. You can submit a subject access request in writing to ask us what information we hold about you personally, and you can also:
- confirm what personal data we hold
- request corrections to be made to data we hold
- request erasure of data
- object to the processing of data
- request that processing restrictions be put in place
- be notified of a data security breach affecting your personal data.
How will we respond to a subject access request?
We will reply in writing to any subject access request without undue delay and within the time limit set by the GDPR (one month from receipt, which may be extended where requests are complex or numerous).
Action to be taken in the event of a data protection breach
A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on an individual.
In the event of a security incident or breach, RfM will:
- contain the breach;
- assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen; and
- limit the scope of the breach by taking steps to mitigate the effects of the breach.
The Data Protection Officer will determine, within 72 hours of RfM becoming aware of the breach, how serious it is and whether the Information Commissioner’s Office (ICO) and/or the affected individuals need to be notified.
All employees and principals of RfM who handle the personal information of individuals must understand the data protection legislation, including the GDPR.
We will provide all employees and principals of RfM with continuous training and updates on how to process personal data in a secure and confidential manner and in accordance with the spirit of the data protection legislation, including the GDPR. They are also kept informed of, and are aware of, any changes made to privacy notices, consent procedures and any other policies and procedures associated with our internal processing of personal data.
Should you wish to enquire about our use of your personal data, please contact your usual contact at your local office. We will investigate all complaints received and will endeavour to respond to complaints promptly.