Section 1: Purpose of this notice
This notice explains how Oakmoore Accountants collects, holds, uses and shares your personal data, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully. By engaging our services or using our website, you acknowledge the practices described here.
Section 2: About us
Oakmoore Accountants is an ICAEW-regulated chartered accountancy practice providing accountancy, tax and advisory services. For the purposes of data protection law, we are the data controller, meaning we determine how and why your personal data is processed.
Data Protection contact:
Email: info@oakmooreaccountants.co.uk
Website: www.oakmooreaccountants.co.uk
Address: Available on request
As a small practice, we do not have a statutory obligation to appoint a Data Protection Officer (DPO). Any data protection queries should be directed to the contact details above.
Section 3: Personal data we collect
We collect and process the following categories of personal data:
- Identity data: name, date of birth, National Insurance number, passport or driving licence details.
- Contact data: address, email address, telephone number.
- Financial data: income, tax records, bank account details (for Direct Debit), invoices.
- Tax and accounting data: PAYE records, self-assessment information, VAT returns, company accounts.
- Business data: company registration number, directors' details, filed accounts.
- Identity verification data: collected as part of our Anti-Money Laundering (AML) obligations.
- Communications data: emails, letters and notes from calls or meetings with us.
- Website data: IP address, browser type and cookies (see Section 11).
Section 4: How we collect your personal data
- Directly from you during initial enquiries, onboarding and throughout our engagement.
- From HMRC, Companies House and other government or regulatory bodies.
- From your previous accountant, following professional clearance.
- From third-party identity verification services used for AML purposes.
- From publicly available sources such as the Companies House register.
- Via our website when you contact us or request information.
Section 5: Lawful basis for processing
We rely on the following lawful bases under UK GDPR:
| Lawful basis | When we use it |
|---|---|
| Performance of a contract | Providing the accountancy and tax services agreed in your engagement letter. |
| Legal obligation | Filing tax returns and accounts with HMRC and Companies House; AML compliance under the Money Laundering Regulations 2017. |
| Legitimate interests | Managing client relationships, improving our services, fraud prevention, maintaining professional records. |
| Consent | Marketing communications (email newsletters or service updates). You may withdraw consent at any time. |
Section 6: How we use your personal data
- Preparing and filing your tax returns, accounts and statutory documents.
- Communicating with HMRC, Companies House and other regulators on your behalf.
- Conducting client due diligence and identity verification as required under AML regulations.
- Processing Direct Debit payments for your monthly fee.
- Sending invoices and managing outstanding payments.
- Responding to your queries and providing ongoing advisory services.
- Maintaining records as required by law and our professional obligations.
- Improving and developing our services (using anonymised data where possible).
Section 7: Who we share your data with
We do not sell your personal data. We share it only in the following circumstances:
| Recipient | Purpose |
|---|---|
| HMRC | Submission of tax returns, VAT returns, payroll and other statutory filings. |
| Companies House | Filing of annual accounts and confirmation statements. |
| Xero (accounting software) | Bookkeeping, VAT and management accounts. Xero is ISO 27001 certified. |
| Dext | Document capture and receipt management. |
| GoCardless | Direct Debit collection of monthly fees. |
| Microsoft (OneDrive) | Secure document sharing with clients. |
| ICAEW | Regulatory oversight and practice assurance monitoring. |
| Previous accountants | Professional clearance and handover of records (with your consent). |
| National Crime Agency (NCA) | Where legally required under the Proceeds of Crime Act 2002. |
All third-party service providers are required to maintain appropriate security standards and may only process your data in accordance with our instructions.
Section 8: International data transfers
We do not intentionally transfer your personal data outside the United Kingdom. Our primary software providers (Xero, Microsoft) may process data within the UK or the European Economic Area (EEA), which benefits from UK adequacy decisions. Where any transfer outside the UK or EEA is necessary, we will ensure appropriate safeguards are in place in accordance with UK GDPR.
Section 9: Data retention
We retain your personal data only for as long as necessary for the purposes set out in this notice, and in accordance with our legal and regulatory obligations. Our standard retention periods are:
- Client accounting records: minimum 6 years from the end of the relevant accounting period (Companies Act / HMRC requirements).
- Self Assessment records: 5 years after the 31 January filing deadline for the relevant tax year.
- AML / KYC identity documents: 5 years after the end of the client relationship.
- PAYE and payroll records: minimum 3 years from the end of the tax year.
- Email and general correspondence: 6 years from the date of the last engagement.
- Prospective client enquiries (not converted): 12 months from initial contact.
When retention periods expire, data is securely deleted or anonymised.
Section 10: Data security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:
- Password-protected and encrypted storage for all electronic client files.
- Multi-factor authentication on all cloud platforms used in our practice.
- Access controls limiting data to those with a legitimate need.
- Secure document sharing via OneDrive rather than unencrypted email.
- Antivirus and firewall protection on all practice devices.
- Staff awareness of data handling obligations.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay, as required by UK GDPR.
Section 11: Website & cookies
Our website (www.oakmooreaccountants.co.uk) may use cookies to improve user experience. We use only essential cookies required for the website to function, plus optional analytics cookies (such as Google Analytics) where you have given your consent via our cookie banner. You can manage or withdraw cookie consent at any time through your browser settings. Our website does not collect sensitive personal data.
Section 12: Your rights under UK GDPR
You have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you (Subject Access Request). |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Ask us to delete your data (subject to our legal retention obligations). |
| Restriction | Ask us to limit how we use your data in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format where processing is based on consent or contract. |
| Object | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Withdraw consent for marketing or other consent-based processing at any time. |
To exercise any of your rights, please contact us at info@oakmooreaccountants.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request. There is no charge for exercising your rights unless a request is manifestly unfounded or excessive.
Section 13: Right to complain
If you are unhappy with how we have handled your personal data, please contact us in the first instance at info@oakmooreaccountants.co.uk. We will investigate and respond promptly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Section 14: Changes to this notice
We may update this Privacy Notice from time to time to reflect changes in our services, technology or legal requirements. The current version will always be available on our website and will be provided to you at the point of engagement. Material changes will be communicated to existing clients by email. The date at the top of this notice indicates when it was last reviewed.