Arrogroup

Data Privacy Notice

ArroGroup

254 Suffolk Road

Belfast

BT11 9PP

info@arrogroup.co.uk

 

This notice is provided to fulfil our obligations under the General Data Protection Regulation (“GDPR”) which is effective from 25 May 2018.  GDPR requires organisations to be more transparent and accountable in how the personal data they hold is handled and processed.

 

ArroGroup is generally a data controller for the personal data processed, however, we may provide some services, such as payroll services, as a processor (in which case our client is the controller).  

 

 

  • Personal clients

 

 

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data where it is strictly needed for those purposes.

Where we need to process personal data to provide our services, we ask our clients to provide the necessary information to other data subjects concerned, such as family members, regarding its use.

Categories of personal data held

  • Contact information;
  • Family information;
  • Income level;
  • Details of financial affairs; and
  • May obtain some health information (if relevant to engagement).

Purpose of processing your personal data

  1. Provision of our services to you as agreed for the engagement

Legal basis – Performance of a contract, legitimate interests, legal obligation

  1. Administering, managing and developing our businesses and services.  We may process personal data in order to run our business, including:
    1. managing our relationship with clients and prospective clients;
    2. developing our businesses and services
    3. managing and using IT systems;
    4. administering and managing our website and systems and applications.

Legal grounds: Legitimate interests

  1. Customer due diligence (anti-money laundering legislation)

Legal basis – Legal obligation

  1. Compliance with a common law, statutory regulation or professional obligation

 

Legal basis – Legal obligation or legitimate interests

 

  1. If you have given consent, marketing our services to you in the future

 

Legal basis – Legitimate interests

 

 

  • Corporate clients and individuals connected with our corporate clients

 

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data where it is strictly needed for those purposes.

If you are an employee, contractor, customer, or supplier, we might receive and process your personal data as part of our engagement with that client.  We will only process your data in order to provide our services to our client.

Categories of personal data held

  • Personal details;
  • Contact details;
  • Financial details; and  
  • Job details.

 

Purpose of processing your personal data

  1. Provision of our services to you as agreed for the engagement

Legal basis – Performance of a contract, legitimate interests, legal obligation

  1. Administering, managing and developing our businesses and services.  We may process personal data in order to run our business, including:
  1. managing our relationship with clients and prospective clients;
  2. developing our businesses and services
  3. managing and using IT systems;
  4. administering and managing our website and systems and applications

Legal basis: Legitimate interests

  1. Customer due diligence (anti-money laundering legislation)

Legal basis – Legal obligation

  1. Compliance with a common law, statutory regulation or professional obligation

 

Legal basis – Legal obligation or legitimate interests

 

  1. If you have given consent, marketing our services to you in the future

 

Legal basis – Legitimate interests

 

 

  • Website Users

 

We use the personal data (name and email address) you have provided us to respond to your queries when you contact us.

Our legal basis for this processing is our legitimate interest in the administration and operation of our business.

If you become a client, your personal data will become part of your file with us.

 

  • Suppliers

 

Categories of personal data held

  • Contact information;
  • Bank details for payment purposes;
  • Proof of identity; and
  • Professional qualifications.

Purpose of processing your personal data

 

  • Provision of agreed services

 

Legal basis – Performance of a contract, legitimate interests, legal obligation

  1. Administering, managing and developing our businesses and services.

 

Legal basis: Legitimate interests

 

  1. Due diligence (anti-money laundering legislation)

Legal basis – Legal obligation

  1. Compliance with a common law, statutory regulation or professional obligation

 

Legal basis – Legal obligation or legitimate interests

 

 

  • Employees and recruitment candidates

 

The firm considers that it has a legal obligation to hold personal data of employees and that the processing of employees personal data is necessary to fulfill the firms obligations under the employment contract of each employee.

Categories of personal data held

  • Contact information
  • Personal details
  • Education and employment history
  • Bank account details
  • Information from referees

Special Category Data

We acknowledge that personal data which reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data and data concerning individuals’ sex life or orientation are considered “Special Category Data” under the GDPR, and that processing such data is prohibited unless an exception applies.  The firm does not intend to process Special Category Data on behalf of clients, and in any case will not do so unless an exception applies, as provided in the GDPR.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).   

In the absence of specific legal, regulatory or contractual requirements, our retention period for records and other documentary evidence created in the provision of services is 6 years.

Security of your personal information

We have policies and procedures in place to ensure that your personal information is secure, accurate, up-to-date and kept only for so long as is necessary for the purpose for which it is needed.

Sharing of personal data

We share your personal data with our IT service providers.  These providers are not permitted to use this data, except on our behalf.  We may share your personal data with advisers who are subject to rules of confidentiality.  We may also be obliged to provide access to your personal data to regulators.

If we received your personal data from one of our clients, then we also share your personal data with that client.

We may also share personal data with third party organisations who assist us in providing services to clients or are otherwise involved in the services we provide to clients e.g. HMRC.

We will not share your personal data with any other third parties unless we have a legal or professional obligation to do so.

Automated decision-making and profiling

We do not use any personal data for the purpose of automated decision-making or profiling.

Your rights

You have the following rights under the GDPR, in certain circumstances and subject to certain exclusions, in relation to your personal data:

• Right to access – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.

Right to rectification– you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.

Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.

Right to restrict or object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.

• Right to data portability – you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.

  • Right to withdraw consent – if we are processing personal data based on your consent, you may withdraw that consent at any time.

In order to exercise any of the rights set out above, or if you have questions or concerns about how we process your data, please contact us at info@arrogroup.co.uk or by post at:

ArroGroup,

254 Suffolk Road,

Belfast,

BT11 9PP

 

You also have the right to lodge a complaint with the Information Commissioner’s Office, whose contact details are as follows:

Information Commissioner’s Office,

Wycliffe House, Water Lane,

Wilmslow,

Cheshire,

SK9 5AF

Telephone  0303 123 1113 (local rate) or 01625 545 745

Website  https://ico.org.uk/concerns

 

Data Privacy Notice last updated 25 May 2018