Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

All data subjects whose personal data is collected, in line with the requirements of the GDPR.

All employees/staff of Grunberg & Co who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.

For the purpose of the Data Protection Legislation and this notice, Grunberg & Co are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.

We have appointed a Head of Privacy. Our Head of Privacy is our Data Protection Point of Contact and is responsible for assisting with enquiries in relation to this privacy notice or our treatment of your personal data. Should you wish to contact our Data Protection Point of Contact you can do so using the contact details in 3.6.

Grunberg & Co are a firm of Chartered Accountants, business and tax advisers.

The services we offer are as follows:

1. 1. Our Data Protection Point of contact and data protection representatives can be contacted directly here:
      • contact@grunberg.co.uk
      • 020 8458 0083

      The personal data we would like to collect and process on you is:

      Personal data type:	Source
      Full and former names, addresses, telephone numbers, email addresses, Unique Tax Reference number (UTR), national insurance number, bank account details. Details of your investments. Income and expenditure details. Your IP addresses. Family details.	We may collect your personal data from you, your employer, your appointed representative, a member of staff, face to face, or from a public source where we believe that you will be interested in what we do. Where we collect personal data from third party or public domain source we provide a means to opt-out or unsubscribe on every message we send you.

      The personal data we collect will be used for the following purposes:

      • Contact you by post, email or telephone.
      • Maintain our records in accordance with applicable legal and regulatory obligations.
      • We may process your personal data for purposes necessary for the performance of our contract with you, your employer or our clients and to comply with our legal obligations.
      • We may process your personal data for the purposes necessary for the performance of our contract with our clients. This may include processing your personal data where you are an employee, subcontractor, supplier or customer of our client.
      • Process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data. This includes processing for [marketing, business development, statistical and management purposes].
      • Process your personal data for certain additional purposes with your consent, and in these limited circumstances where your consent is required for the processing of your personal data then you have the right to withdraw your consent to processing for such specific purposes.
      • Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.

      Our legal basis for processing for the personal data:

      • Are to assist you as appointed agents to help you fulfil your legal responsibilities, regarding the maintenance of books and records, payroll, statutory records, audit and accounts filings and tax returns and for any other legal requirements.

In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.
If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.

1. Consent
   By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

   Consent is required for Grunberg & Co to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.

   You may withdraw consent at any time by contacting Grunberg & Co using the contact details in 3.1.

2. Disclosure
   Grunberg & Co will not pass on your personal data to third parties, except for when there is a need for us to We use our third-party service providers and agents for the purposes of completing tasks and providing services to you on our behalf, for example to enable bookkeeping and ensure you are kept up to date. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep the information secure and not to use it for their own purposes.
3. Retention Period
   We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. We are required by legislation, other regulatory requirements and our insurers to retain our data where we have ceased to act for you.

   When assessing what retention period is appropriate for your personal data, we take into consideration:

   • the requirements of our business and the services provided;
   • any statutory or legal obligations;
   • the purposes for which we originally collected the personal data;
   • the lawful grounds on which we based our processing;
   • the types of personal data we have collected;
   • the amount and categories of your personal data; and
   • whether the purpose of the processing could reasonably be fulfilled by other means.

   To ensure compliance with all such requirements it is the policy of the firm to retain data for a period of six years from the end of the period concerned. If for any legal reason your data is held past this time, you will be informed of the extension.

4. Yours Rights as a Data Subject
   It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us.

   Under certain circumstances, whilst we are in possession of or processing your personal data you, the data subject, have the following rights:

   • Right of access – you have the right to request a copy of the information that we hold about you. On receipt of such a request we will endeavour to respond to you as soon as possible, but at least within one calendar month. You must provide us with 2 forms of personal identity to ensure that we only disclose to you information which is relevant to you personally.
   • Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete.
   • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
   • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
   • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
   • Right to object – you have the right to object to certain types of processing such as direct marketing.
   • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
   • Right to judicial review: in the event that Grunberg & Co refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.5 below.
5. Change of purpose
   Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.

   Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

6. Complaints
   In the event that you wish to make a complaint about how your personal data is being processed by Grunberg & Co, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Grunberg & Co’s data protection representatives Head of Privacy.

   The details for each of these contacts are:

   	Supervisory authority contact details	Head of Privacy
   Contact Name:	Information Commissioners Office	Robert Bean
   Address line 1:	Wycliffe House	5 Technology Park
   Address line 2:	Water Lane	Colindeep Lane
   Address line 3:	Wilmslow	Colindale
   Address line 4:	Cheshire	London
   Address line 5:	SK9 5AF	NW9 6BX
   Email:		robertb@grunberg.co.uk
   Telephone:	0303 123 1113	020 8458 0083

Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, metal, economic, cultural or social identify of that natural person”.

How we use your information

This privacy notice tells you how we, Grunberg & Co, will collect and use your personal data for the performance of our services to you under 3.1.

Why does Grunberg & Co need to collect and store personal data?

In order for us to provide you with our services we need to collect personal data for correspondence purpose and/or detailed service provision. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

In terms of being contacted for marketing purposes Grunberg & Co would contact you for additional consent.

Will Grunberg & Co share my personal data with anyone else?

We will share your personal data with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so.

We may pass your personal data on to third party service providers contracted to Grunberg & Co in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with Grunberg & Co’s procedures. If we wish to pass your sensitive personal data on to a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.

How will Grunberg & Co use the personal data it collects about me?

Grunberg & Co will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR).

We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Grunberg & Co is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.

Under what circumstances will Grunberg & Co contact me?

Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

Can I find out the personal data that the organisation holds about me?

Grunberg & Co, at your request, can confirm what information we hold about you and how it is processed. If Grunberg & Co does hold personal data about you, you can request the following information:

• Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
• Contact details of the data protection officer, where applicable.
• The purpose of the processing as well as the legal basis for processing.
• If the processing is based on the legitimate interest of Grunberg & Co or a third party, information about those interests.
• The categories of personal data collected, stored and processed.
• Recipient(s) or categories of recipients that the data is/will be disclosed to.
• If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
• How long the data will be stored.
• Details of your rights to correct, erase, restrict or object to such processing.
• Information about your right to withdraw consent at any time.
• How to lodge a complaint with the supervisory authority.
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
• The source of personal data if it was not collected directly from you.
• Any details and information of automated decision making, such as profiling and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide in order to assess this?

Grunberg & Co accepts the following forms of ID when information on your personal data is requested:

Passport, driving license, birth certificate, utility bill (from the last three months).

How do we protect your data?

We follow appropriate security procedures in the collection, storage and use of your Information so as to prevent unauthorised access by third parties.

We process data at our offices at our Colindale and London addresses, with access restrictions in place and at the sites of our data processors within the UK. Our IT specialist retains our data at a different location equally protected behind the appropriate firewalls and other security devices.

We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We may, at times, transfer the personal data we collect about you outside of the EEA in order to perform our contract with you. There is an adequacy decision by the European Commission in relation to these countries therefore they will be deemed to provide an adequate level of protection for your personal information for the purpose of the Data Protection Legislation.
We have put in place measures to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the Data Protection Legislation.

However, unfortunately, the transmission of Information via the Internet is not completely secure. We cannot ensure the security of your Information transmitted by you to us via the internet. Any such transmission is at your own risk and you acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage or destruction of your Information, except to the extent we are required to accept such responsibility by the GDPR, The Privacy and Electronic Communications Regulations or the Data Protection Act. Once we have received your Information we will use security procedures and features to prevent unauthorised access to it.

Please remember that when you use a link to go from our website to another website or you request a service from a third party, our Policy no longer applies. Your browsing and interaction on any other website or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control, or endorse the Information collection or privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices. This Policy applies solely to Information collected by us through our website or services and does not apply to these third-party websites and third-party service providers.

CCTV

Please be advised that if you visit our premises CCTV is in operation for security purposes in the main entrance hall.

Contact details of the Head of Privacy at Grunberg & Co:

Our website utilises Google Fonts API to provide a unified and visually pleasing textual experience for our users. Google Fonts is a service offered by Google LLC (“Google”) that allows websites to utilise high-quality fonts.

By using Google Fonts, some information may be transferred to Google servers, which may be located in other countries. This section outlines how Google collects and uses data in relation to the Google Fonts Web API.

Data Collection by Google

When you visit a page on our website that uses Google Fonts, your web browser automatically sends a request to Google’s servers. This request may include the following information:

• IP Address
• Browser type and version
• Operating System
• Referrer URL
• The time of the request

This data is primarily used by Google to serve the font files to your browser and to improve the overall service quality.

Google may also use this data for the purposes of analytics and to enhance user experience. The data is processed in accordance with Google’s Privacy Policy, which you can review for further details: Google’s Privacy Policy.

If you are concerned about the data collection practices associated with Google Fonts, you may choose to disable the Google Fonts service through browser settings or use browser extensions designed to block such features. However, doing so may affect the appearance and functionality of our website.

Updates to this Section

We reserve the right to update or amend this section at any time to reflect changes in our practices or amendments to Google’s terms of service or privacy policy. We recommend reviewing this section periodically for the latest information on our use of Google Fonts.