This privacy notice applies to both GrowBe Ltd and to GrowBe Accounts Ltd.
Purpose of this Privacy Notice
We are committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).
Where you are data controller, for example in running a business who has clients of its own, we are a “data processor”. This means that you are responsible for deciding how you hold and use personal information about your clients, suppliers, employees and other data subjects.
Specific examples are if we run payroll or HR systems for you, we will process details about your employees, or if we manage your accounts, we will process details about your customers and suppliers.
For your personal data, we are a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to current and former clients and we may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are aware of how and why we are using such information.
Data Protection Principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as necessary for the purposes we have told you about
- Kept securely
The information we hold about you
Personal data can be any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection, but at present, we do not collect, store or process any of this data.
We may collect, store and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and email addresses
- Date of birth
- Marital status and any dependants
- Next of kin and emergency contact information
- Government data such as National Insurance number and Unique Taxpayer Reference (UTR)
- Financial details
- Educational details
- Employment details
- Business activities
- Goods and services provided
- Family, lifestyle and social circumstances
How we collect your personal information
We collect personal information at various stages of a business relationship.
Before signing a contract, we will research on-line, in particular at Companies House and via an internet search engine, for publically available data. If we believe this to be in your legitimate interest or have your consent, we will store some personal details in our Customer Relationship Management (CRM) system.
We may also collect data either directly from you the individual or via a previous service provider.
Generally, full information would be collected soon after signing a contract to provide services, then at certain intervals such as after a tax year-end or after a specific event that would change the personal data.
We would contact a previous service provider soon after signing a new contract to provide services and rarely later in the business relationship. Personal data would thereafter be collected directly and would be specifically required to fulfil our obligations under the contract.
How we will use Information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you
- Where we need to comply with a legal obligation
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
We may use automated decision-making in relation to marketing to you, subject to legal basis.
The situations in which we will use your personal information
We need all the categories of information in the list above (see ‘The information we hold about you’) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations.
The situations in which we will process your personal information are:
- To enable services detailed in the contract with you to be delivered
- Administering the contract we have entered into with you
- Contacting and liaising with your previous service provider
- Business management and planning, including accounting and auditing
- Liaising with selected third parties on your behalf – e.g. HMRC
- Making arrangements for the termination of our working relationship
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as the preparation and submission of a self-assessment tax return to HMRC), or we may be prevented from complying with our legal obligations.
Due to the nature of our services, failure to provide us with personal information when requested could result in financial penalties, such as a fine from HMRC for which you would be personally liable.
Change of Purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection.
The following are examples of special category data:
- Race, ethnic origin and religion
- Politics and trade union membership
- Health, genetics and biometrics (where used for ID purposes)
- Sex life and sexual orientation.
We currently do not collect or store this type of data as it is not required for the type of services currently provided. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent
- Where we need to carry out our legal obligations and in line with our Data Protection Policy.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.
Do we need your consent?
Consent is not required when we need to process a person’s personal data to comply with contractual obligations. As processing is necessary for a contract with an individual, for example, to submit a personal tax return, then processing is lawful on this basis and we do not need to get separate written consent. Please also refer to the following section on the lawful basis.
The Lawful Basis for Processing Data
There are six lawful bases under GDPR:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Sharing Your Data with Third Parties
We may have to share your data with third parties, including third-party service providers.
Generally, we will only share your data with a third party where it fulfils our contractual obligations with you. We may also share your personal data with a supervisor (such as ACCA), regulator, the government (in particular Companies House and HMRC), where required by law or where we have a legitimate interest in doing so.
We require third parties to respect the security of your data and to treat it in accordance with the law. All third parties that we deal with are required to take appropriate steps to protect your personal data. Third parties are only permitted to process data for the specified purpose and are not allowed to use data provided to them for any other purpose.
We use third parties to process personal data for the following activities:
- Pensions administration
- Tax and other Advice
- Health & Safety
- Business Coaching
- Business Advice
Transfers of personal data outside the EU
We do transfer data outside the EU. In all cases personal data is protected under the EC adequacy, EC approved clauses or US privacy shield.
Security of Personal Data
We take the security of all data seriously and we have put in place specific security measures to ensure personal information is kept secure. All information systems in use have appropriate security measures in place and access is limited to only those that require it. We use encryption and the use of secure data transfer systems to transmit any data outside of our companies. Third-party systems are all required to be GDPR compliant, which includes the requirement to ensure all data is secure. We have reviewed all third party systems and all current third-party relationships and the associated systems are GDPR compliant. Any future system changes or new systems would be fully reviewed prior to use to ensure the security of data and GDPR compliance.
Appropriate security measures are in place to ensure your personal data is not accessed in an unauthorised manner, lost, stolen or accidentally disclosed to an unauthorised third party.
In the event of a suspected data security breach, there are processes in place to notify you and the Information Commissioner’s Office of the event.
Retention of Data
Our data retention policy is driven by accounting and legal requirements which stipulate statutory periods for retaining data. We will only retain your personal data for as long as necessary to comply with statutory retention periods, but this is generally up to seven years in most cases.
Your Rights with regard to the Personal Data we hold
As laid out within the GDPR, individuals have various rights as follows:
The Right to be Informed
Individuals have the right to be informed whenever we collect or process their data. We are obligated to provide fair and transparent processing information and this is provided through Privacy Notices included within the Letter of Engagement and also available on our website. Any substantial changes would result in a revised Privacy Notice and this would be communicated to you as and when updates occur.
The Right of Access
Individuals have the right to access their personal data and any supplementary information.
Individuals have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Any supplementary information
The right of access also allows individuals to be aware of and verify the lawfulness basis for processing their data.
To help us provide the information you want and deal with your request more quickly, please address your concern to “The Data Protection Lead”. You should include enough details to enable us to verify your identity and locate the relevant information. We will put this into a Subject Access Request form (SAR). For example, you should tell us:
- your date of birth
- previous or other name(s) you have used
- your previous addresses in the past five years
- personal reference number(s) that we may have given you, for example, your national insurance number, your tax reference number or your VAT registration number
- what type of information you want to know
If you do not have a national insurance number, you must send a copy of:
- the back page/photo page of your passport or a copy of your driving licence
- a recent utility bill.
DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).
We will not charge you for dealing with a SAR.
You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.
Where you are a data controller and we act for you as a data processor (e.g. by processing payroll), we will assist you with SARs on the same basis as is set out above.
The Right to Rectification
Individuals have the right to have personal data corrected if it is inaccurate or incomplete.
If you believe the personal data we hold is inaccurate or incomplete, please inform us and we will work with you to correct this. Once the data has been corrected, we will send you a formal confirmation of this within one month of your original notification to us.
The Right to Erasure (also known as The Right to be Forgotten)
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If you believe this to be the case, please inform us and within 30 days we will send you a formal response.
The Right to Restrict Processing
Individuals have the right to ‘block’ or suppress the processing of personal data. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it. When you inform us of an issue where we would restrict processing, we will send you a formal response once the issue has been rectified and once the restriction has been lifted.
The Right of Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact John Bickell – Data Protection Lead.
Your obligations if you are a data controller
The data controller must exercise overall control over the purpose for which, and the manner in which, personal data are processed.
It is your responsibility to provide specified information about the processing to relevant data subjects so that the data processor does not need to do so.
Our obligations (as a data processor) to you (as a data controller)
We will process personal data only on documented instructions from you, including with regard to transfers of personal data to a third country or an international organisation unless required to do so by EU law or the law of a Member State; in such a case, we shall inform you of that legal requirement before processing, unless the law in question prohibits such information on important grounds of public interest.
We will obtain a commitment of confidentiality from anyone we authorise to process the personal data unless they are already under a statutory obligation of confidentiality.
We will take all measures required pursuant to Article 32 of the GDPR.
We will not engage another processor without your prior written consent. If you provide such consent, we will only engage another processor in compliance with the requirements of Article 28(2) and 28(4) of the GDPR.
Insofar as is possible, we will assist you in fulfilling your obligations to data subjects under Chapter III of the GDPR.
We will assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR.
At the end of the contract, we will delete all the personal data we have been processing for you or if you prefer, we will return to you at your cost all the personal data we have been processing for you, save insofar as we are required by law to retain any of the personal data.
We will make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
We will allow you (and/or an auditor appointed by you) to carry out audits and inspections in respect of compliance with the obligations laid down in Article 28 of the GDPR and will contribute to such audits and inspections.
We will inform you immediately if we consider we have been given an instruction which infringes the GDPR and/or other EU and/or Member State data protection provisions.
Data Protection Lead (DPL)
We have appointed a DPL to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPL. John Bickell is the DPL for us and is the person who you should direct all data queries to in the first instance, including issues related to any of your rights detailed in section 15 above.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues:
- By live chat
- By phone: 0303 123 1113
- In writing: Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Addresses for Wales, Scotland or Northern Ireland are here.
- Or via the ‘Report a Concern’ section of their website – www.ico.org.uk
GrowBe Ltd is registered with the ICO as a controller and processor of personal information with ICO Registration Number: ZA651397
GrowBe Accounts Ltd has an application in progress.
Updates to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a revised privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information or to collect and/or confirm your personal data.