Contact Details

Data Protection Officer: Helen Christopher

• ???? Email: helen@bean-sprout.co.uk

• ???? Address: Capability House, B31 Wrest Park, Silsoe, Bedfordshire, MK45 4HR

• ☎ Phone: 01525 306920

Helen Christopher can be contacted regarding your personal data, including subject access requests.

---

1. Introduction

We are a data controller under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). We are committed to meeting our legal obligations and will only process personal data as necessary to:

• Deliver the agreed professional services

• Fulfil legal obligations

• Address any purposes specifically agreed with you

---

2. Information Collected

We collect and process personal data to:

• Fulfil contractual obligations

• Meet legal and professional requirements

Types of personal data we collect include:

• Name and address

• Email address

• Telephone number

• HMRC-held information

• Data for tax returns

• Data for accounts preparation

• All relevant correspondence

If you do not provide the required information, we may be unable to offer services and will trigger disengagement as outlined in our terms and conditions.

---

3. How Information is Collected

We collect data from the following sources:

• You

• Your spouse/partner

• HMRC

• Your organisation

• Electronic ID verification providers

• Authorised third parties (e.g. banks, investment brokers)

---

4. How Your Information is Used

We may use your data to:

1. Deliver contractual services

2. Contact you about other services (with consent)

3. Fulfil legal and regulatory obligations

4. Pursue legitimate business interests

We retain records in line with our retention policy and use them to defend against legal or disciplinary action within statutory limits.

There is no automated decision-making or automatic data portability.

Subcontractors are required to comply with GDPR.

---

5. Lawful Basis for Processing

We process personal data on the following legal bases:

• Contract: For agreed services under engagement

• Consent: For broader expectations or marketing (if given)

• Legal obligation/Public interest: To comply with regulations

• Legitimate interests: For operational purposes

---

6. International Data Transfers

We do not transfer personal data outside the UK.

---

7. Sharing Information with Others

We may share your data with:

• HMRC

• Finance or pension providers

• Investment brokers

• Subcontractors (bound by our standards)

• A designated alternate (in the event of incapacity/death)

• Tax insurance providers

• Professional indemnity insurers

• Our professional body or quality assurance reviewers

You cannot opt out of these disclosures where they are necessary for our services. If you object, we may cease to act for you.

We may also disclose information to:

• Law enforcement or courts

• ICO (Information Commissioner’s Office)

• Professional insurers or advisers (e.g. in defending claims)

• Disciplinary bodies (in the event of a complaint)

• Your new advisers (at your request)

---

8. Data Security

We maintain robust security measures to protect personal data from:

• Loss

• Misuse

• Alteration

• Unauthorised access

Access is limited to those who need it and process it under our instruction. All policies are reviewed regularly.

---

9. Retention of Information

We retain records as follows:

1. Tax returns/accounts: 7 years from end of tax year

2. Ad hoc advisory work: 7 years from end of relationship

3. Ongoing relationships: Permanent data (e.g. capital gains records) retained during the relationship, then deleted 7 years after it ends

4. Money Laundering Regulations: Data retained under Regulation 40(5) MLR 2017 for up to 7 years by agreement

---

10. Subject Access Requests (SARs)

You can request access to the personal data we hold about you. Requests must be:

• In writing to the contact above

• Accompanied by proof of ID and address, if requested

Authorising a third party: You must provide signed authority for someone else to request data on your behalf.

We may refuse requests if:

• They duplicate previous requests with no material changes

• Disclosure would:

  • Prejudice law enforcement or tax collection

  • Reveal another person’s identity or confidential data

Refusals will be communicated with reasons in writing.

---

11. Right to Rectification

If any of your personal information is incorrect, please notify us so we can correct it.

---

12. Right to Erasure

You may request deletion of your records. This will be considered case-by-case. We may refuse under specific lawful grounds and will provide reasons where applicable.

More information: www.ico.org.uk

---

13. Right to Restrict Processing / Right to Object

You may ask us to block or restrict processing of your personal data, or object to how it is used. Please notify us if this applies to you.

---

14. Withdrawal of Consent

You may withdraw consent to marketing communications at any time. We will stop contacting you for marketing purposes, but will continue processing your data under other legal bases (e.g., contractual, legal obligations).

---

15. Right to Data Portability

This right applies where:

• You provided the data directly

• Processing is based on consent or contract

• Processing is automated

We will respond within one month of your request. This may be extended by up to two further months where necessary.

---

16. Complaints

If you are dissatisfied with how we process your data, please contact us directly. If unresolved, you can contact:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
???? Visit: www.ico.org.uk

You may also contact our professional body, as stated in the terms and conditions.

---

17. Privacy Notice Confirmation

By signing or continuing engagement, you acknowledge and accept:

• The processing of your personal data as outlined

• Access rights by our alternate in case of incapacity

• Communication and data transmission via:

  • Post / hard copy

  • Password-protected emails

  • Encrypted emails

  • Unencrypted emails (no attachments)

  • Secure portals

  • Cloud-based software

You accept the associated risks of digital communication.