The policy: This privacy policy notice is served by ITR Service Limited under the website; [www.ITRservice.co.uk]. The purpose of this policy is to explain to staff how we control, process, handle and protect personal information through the business and while you browse or use this website.

The policy applies to the ITR Service Limited Subsidiary, ITR Fiscal Services.

This policy was last updated on 7 January 2020.

Policy key definitions:

"I", "our", "us", or "we" refer to the business, ITR Service Limited.
"you", "the user" refer to the person(s) using this policy.
GDPR means General Data Protection Act.
DPO means the Data Protection Officer, currently Vered Welsh
PECR means Privacy & Electronic Communications Regulation.
ICO means Information Commissioner's Office.
AML means anti-money laundering
ICAEW means the Institute of Chartered Accountants in England and Wales
EEA means European Economic Area
Cookies mean small files stored on a user’s computer or device.

Key principles of GDPR:

Our privacy policy embodies the following key principles; (a) Lawfulness, fairness and transparency, (b) Purpose limitation, (c) Data minimisation, (d) Accuracy, (e) Storage limitation, (f) Integrity and confidence, (g) Accountability.

Contact in case of privacy questions or concerns

If you have any data privacy questions or concerns, please contact our data privacy officer Vered Welsh on vered.welsh@itrservice.co.uk

Collection of personal data

We obtain personal data in the following ways:

· Directly from individuals who provide us with their business cards or required personal data for our VAT refund and registration services

· Indirectly from businesses who are required to collect personal data about their customers for VAT compliance purposes

Categories of personal data collected

We may collect the following categories of personal data about individuals through direct interactions with us, or from information provided to us by customer, suppliers and other situations:

Personal data

· Contact details

· Professional details for potential employees of the business

· Personal details such as personal addresses and dates of birth for anti-money laundering checks

· Personal tax numbers, which are required for applications for VAT registrations in certain countries

Sensitive personal data

· Personal documents such as ID’s and proof of address required for anti-money laundering checks

· Adverse information which may arise from our software in the course of an anti-money laundering check

Processing of personal data

Under the GDPR (General Data Protection Regulation) we control and / or process any personal information about you electronically using the following lawful bases.

We are registered with the ICO under the Data Protection Register, our registration number is: Z1357702.

Lawful basis: Legal obligation
Where our purpose for processing is: compliance with anti-money laundering legislation
Which is necessary because: ITR are member of the ICAEW, who require identification of all of our clients to comply with AML legislation.
We process your information in the following ways: Compliance requires identification of the beneficial owners of all our clients. Where any individual owns 25% or more of a business, the owner’s identity will be verified using a Credit Safe AML check. In some instances, beneficial owners will be required to present additional proof of their identity.
Data retention period: In compliance with the law, we will retain AML information for 5 years after we cease doing business with you.

Sharing your information: This data would not be shared unless we are requested to by ICAEW, who are our regulatory body for AML, or another official organisation upon formal request. We do not share the data outside the EEA.

Lawful basis: Legal obligation
Where our purpose for processing is: Providing documentation to a tax authority in order to obtain a VAT registration

Which is necessary because: Some tax authorities require personal identity documents and addresses for directors and shareholders. Refusal to provide the identity documents will result in the VAT number not being issued.
We process your information in the following ways: Where required, a copy of your identity document will be provided to the tax authority.
Data retention period: We will continue to process your information under this basis until you withdraw consent or it is determined your consent no longer exists.
Sharing your information: We do share your personal information with third parties (the tax authority requesting the information). We do not share the data outside the EEA.

Lawful basis: VAT compliance – Legal obligation
Where our purpose for processing is: In order to comply with VAT compliance obligations, we may be required to collect the customer names and addresses for any sales, including those to consumers.

Which is necessary because: For VAT compliance in certain countries, the names and addresses are required to be collected om accordance with local VAT legislation.
We process your information in the following ways: The data on customer sales will be used to compile your VAT returns.
Data retention period: We will continue to process your information under this basis until you withdraw consent or it is determined your consent no longer exists.
Sharing your information: We do share your personal information with third parties (the tax authority requesting the information) and our agents who process the VAT returns. We do not share the data outside the EEA.

If, as determined by us, the lawful basis upon which we process your personal information changes, we will update our policy and any new lawful basis to be used if required. We shall stop processing personal information if the lawful basis used is no longer relevant.

Individual rights of persons where we hold personal data

Under the GDPR the persons rights are as follows:

· the right to be informed;

· the right of access;

· the right to rectification;

· the right to erasure;

· the right to restrict processing;

· the right to data portability;

· the right to object; and

· the right not to be subject to automated decision-making including profiling.

Individuals also have the right to complain to the ICO [www.ico.org.uk] if they feel there is a problem with the way we are handling their data.

We handle subject access requests in accordance with the GDPR.

Cookies and IP addresses

We may collect information about an individuals computer, including where available their IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.

For the same reason, we may obtain information about their general internet usage by using a cookie file which is stored on the hard drive of their computer. Cookies contain information that is transferred to their computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

· To estimate our audience size and usage pattern.

· To store information about your preferences, and so allow us to customise our site according to your individual interests.

· To speed up your searches.

· To recognise you when you return to our site.

Users may refuse to accept cookies by activating the setting on their browser which allows you to refuse the setting of cookies. However, if they select this setting they may be unable to access certain parts of our site. Unless they have adjusted their browser setting so that it will refuse cookies, our system will issue cookies when they access our site.

We collect non identifiable data about website users and use it across various Google products (Such as Google Analytics and Google Ads) to help optimise our Analytical and Advertising efforts.

We cannot identify any personal information with this and neither can Google. For more information please visits Googles help pages https://support.google.com/analytics/topic/2919631?hl=en&ref_topic=1008008

Data security and protection

We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR compliance policy.

When to contact the DPO

2.7. Please contact the DPO with any questions about the operation of this Privacy Policy or the GDPR, or if you have any concerns that this Privacy Standard is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

· if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company)

· if you need to rely on Consent and/or need to capture Explicit Consent

· if you need to draft Privacy Notices or Fair Processing Notices

· if you are unsure about the retention period for the Personal Data being Processed

· if you are unsure about what security or other measures you need to implement to protect Personal Data

· if there has been a Personal Data Breach

· if you are unsure on what basis to transfer Personal Data outside the EEA

· if you need any assistance dealing with any rights invoked by a Data Subject

· whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA or plan to use Personal Data for purposes others than what it was collected for

· if you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making

· if you need help complying with applicable law when carrying out direct marketing activities; or

· if you need help with any contracts or other areas in relation to sharing Personal Data with Third Parties (including our vendors).

We regularly update our privacy policy.