Policy document last updated: March 2020
Nimbus Accounting Limited trading as Nimbus Chartered Accountants (“Nimbus”, the “Company”, “we” or “us”), are committed to maintaining the accuracy, confidentiality and security of your Personal Data in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (the “DP Law”) together with any other relevant laws, regulations and secondary legislation as amended from time to time.
As required under the Law, this Privacy Notice provides details of the information gathered on Nimbus, its clients, Directors and employees (including temporary) and includes suppliers, business contacts and other people the organisation has a relationship with or may have received Personal Data from.
This Privacy Notice includes how this Personal Data must be collected, handled and stored to meet the Company’s Data protection standards – and to comply with the DP Law. The DP Law applies regardless of whether Personal Data is stored electronically, on paper or on other materials.
For the purposes of this Privacy Notice, Personal Data is any information about an identifiable individual, other than the person’s business title or business contact information when used or disclosed for the purpose of business communications. Personal Data does not include anonymous or non-identifiable information (i.e. information that cannot be associated with or tracked back to a specific individual).
Nimbus will collect Personal Data for the purpose of conducting our contracted services such as the provision of accounting, bookkeeping and tax related services.
Nimbus will also collect Personal Data for the purpose of fulfilling AML regulations on knowing your clients and staff.
We usually collect this Personal Data directly from you however on occasions we do collect Personal Data from third parties, with your permission (such as from a previous accountant) or from public sources.
We do not use automated means to collect Personal Data.
We will not collect any personal information that identifies a visitor to our website individually unless you choose to identify yourself by completing a contact form. We will only hold this Personal Data for the purpose of replying to your query.
We do not intend to process your Personal Data for a purpose other than that for which it was collected, however, if circumstances change, we will provide you with information on the intended purpose and any other relevant information.
We may hold your Personal Data both in hard copy files and on IT systems. All Personal Data obtained will be retained securely and only used for the purposes set out in the DP Law and in accordance with the purposes for which it was collected. Nimbus has a Data Retention policy and all hard copy documentation and electronic documentation will be stored securely and returned or erased from the company records following a set period after the termination of our relationship with you. This is generally six years after the contractual relationship has terminated unless a longer period is required in order to comply with laws & regulation.
Personal Data and relevant information may be shared with staff members of Nimbus and will only be shared with external trusted service providers where a contract is in place with us, such as:
A full list of service providers used in relation to your Personal Data can be provided on request.
Any request for Personal Data made by a financial services regulator or public authority or governmental body with jurisdiction over Nimbus will be complied with.
Contractors and sub-processors will only be used by us to process Personal Data where they meet the requirements of the DP Law and Nimbus shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Nimbus or any such approved contractor or sub-processor who may have access to Personal Data, ensuring that all such individuals are subject to confidentiality agreements or other professional or statutory obligations of confidentiality.
Privacy and Personal Data protection principles vary from one country to another. We draw your attention to the fact that Guernsey law extends only to Guernsey territory and that all Personal Data transmitted abroad therefore ceases to enjoy any protection under Guernsey law.
We do not in the normal course of our business transfer Personal Data outside of the Bailiwick of Guernsey and the European Economic Area although certain Data processors host their servers outside of the EEA. Should such a transfer be deemed necessary, we will ensure contractual safeguards are in place with any third party as relevant or that the Data processor has EEA Data protection regulation equivalence or compliance with the EU-US Privacy Shield.
No information collected will be disclosed to any third party, other than in accordance with the terms set out below:
We will take appropriate security measures to safeguard Personal Data against unlawful or unauthorised Data Processing and against accidental loss or damage, misuse or disclosure, and to ensure that it is not accessed except by our employees in the proper performance of their duties. We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
Personal Data will only be transferred to a Data Processor if that Data Processor agrees to comply with those procedures and policies or if he or she puts in place adequate measures themselves.
We have put in place procedures to deal with any suspected Personal Data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
In the case of a breach, steps will be taken to identify exactly what information has been breached and action taken to limit the adverse consequences.
Should you wish to complain to Nimbus, please do so in writing to the address stated in the “Contact us” Section below.
Section 67 of the DP Law provides a right for you to complain directly to the Office of the Data Protection Authority for the Bailiwick of Guernsey. Sections 82 and 83 of the DP Law provides for rights of appeal. Where that complaint relates to the processing of your Personal Data by Nimbus, specific procedures can be found on the Authority’s website www.odpa.gg.
Under the EU’s General Data Protection Regulation (GDPR) and the DP Law, you have specific legal rights and responsibilities with regards to your Personal Data. These rights have been summarised in Appendix 1.
Registered Office Address: Pula House, La Grande Rue, St Martins, Guernsey, GY4 6RT
Telephone: +(01481) 234438 – email [email protected]
You have a right to be given various information about the Personal Data we hold about you along with a statement as to whether the provision of your Personal Data is a statutory or contractual requirement.
You have the right to request a copy of the Personal Data that we hold about you and why, by submitting a ‘subject access request’.
You may also ask us to move, or ‘port’, your Personal Data to another organisation electronically. We will only port Personal Data that you have provided to us, that we have processed based on your consent or in the performance of a contract. We will port your Personal Data without charge and within one month, where technically feasible.
Where we are unable to comply with a request made by you without disclosing information relating to another individual who is identified or identifiable from that information, we have the right to refuse provision or transmission.
You have the right to require us to cease processing of your Personal Data for direct marketing purposes, on grounds of public interest or for historical or scientific purposes.
We want to make sure that your Personal Data is accurate, complete and up to date. You have the right to ask us to rectify or change the Personal Data, you think is inaccurate or incomplete, and we ask that you inform us promptly of any changes to your circumstances.
You may also ask us to erase your Personal Data from our systems, in certain circumstances. There are some specific circumstances where the right to erasure does not apply and we are permitted to hold your Personal Data. We will explain the reason for this at the time if this should occur.
You have a right to request that we stop, restrict or do not begin the processing of your Personal Data in certain circumstances such as where it is causing, or is likely to cause, substantial unwarranted damage or substantial distress to you or anyone else. We will inform our third parties to whom we have disclosed your Personal Data that they must also restrict processing. We will inform you when the restriction on processing your Personal Data ends.
You have a right not to be subjected to an automatic decision and we would only allow automated processing with your consent or if it is necessary to protect your vital interests.