CLIENT LOGIN

Privacy Notice

Your privacy matters to us

Policy document last updated: March 2020

The Purpose of this Notice

Nimbus Accounting Limited trading as Nimbus Chartered Accountants (“Nimbus”, the “Company”, “we” or “us”), are committed to maintaining the accuracy, confidentiality and security of your Personal Data in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (the “DP Law”) together with any other relevant laws, regulations and secondary legislation as amended from time to time.

As required under the Law, this Privacy Notice provides details of the information gathered on Nimbus, its clients, Directors and employees (including temporary) and includes suppliers, business contacts and other people the organisation has a relationship with or may have received Personal Data from.

This Privacy Notice includes how this Personal Data must be collected, handled and stored to meet the Company’s Data protection standards – and to comply with the DP Law. The DP Law applies regardless of whether Personal Data is stored electronically, on paper or on other materials.

What is Personal Data?

For the purposes of this Privacy Notice, Personal Data is any information about an identifiable individual, other than the person’s business title or business contact information when used or disclosed for the purpose of business communications. Personal Data does not include anonymous or non-identifiable information (i.e. information that cannot be associated with or tracked back to a specific individual).

Personal Data we collect, process, and hold includes (amongst other):

  • Name and residential address 
  • Date of birth
  • Contact details in relation to proposed services or the provision of services we provide or your preferred method of our communications with you
  • Details of any services you may have received from us or continue to receive from us
  • Identification numbers and documents (i.e. TIN’s and passport numbers)
  • Various financial information including assets, liabilities, and transactions
  • Tax Information
  • Bank statements
  • Citizenship
  • Occupation
  • Information received from research or other sources, such as publicly available information
  • Information relating to requirements set out in the Guernsey Financial Services Commission’s Handbook on Countering Financial Crime and Terrorist Financing
  • Information received from background or criminal record checks as appropriate
  • Information provided by you in our dealings with you including employment data, professional qualifications, payroll data, expense claims, accounting and tax records and other items such as these which may contain Personal Data

Why we collect and use this information:

Nimbus will collect Personal Data for the purpose of conducting our contracted services such as the provision of accounting, bookkeeping and tax related services.

Nimbus will also collect Personal Data for the purpose of fulfilling AML regulations on knowing your clients and staff.

We usually collect this Personal Data directly from you however on occasions we do collect Personal Data from third parties, with your permission (such as from a previous accountant) or from public sources.

We do not use automated means to collect Personal Data.

We will not collect any personal information that identifies a visitor to our website individually unless you choose to identify yourself by completing a contact form. We will only hold this Personal Data for the purpose of replying to your query.

We do not intend to process your Personal Data for a purpose other than that for which it was collected, however, if circumstances change, we will provide you with information on the intended purpose and any other relevant information.

Storing this information

We may hold your Personal Data both in hard copy files and on IT systems. All Personal Data obtained will be retained securely and only used for the purposes set out in the DP Law and in accordance with the purposes for which it was collected. Nimbus has a Data Retention policy and all hard copy documentation and electronic documentation will be stored securely and returned or erased from the company records following a set period after the termination of our relationship with you. This is generally six years after the contractual relationship has terminated unless a longer period is required in order to comply with laws & regulation.

Who we share this information with?

Personal Data and relevant information may be shared with staff members of Nimbus and will only be shared with external trusted service providers where a contract is in place with us, such as:

  • Information technology providers and Data processors that comply with the EU-US Privacy Shield Framework
  • Third party service providers relevant to our work (such as compliance / IT / cyber security / legal advisors)
  • Subcontractors under contract

A full list of service providers used in relation to your Personal Data can be provided on request.

Any request for Personal Data made by a financial services regulator or public authority or governmental body with jurisdiction over Nimbus will be complied with.

Contractors and sub-processors will only be used by us to process Personal Data where they meet the requirements of the DP Law and Nimbus shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Nimbus or any such approved contractor or sub-processor who may have access to Personal Data, ensuring that all such individuals are subject to confidentiality agreements or other professional or statutory obligations of confidentiality.

Privacy and Personal Data protection principles vary from one country to another. We draw your attention to the fact that Guernsey law extends only to Guernsey territory and that all Personal Data transmitted abroad therefore ceases to enjoy any protection under Guernsey law.

We do not in the normal course of our business transfer Personal Data outside of the Bailiwick of Guernsey and the European Economic Area although certain Data processors host their servers outside of the EEA. Should such a transfer be deemed necessary, we will ensure contractual safeguards are in place with any third party as relevant or that the Data processor has EEA Data protection regulation equivalence or compliance with the EU-US Privacy Shield.

No information collected will be disclosed to any third party, other than in accordance with the terms set out below:

  • where we (or any third party acting on our behalf) are legally compelled to do so
  • where there is a duty to the public to disclose
  • where our interests require disclosure (where we receive a legal request to disclose)
  • where disclosure is made at your request or with your consent
  • where disclosure forms part of our contractual agreement

Data Security

We will take appropriate security measures to safeguard Personal Data against unlawful or unauthorised Data Processing and against accidental loss or damage, misuse or disclosure, and to ensure that it is not accessed except by our employees in the proper performance of their duties. We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.

Personal Data will only be transferred to a Data Processor if that Data Processor agrees to comply with those procedures and policies or if he or she puts in place adequate measures themselves.

We have put in place procedures to deal with any suspected Personal Data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

In the case of a breach, steps will be taken to identify exactly what information has been breached and action taken to limit the adverse consequences.

Complaints

Should you wish to complain to Nimbus, please do so in writing to the address stated in the “Contact us” Section below.

Section 67 of the DP Law provides a right for you to complain directly to the Office of the Data Protection Authority for the Bailiwick of Guernsey. Sections 82 and 83 of the DP Law provides for rights of appeal. Where that complaint relates to the processing of your Personal Data by Nimbus, specific procedures can be found on the Authority’s website www.odpa.gg.

Your Rights

Under the EU’s General Data Protection Regulation (GDPR) and the DP Law, you have specific legal rights and responsibilities with regards to your Personal Data. These rights have been summarised in Appendix 1.

Contact us at:

Registered Office Address: Pula House, La Grande Rue, St Martins, Guernsey, GY4 6RT
Telephone: +(01481) 234438 –  email [email protected]

 

APPENDIX 1

Right to information for Personal Data collected from Data subject

You have a right to be given various information about the Personal Data we hold about you along with a statement as to whether the provision of your Personal Data is a statutory or contractual requirement.

Right of Access

You have the right to request a copy of the Personal Data that we hold about you and why, by submitting a ‘subject access request’.

Right to Personal Data Portability

You may also ask us to move, or ‘port’, your Personal Data to another organisation electronically. We will only port Personal Data that you have provided to us, that we have processed based on your consent or in the performance of a contract. We will port your Personal Data without charge and within one month, where technically feasible.

Exception to right of portability or access involving disclosure of another individual’s Personal Data.

Where we are unable to comply with a request made by you without disclosing information relating to another individual who is identified or identifiable from that information, we have the right to refuse provision or transmission.

Rights to Object

You have the right to require us to cease processing of your Personal Data for direct marketing purposes, on grounds of public interest or for historical or scientific purposes.

Right to Rectification

We want to make sure that your Personal Data is accurate, complete and up to date. You have the right to ask us to rectify or change the Personal Data, you think is inaccurate or incomplete, and we ask that you inform us promptly of any changes to your circumstances.

Right to Erasure

You may also ask us to erase your Personal Data from our systems, in certain circumstances. There are some specific circumstances where the right to erasure does not apply and we are permitted to hold your Personal Data. We will explain the reason for this at the time if this should occur.

Right to Restriction of Processing

You have a right to request that we stop, restrict or do not begin the processing of your Personal Data in certain circumstances such as where it is causing, or is likely to cause, substantial unwarranted damage or substantial distress to you or anyone else. We will inform our third parties to whom we have disclosed your Personal Data that they must also restrict processing. We will inform you when the restriction on processing your Personal Data ends.

Right not to be subject to decisions based on automated processing

You have a right not to be subjected to an automatic decision and we would only allow automated processing with your consent or if it is necessary to protect your vital interests.