DATA PROTECTION: FAIR PROCESSING NOTICE
IN-SYNC Group Ltd, takes the protection and privacy of personal data seriously. This Fair Processing Notice explains how we use, protect and store personal data before, during and after being a customer of IN-SYNC Group.
Our contact details
4 The Millennium Centre,
Crosby Way,
Farnham,
Surrey, GU9 7XX
Telephone number: 01252 70 40 30
Our Data Protection Officer can be emailed at dpo@in-syncgroup.com.
What personal data do we collect about you, how do we use that personal data, and what is our legal basis?
We need a legal basis in order to process your personal data. Any data we process is because we either have a contract with you (or you wish to obtain a contract with us), we have a legal obligation to do so, or because it is a legitimate activity. On occasion, we will seek your consent to process your personal data, but you are free to refuse.
When you are a customer or wish to become a customer of IN-SYNC Group, we collect and process your personal data:
- in order to fulfil our terms of service with you;
- to fulfil our legal obligations to prevent money laundering, fraud and terrorist financing;
- where the activity is a legitimate one for a business; and
- with your consent for marketing.
We process your personal data because we have a contract with you, you would like to enter into a contract with us or it is a legitimate business activity.
We process the following data to provide you with tax or vat services and to contact you. Our legal basis to do so is because we have a contract with you or you would like to enter into a contract with us.
- your name
- address
- date of birth
- NI number
- home phone
- mobile
- email address
- your financial data
- your employment data
- Unique Tax Reference number (UTR, verification for tax and CIS)
Once you become a customer of IN-SYNC Group, we will assign you a customer unique identifier number as this is a legitimate activity in order to avoid any system errors or mistakes in making payments.
We will send you tax and VAT updates and useful information as part of our contractual service with you.
In order to provide you with the most appropriate accounting services, we may need to process the personal data of your family members (name, address, DOB and potential other personal data or financial data) but only if they provide services to, or on behalf of your business.
IN-SYNC Group will share your data with our other companies, within the Group, for administrative and reporting purposes only. This is legitimate activity for us.
If you are using the services of one or more of the Group Companies their Fair Processing Notices can be requested by emailing support@in-syncuk.com:
We process your personal data because we have a legal obligation to do so.
In order to comply with our legal obligations to prevent money laundering, fraud and terrorist financing, we will process some of the following data:
- passport (name, DOB, facial biometrics, passport number, nationality, gender, place of birth, signature);
- Biometric Residents Permit (name, date and place of birth/ biometrics - fingerprints and a photo of face/ immigration status / access to public funds);
- identity card issued by the Electoral Office for Northern Ireland (name, DOB, photo);
- valid photo card driving license (name, DOB, signature);
- recent evidence of entitlement to a state- or local authority-funded benefit, including housing benefit, council tax benefit, tax credits, state pension, educational or other grant (name, address, DOB, NI number);
- current council tax letter or statement (name, address);
- HMRC-issued tax notification (name, address, DOB, NI number);
- end of year tax deduction certificates (name, address, DOB, NI);
- current bank statements or credit/debit card statements (name, address);
- current utility bill (name, address);
- date of birth (for age verification and general identity);
- instrument of a court appointment, such as a liquidator or grant of probate (name, address);
In order to process the identity checks, we will use credit reference agencies (“CRAs”). These checks are regulatory requirements.
To do this, we will supply your personal information to CRAs and they will give us information about you. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- Verify the accuracy of the data you have provided to us; and
- Prevent criminal activity and fraud.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
IN-SYNC Group uses Callcredit as our CRA. Callcredit’s role is also as a fraud prevention agency, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with Callcredit are explained in more detail at www.callcredit.co.uk/crain
We process your personal data with your consent and where it is a legitimate business activity.
We will send you information pertaining to IN-SYNC Group because you are a customer of ours as this is a legitimate business activity. We will also send you this information for one year after you have left IN-SYNC Group as you may wish to come back to us and this is a legitimate activity.
We will send you marketing information and newsletters from other companies in the IN-SYNC Group only when you consent for us to do so.
We will send you marketing information from certain third parties, only where this is linked to the provision of any financial service through an IN-SYNC Group company, and is a legitimate business activity. You can limit or withdraw consent for this marketing at any time.
Should you choose to engage with such a third party service provider you will be provided with a separate Data Protection processing notice in respect of that service from the relevant service provider.
We will ask for feedback on our products or services in order to monitor and improve our service delivery, and this is a legitimate activity for us. You can complete these questionnaires if you wish to, however you are not obliged to do so. These questionnaires are not anonymous.
You have the right to unsubscribe to marketing at any time. If you do choose to unsubscribe, we will keep your name and email address on a suppression list so that we don’t email you again by accident and this is a legitimate activity for us.
If you are on our suppression list, you will still receive communications that are necessary to the performance of your chosen services, or notifications to avoid you missing deadlines and/or incurring penalties.
How long do we hold your personal data?
We will hold your personal data that was collected for anti-money laundering purposes for five years from when you ceased a relationship with IN-SYNC Group, after which it will be destroyed. This is in accordance with Anti-Money Laundering Regulations.
We will hold the personal data that was collected for the purposes of providing you with
accounting service while you are a customer and for seven years, after which it will be destroyed. This is in accordance with HMRC guidance.
If you have started the process to become a customer and then changed your mind, we will hold your data for two years, after which it will be destroyed. We hold it for two years in case it is required for by law enforcement agencies or for legal reasons.
We will hold your name, email and phone number to send you marketing information as long as you would like us to do so. If you withdraw your consent, we will hold this data for five years in a suppression list so that we don’t market to you against your wishes and this is a legitimate activity for us.
Do we use any automated decision making?
We do not use any automated decision making.
Who do we share your personal data with?
Depending on your chosen services and our requirements, we may share your personal data with the following recipients:
- HMRC for the purpose of providing your chosen services and responding to requests for information;
- National Crime Agency, Action Fraud and any other competent and authorised body for the prevention, detection and investigation of money laundering, fraud or terrorist financing;
- the Financial Conduct Authority (FCA) for the purposes of any business activity regulated by the FCA (including Consumer Credit and Money Services);
- the Financial Ombudsman Service (FOS) to resolve any complaint or dispute involving the FOS;
- our software, technology applications, database providers (Campaign Monitor Pty Ltd, Docusign UK Ltd, IRIS Software Ltd, Microsoft, SmartSheet Inc, TextAnywhere Ltd, Text Marketer Ltd, Signable Ltd, OVH, Symantec, Veritas, Gamma Horizon, Akixi, Zendesk, MFG, Hubspot, Quotevine, Instapage, Landingi, Facebook, Google, LinkedIn, Umbraco, Wordpress, Outgrow, YouTube, Outbrain, Plivo, The SMS Works, Merit, Feefo) necessary for recording, securing and updating your personal details and administering services internally as well as external communications;
- Callcredit Information Group Ltd for the purpose of identification, address and bank account verification;
- Barclays Bank Plc for the purpose of making payments;
- Capita Pay360 for the purpose of administering payments;
- companies that verify publicly available documents and information (e.g. Credit Reference Agencies, Home Office);
- ARC (Europe) Ltd for the purposes of collecting aged debtors;
- Compliancy Services Ltd for the 3rd party auditing of FCA and general compliance;
- business outsource partners conducting processing activities on our behalf, and in order to perform certain elements of the contract we have in place with you;
- High Court Enforcement Officers Association for the purposes of enforcing High Court writs to seize and sell assets to settle unpaid judgements;
- Information Commissioners Office in the event of a request for information or breach;
- IN-SYNC Group Companies (only with your express consent) for marketing relevant services;
- Legal advisors and consultants
- Insurance companies.
Do we transfer your personal data outside of the EU or EEA?
Your data is kept in the EU or EEA except for data that is processed by SmartSheet Inc, a technology application used by us to create administrative spreadsheets.
SmartSheet Inc is located in the USA, which is non-adequate country for data transfer as determined by the European Commission. Your data is protected by SmartSheet Inc by the Data Processing Addendum (“DPA”) they have in place, which incorporates the Standard Contractual Clauses (“SCC”) to ensure there is a valid transfer mechanism in place in accordance with the GDPR and Smartsheet regularly reviews its practices to ensure that it treats all data in accordance with Article V Standards of the GDPR. Details of which can be found here https://www.smartsheet.com/legal/DPA. Smartsheet continues to maintain its participation in and have certified their compliance with the EU-U.S. and US-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”) although this has been invalidated by the European Court of Justice, Smartsheet is committed to continuing to protect personal data in accordance with the Privacy Shield Principles.
Your Rights
You have a number of rights in respect of our processing of your personal data which are:
- To access to your personal data and information about our processing of it. You also have the right to request a copy of your personal data (but we will need to remove information about other people).
- To rectify incorrect personal data that we are processing.
- To request that we erase your personal data if:
- we no longer need it;
- if we are processing your personal data by consent and you withdraw that consent;
- if we no longer have a legitimate ground to process your personal data; or
- we are processing your personal data unlawfully.
- To object to our processing if it is by legitimate interest;
- To restrict our processing if it was by legitimate interest;
- To request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out automated means.
If you want to exercise any of these rights, please contact us on 01252 70 40 30 or email our Data Protection Office on dpo@IN-SYNCgroup.com.
You also have the right to lodge a complaint about our processing with the UK's Information Commissioner's Office.