MAY 2019


This policy outlines the data protection procedures we have adopted and by which we abide to ensure we are GDPR compliant.

Definitions in this Privacy Notice


Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.

Data Controller: AJM Accountancy & Bookkeeping Ltd has determined the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws.  Any questions about the operation of this Notice or any concerns that the Notice has not been followed should be referred in the first instance to the Data Protection Officer.

Data Protection Officer: Michelle Chappell, Director, is the appointed officer who is responsible for awareness-raising, training staff and informing and advising the Data Controller, Data Processors and Data Users on how to ensure compliance with the enactments, and for monitoring that compliance.

Data Processor: Any person or organisation that is not a Data User that processes personal data on our behalf and in accordance with our specific instructions. Our staff will be excluded from this definition, but the definition could include suppliers who handle personal data on our behalf.

Data Subjects: All living individuals about whom we hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.

Data Users: Our employees whose work involves processing your Personal Data. Data Users are responsible for the proper use of the data they process and must protect the data they handle in accordance with this Notice.

The Enactments: The General Data Protection Regulations 2017 (GDPR) regulates the way in which all Personal Data is held and processed.

Personal Data: Information which can be used to directly or indirectly identify a living individual.

Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring personal data to third parties.

Supervisory Authority: The Authorised Body which is empowered to govern and manage how the GDPR is implemented and abided by in a particular EU state. In the case of the UK, the Supervisory Authority is the Information Commissioner’s Office.

Sensitive Personal Data: This includes information about a person's race, ethnicity, political opinions, convictions, religion, trade union membership, physical and/or mental health, and sexual preference. Sensitive personal data can only be processed with the express written consent of the person concerned.



Data Controller

AJM Accountancy & Bookkeeping Ltd is the Data Controller for the purposes of GDPR.

Purpose and basis for processing

As a Data User, AJM Accountancy & Bookkeeping Ltd and our employees will need to collect, process and store information about your business, its directors, employees and prospective employees for the purposes of providing our accountancy and bookkeeping services. This information will be used for our management and administrative use only. Data will be kept and used to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately. This includes using information to enable us to comply with the contract of service we have with you, to comply with any legal requirements, pursue the legitimate interests of the Company and protect our legal position in the event of legal proceedings.  


Where we process information for reasons other than stated above, we will ask you to obtain consent from the Data Subject.  The Data Subject has the right to withdraw their consent at any time and you will be required to confirm this when you ask for their consent.

Types of data being processed

The sort of information we will hold/process includes:

Contact details; bank details and statements; HMRC details; previous accountant details; payroll and salary information; pension information; next of kin details; letters to mortgage/loan providers; benefits and expenses information; leave and sickness records.

Sources of data

Most of the information will be provided by you but in some instances it may have come from third parties such as verified data collection agencies or HMRC.

Contractual basis of data provision

Such data is required to enable AJM Accountancy & Bookkeeping Ltd to provide accountancy and bookkeeping services.

If you do not provide this data, we may be unable in some circumstances to comply with our obligations under our contract of service and we will tell you about the implications of that decision. 

We will ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data has changed, you are entitled to contact us and request that your Personal Data is amended. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data. 


Automated Decision Making

We do not use automated decision making.


Data Retention periods

Data will only be retained for as long as legitimately necessary given the type of data, approximately 6 years.  Once Personal Data is no longer required, we will take all reasonable steps to destroy and erase it.  


Keeping Your Personal Data Secure

Our employees and contracted personnel are bound to our privacy policies, procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.  We maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and when we do so we abide by the following definitions:


Confidentiality: We ensure that only the people authorised to use your Personal Data can access it. Employees are prohibited from accessing and viewing your Personal Data unless it is necessary to do so.

Integrity: We will make certain that your Personal Data is accurate and suitable for the purpose for which it is processed.

Availability: We have established procedures which mean only our authorised Data Users should be able to access your Personal Data if they need it for authorised purposes.


We also maintain security procedures which include, but are not limited to:

  • Secure lockable desks and cupboards which are kept locked if they hold your personal data.

  • Paper documents containing Personal Data are shredded and digital storage devices shall be physically destroyed when they are no longer required.

  • Data Users are appropriately trained and supervised in accordance with this Notice, which includes requirements that computer monitors do not show confidential information to passers-by and that Data Users log off from or lock their PC/electronic device when it is left unattended.

  • Our computers have appropriate password security, boundary firewalls and effective anti-malware defences.  We routinely back-up electronic information to assist in restoring information in the event of disaster and our software is kept up-to-date with the latest security patches.


One or all of the following measures shall be applied to the personal data held: separating the personal data and/or pseudonymisation and/or the encoding of the data.


We shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.


Data Sharing

We will only disclose the personal data provided by you to third parties (Data Processors outside of our business) if we are legally obliged to do so (e.g. for Anti-Money Laundering purposes) or where we need to in order to comply with our contractual duties to you and the Data Processor agrees to comply with our procedures and policies, or if the Processor puts in place security measures to protect Personal Data which we consider adequate and which are in accordance with the Enactments (e.g. accounting software such as QuickBooks, Sage, Xero etc.).


Transfers of data outside of Europe

We shall only transfer any Personal Data we hold to a country outside the European Economic Area ("EEA") if one of the following conditions applies:

  • The country to which your Personal Data shall be transferred ensures an adequate level of protection and can ensure your legal rights and freedoms.

  • You have given your consent that your Personal Data is transferred.

  • The transfer is necessary for one of the reasons set out in the Enactments, including the performance of a contract between you and us, or to protect your vital interests.

  • The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

  • The transfer is authorised by the ICO and we have received evidence of adequate safeguards being in place regarding the protection of your privacy, your fundamental rights and freedoms, and which allow your rights to be exercised.


Rights of Data Subjects

Data Subjects have the right to request access to, rectification of or erasure of their personal data.

You have the right to lodge a complaint with the Information Commissioner’s Office if you believe AJM Accountancy & Bookkeeping Ltd has not complied with the requirements of the GDPR or The Data Protection Act.

We keep our privacy policy under regular review and reserve the right to amend and update the policy as required. Where appropriate, we will notify you of those changes by mail, email and/or by placing an updated version of the policy on our portal/website.



If you have any concerns as to how your data is processed, please contact our Data Protection Officer; Michelle Chappell, Director,