Emotionally intelligent accountants

Emotionally intelligent accountants

Tel: 01305 760 600

Our GDPR Policy

Advoco – General Data Protection Regulation 2018 (GDPR) Privacy Programme
What we are doing to comply with GDPR.
As an organisation that handles personal data, Advoco is committed to ensuring that we are compliant with GDPR.
Some of the steps we have taken and are taking include:
● Keeping an audit trail of all data handled by Advoco and our Processors● Analysing GDPR requirements against our current processes and policies● Making changes to our processes in line with requirements● Reviewing and updating Contracts and our Privacy Programme, as and where required● Training all staff on the requirements of GDPR and Advoco’s data privacy procedures● With our Privacy Programme, we aim to ensure that data privacy is a day to day consideration in all aspects of our business, for all of our team members and is central to how we work.
By maintaining our commitment to these principles, we will ensure that we respect the inherent trust that you place in Advoco.

Advoco SW Limited Data Retention Policy
1st May 2021

1) Introduction
This Policy sets out the obligations of Advoco SW Limited, a company registered inEngland under number 4593365, whose registered office is at 14a Albany Road,Granby Industrai (“the Company”) regarding retention of personal data collected,held, and processed by the Company in accordance with EU Regulation 2016/679General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one whocan be identified, directly or indirectly, in particular by reference to an identifier suchas a name, an identification number, location data, an online identifier, or to one ormore factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as“sensitive” personal data). Such data includes, but is not necessarily limited to, dataconcerning the data subject’s race, ethnicity, politics, religion, trade unionmembership, genetics, biometrics (if used for ID purposes), health, sex life, or sexualorientation.
Under the GDPR, personal data shall be kept in a form which permits theidentification of data subjects for no longer than is necessary for the purposes forwhich the personal data is processed. In certain cases, personal data may be storedfor longer periods where that data is to be processed for archiving purposes that arein the public interest, for scientific or historical research, or for statistical purposes(subject to the implementation of the appropriate technical and organisationalmeasures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Datasubjects have the right to have their personal data erased (and to prevent theprocessing of that personal data) in the following circumstances:
a) Where the personal data is no longer required for the purpose for which it wasoriginally collected or processed (see above);
b) When the data subject withdraws their consent;
c) When the data subject objects to the processing of their personal data and theCompany has no overriding legitimate interest;
d) When the personal data is processed unlawfully (i.e. in breach of the GDPR);
e) When the personal data has to be erased to comply with a legal obligation; or
f) Where the personal data is processed for the provision of information societyservices to a child.
This Policy sets out the type(s) of personal data held by the Company, the period(s)for which that personal data is to be retained, the criteria for establishing andreviewing such period(s), and when and how it is to be deleted or otherwise disposedof.
For further information on other aspects of data protection and compliance with theGDPR, please refer to the Company’s Data Protection Policy.
2. Aims and Objectives
2.1 The primary aim of this Policy is to set out limits for the retention of personaldata and to ensure that those limits, as well as further data subject rights toerasure, are complied with. By extension, this Policy aims to ensure that theCompany complies fully with its obligations and the rights of data subjectsunder the GDPR.
2.2 In addition to safeguarding the rights of data subjects under the GDPR, byensuring that excessive amounts of data are not retained by the Company,this Policy also aims to improve the speed and efficiency of managing data.
3. Scope
3.1 This Policy applies to all personal data held by the Company and by thirdparty data processors processing personal data on the Company’s behalf.
3.2 Personal data, as held by the Company and by third-party data processors isstored in the following ways and in the following locations:a) The Company’s servers, located in 14a Albany Road, Granby IndustrialEstate, Weymouth DT4 9TH
b) Computers permanently located in the Company’s premises at 14a AlbanyRoad, Granby Industrial Estate, Weymouth DT4 9TH
c) Laptop computers provided by the Company to its employees;
d) Physical records stored in 14a Albany Road, Granby Industrial Estate,Weymouth DT4 9TH;
4. Data Subject Rights and Data Integrity
All personal data held by the Company is held in accordance with the requirements ofthe GDPR and data subjects’ rights thereunder, as set out in the Company’s DataProtection Policy.
4.1 Data subjects are kept fully informed of their rights, of what personal data theCompany holds about them, how that personal data is used as set out in Parts12 and 13 of the Company’s Data Protection Policy, and how long theCompany will hold that personal data (or, if no fixed retention period can bedetermined, the criteria by which the retention of the data will be determined).
4.2 Data subjects are given control over their personal data held by the Companyincluding the right to have incorrect data rectified, the right to request that theirpersonal data be deleted or otherwise disposed of (notwithstanding theretention periods otherwise set by this Data Retention Policy), the right torestrict the Company’s use of their personal data, the right to data portability,and further rights relating to automated decision-making and profiling, as setout in Parts 14 to 20 of the Company’s Data Protection Policy.
5. Technical and Organisational Data Security Measures
5.1 The following technical measures are in place within the Company to protectthe security of personal data. Please refer to Parts 22 to 26 of the Company’sData Protection Policy for further details:
a) All emails containing personal data must be encrypted;
b) All emails containing personal data must be marked “confidential”;
c) Personal data may only be transmitted over secure networks;
d) Personal data may not be transmitted over a wireless network if there is areasonable wired alternative;
e) Personal data contained in the body of an email, whether sent or received,should be copied from the body of that email and stored securely. The emailitself and associated temporary files should be deleted;
f) Where personal data is to be sent by facsimile transmission the recipientshould be informed in advance and should be waiting to receive it;
g) Where personal data is to be transferred in hardcopy form, it should bepassed directly to the recipient or sent using The Royal Mail;
h) All personal data transferred physically should be transferred in a suitablecontainer marked “confidential”;
i) No personal data may be shared informally and if access is required to anypersonal data, such access should be formally requested from the Director.
j) All hardcopies of personal data, along with any electronic copies stored onphysical media should be stored securely;
k) No personal data may be transferred to any employees, agents, contractors,or other parties, whether such parties are working on behalf of the Companyor not, without authorisation;
l) Personal data must be handled with care at all times and should not be leftunattended or on view;
m) Computers used to view personal data must always be locked before beingleft unattended;
n) No personal data should be stored on any mobile device, whether such devicebelongs to the Company or otherwise without the formal written approval ofthe Director and then strictly in accordance with all instructions and limitationsdescribed at the time the approval is given, and for no longer than isabsolutely necessary;
o) No personal data should be transferred to any device personally belonging toan employee and personal data may only be transferred to devices belongingto agents, contractors, or other parties working on behalf of the Companywhere the party in question has agreed to comply fully with the Company’sData Protection Policy and the GDPR;
p) All personal data stored electronically should be backed u[p periodically withbackups stored onsite offsite. All backups should be encrypted;
q) All electronic copies of personal data should be stored securely usingpasswords and encryption;
r) All passwords used to protect personal data should be changed regularly and must be secure;
s) Under no circumstances should any passwords be written down or shared. If apassword is forgotten, it must be reset using the applicable method. IT staff donot have access to passwords;
t) All software should be kept up-to-date. Security-related updates should beinstalled as soon as reasonably possible after becoming available;
u) No software may be installed on any Company-owned computer or devicewithout approval; and
v) Where personal data held by the Company is used for marketing purposes, itshall be the responsibility of the Director to ensure that the appropriateconsent is obtained and that no data subjects have opted out, whether directlyor via a third-party service such as the TPS.
5.2 The following organisational measures are in place within the Company toprotect the security of personal data. Please refer to Part 27 of the Company’sData Protection Policy for further details:
a) All employees and other parties working on behalf of the Company shall bemade fully aware of both their individual responsibilities and the Company’sresponsibilities under the GDPR and under the Company’s Data ProtectionPolicy;
b) Only employees and other parties working on behalf of the Company thatneed access to, and use of, personal data in order to perform their work shallhave access to personal data held by the Company;
c) All employees and other parties working on behalf of the Company handlingpersonal data will be appropriately trained to do so;
d) All employees and other parties working on behalf of the Company handlingpersonal data will be appropriately supervised;
e) All employees and other parties working on behalf of the Company handlingpersonal data should exercise care and caution when discussing any workrelating to personal data at all times;
f) Methods of collecting, holding, and processing personal data shall be regularlyevaluated and reviewed;
g) The performance of those employees and other parties working on behalf ofthe Company handling personal data shall be regularly evaluated andreviewed;
h) All employees and other parties working on behalf of the Company handlingpersonal data will be bound by contract to comply with the GDPR and theCompany’s Data Protection Policy;
i) All agents, contractors, or other parties working on behalf of the Companyhandling personal data must ensure that any and all relevant employees areheld to the same conditions as those relevant employees of the Companyarising out of the GDPR and the Company’s Data Protection Policy;
j) Where any agent, contractor or other party working on behalf of the Companyhandling personal data fails in their obligations under the GDPR and/or theCompany’s Data Protection Policy, that party shall indemnify and holdharmless the Company against any costs, liability, damages, loss, claims orproceedings that may arise out of that failure.
6. Data Disposal
Upon the expiry of the data retention periods set out below in Part 7 of this Policy, orwhen a data subject exercises their right to have their personal data erased, personaldata shall be deleted, destroyed, or otherwise disposed of as follows:
6.1 Personal data stored electronically (including any and all backups thereof)shall be deleted;
6.2 Personal data stored in hardcopy form shall be disposed of through controlledconfidential waste consoles or cross shredded and recycled.
7. Data Retention
7.1 As stated above, and as required by law, the Company shall not retain anypersonal data for any longer than is necessary in light of the purpose(s) forwhich that data is collected, held, and processed.
7.2 Different types of personal data, used for different purposes, will necessarilybe retained for different periods (and its retention periodically reviewed).
8. Roles and Responsibilities
8.1 The Company’s Data Protection Officer is Alan Rodgers, 14a Albany Road,Granby Industrial Estate, Weymouth DT4 9TH;
8.2 The Data Protection Officer shall be responsible for overseeing theimplementation of this Policy and for monitoring compliance with this Policy,the Company’s other Data Protection-related policies (including, but not limitedto, its Data Protection Policy), and with the GDPR and other applicable dataprotection legislation;
8.3 The Data Protection Officer shall be directly responsible for ensuringcompliance with the above data retention periods throughout the Company;
8.4 Any questions regarding this Policy, the retention of personal data, or anyother aspect of GDPR compliance should be referred to the Data ProtectionOfficer.
9. Implementation of Policy
This Policy shall be deemed effective as of 16 April 2018. No part of this Policy shallhave retroactive effect and shall thus apply only to matters occurring on or after thisdate.
This Policy has been approved and authorised by:Name: Alan RodgersPosition: DirectorDate: 1 May 2021Review Date: 1 May 2022